Making Breach Prevention a Priority
The federal list clearly illustrates that one of the most common causes of breaches is the loss or theft of portable computers and media. Healthcare organizations should therefore take steps to minimize that risk, such as encrypting portable devices or not storing protected health information on them at all.
Plus, about 20 percent of the incidents have involved business associates, highlighting the need to investigate the security programs of your partners.
The federal breach tally now lists more than 145 incidents affecting a total of more than 4.8 million Americans.
And you don't want your organization added to the wall of shame because dealing with the aftermath of breaches can be very expensive.
Christopher Hourihan, manager of development and programs at the Health Information Trust Alliance, estimates the cost of dealing with the aftermath of all the major breaches reported to federal authorities so far could hit $1 billion. He bases his estimate on the Ponemon Institute's calculation of an average of $204 in costs for every compromised record, across all industries.
A big chunk of that cost, he notes, is the potential for losing current and future customers because of a lack of trust.
So the next time senior leadership at your organization balks at spending money on information security, show them the breach list and make them aware of the cost of coping with an incident.
But what security steps should you advocate to help avoid breaches?
In a recent presentation, Adam Greene, senior health information technology and privacy specialist at the HHS Office for Civil Rights, which compiles the breach list, offered some tips, including:
- Conduct a risk assessment or update an existing one to pinpoint risks and then address them;
- Make widespread use of encryption. (The HITECH Act interim final breach notification rule contains a safe harbor that exempts organizations from reporting breaches if the information was properly encrypted.)
- Properly train the workforce so they recognize new security challenges. Security policies developed as a result of a comprehensive risk analysis will prove worthless unless staff is aware of them and knows how to comply, Greene stresses;
- Appropriately monitor access to EHRs and maintain physical safeguards to prevent loss or theft;
- Be sure to activate and use all the security features included with an EHR. "It doesn't do anyone any good to have encryption features that are not turned on," he stresses. "And make sure that your hardware supports all of the EHR's security features."
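Greene's advice to "appropriately monitor access to EHRs" is easier to act on with a concrete rule set. The script below is an added example, not code from the article or from any EHR vendor: it replays constructed audit-log lines and flags three patterns that commonly surface in breach investigations, access to a patient the user has no treatment relationship with, access outside business hours, and one user pulling many distinct records in a short burst. The log format (ISO timestamp, user, patient id, action), the care-team table, the business-hours window and the bulk threshold are all assumptions made for illustration.

```python
"""Flag suspicious EHR record access in an audit log.

Added example, not code from the article or from any EHR vendor. The
log format (ISO timestamp, user, patient id, action), the care-team
table and the thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log lines (not real data).
SAMPLE_LOG = """\
2011-03-01T09:02:11 nurse_a P1001 view
2011-03-01T09:05:40 nurse_a P1002 view
2011-03-01T11:12:00 nurse_a P9999 view
2011-03-01T22:15:03 clerk_b P2001 view
2011-03-01T10:00:00 dr_c P3001 view
2011-03-01T10:00:30 dr_c P3002 view
2011-03-01T10:01:00 dr_c P3003 view
2011-03-01T10:01:30 dr_c P3004 view
2011-03-01T10:02:00 dr_c P3005 view
"""

# Assumed care-team table: the patients each user has a treatment
# relationship with. In practice this comes from ADT/scheduling systems.
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P2001"},
    "dr_c": {"P3001", "P3002", "P3003", "P3004", "P3005"},
}

BUSINESS_HOURS = (7, 19)          # assumed: 07:00 to 18:59 is normal
BULK_THRESHOLD = 5                # assumed: distinct patients per window
BULK_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def audit_access(log_text, care_team=CARE_TEAM):
    """Return a list of (rule, user, detail) findings for the log."""
    events = parse_log(log_text)
    findings = []

    # Rules 1 and 2: per-event checks.
    for ev in events:
        if ev["patient"] not in care_team.get(ev["user"], set()):
            findings.append(("no_care_relationship", ev["user"], ev["patient"]))
        if not BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", ev["user"],
                             ev["ts"].strftime("%Y-%m-%d %H:%M")))

    # Rule 3: many distinct patients by one user inside a sliding window.
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []                  # events inside the current window
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > BULK_WINDOW:
                recent.pop(0)
            distinct = {e["patient"] for e in recent}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(distinct)} patients in {BULK_WINDOW}"))
                recent = []          # reset so one burst raises one alert
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit_access(SAMPLE_LOG):
        print(f"{rule:22} {user:10} {detail}")
```

Running the script against the sample log yields three findings: nurse_a viewing P9999 with no care relationship, clerk_b viewing a record at 22:15, and dr_c opening five distinct charts within two minutes. The thresholds are deliberately simple; a production deployment would tune them per role and feed the findings to a privacy officer for review rather than treating every hit as a breach.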
Hourihan adds these insights:
- Work closely with business associates to ensure they take adequate security steps. Relying simply on a business associate agreement "is grossly inadequate," he says. In cases where relatively low risk is involved, organizations should review business associates' documentation of security steps and interview executives about policies and enforcement. In higher-risk scenarios, organizations should consider hiring a third party to review a business associate's security program and develop an action plan.
- Consider whether to limit the amount of patient information stored on mobile and desktop devices, relying instead primarily on network drives and other central storage.
- Require vendors that remotely host electronic health records to spell out their approach to access control, vulnerability management and other security strategies.
- Guard against data loss, such as by banning file sharing programs on computers.