A top priority of the healthcare industry is transitioning to electronic medical records and ensuring they are secure and protected in compliance with federal regulations. The Healthcare Professionals Section recently spoke with Richard Mackey, vice president of consulting with SystemExperts and an expert in information technology security, on the issues healthcare organizations face in protecting electronic data.
Unauthorized access of electronic records by healthcare employees has really been an issue in the media lately … what’s your take on the issue?
It’s very important that healthcare organizations regularly audit and update their employees’ data access. For example, let’s say there’s information available in a system listing a patient’s medical condition and location. A medical van driver would need to know the patient’s location, but wouldn’t necessarily need to know details about the patient’s condition. In an improperly managed system, the van driver would see both. It’s fairly common for many organizations to lack formal processes and cross-checks for their information access and privacy policies.
There should be a “life cycle” for information access — if a person changes their duties, their access to data should be updated to include only what they need for their work, instead of just adding new access privileges and leaving the employee able to access other data they no longer need. Also, organizations should be careful to terminate both remote and internal access for former employees.
Many people rely on personal devices, such as laptops or smartphones, to access work data. What steps should healthcare organizations take regarding these devices?
The trend right now is to avoid giving workers access through their privately owned devices because it’s much more difficult to control security that way. Even controlling and monitoring data access through company-issued devices is difficult. I would recommend against healthcare organizations giving employees access to sensitive data via privately owned devices.
What other areas do healthcare organizations need to address?
One of the most difficult aspects of healthcare today is that organizations often don’t prepare for data breaches. There are two problems that can result from a data breach: If the organization was willfully neglectful of security, it will be in real trouble if a breach occurs; and if an organization is doing a reasonable job of data protection but has a breach that isn’t its fault, the organization must respond rapidly to avoid penalties.
A healthcare organization needs to know how to identify what data was breached, how to carry out a notification process, and who to notify. It’s a good idea if organizations make plans assuming they will have a data breach at some point. Some are innocent, like a system glitch that sends information to the wrong people, but this is still a breach as defined under HIPAA. It’s better to assume a breach will happen, prepare for it in advance and have procedures already in place to deal with it.