Last week, we brought up some startling statistics about data breaches in the health industry. Among the most significant of those was the fact that the number and severity of breaches have not decreased since we last wrote about them in 2010. Instead, the number of breaches had increased by 32%. We looked at the causes of those breaches and found that, as usual, the majority of them were due to employee error, lack of security, and lazy or “sloppy” security practices.
It seems clear, then, that the first step in solving the issue of data security in health care is to start with the workers.
Accidents will always happen. No amount of security can prevent that, but that doesn’t mean that security training is a wasted effort. “More than 80 percent of healthcare organizations use mobile devices that collect, store and/or transmit some form of PHI,” says last week’s Ponemon study. “Yet, half of all respondents do nothing to protect these devices.” File encryption, passwords, and limited remote access are simple steps that could prevent stolen devices from spreading sensitive data.
Even more simply, employees could be better trained to monitor and protect mobile devices. We used the example last year of a sensitive file left in the back seat of a public cab, and now the same thing is happening with cell phones, tablets, and laptops. Health workers need to be trained in the dangers of such careless behavior if we are ever going to see a change. But there is a larger problem at the core of the issue.
Health administrators need to rethink their security policies. Ponemon’s study pointed out some very large flaws in this area.
Only 22 percent of organizations say their budgets are sufficient to minimize data breaches. 83 percent of hospitals have clearly written policies and procedures to notify authorities of a data breach, but 57 percent don't believe their policies are effective. The research indicates that the closer the personnel are to the data (such as billing and IT), the higher the probability of not following policies and procedures. 42 percent of respondents say administrative personnel in their organizations do not understand the importance of protecting patient data.
The numbers here tell the whole story. Nearly half of the participating health organizations do not see any importance in protecting patient data. Even more feel that existing policies aren’t effective. If so many people see problems in existing security policies, why is no one looking at improving them?
Pam Argeris is a thought leader in the healthcare industry and possesses extensive, hands-on experience with CMS compliance and multiple regulatory bodies such as NCQA, JCAHO, and DOI. In her role at Merrill Corp., Pam focuses on developing solutions for compliance and quality assurance, delivered in a cost-effective manner to improve beneficiary and prospect communications. You can contact Pam at Pamela.Argeris@merrillcorp.com.