BEI HIT Blog
Healthcare IT News, December 12, 2014
BEI Commentary: Security incidents/data breaches continue to grow, and healthcare organizations have more at risk than many organizations. This article which summarizes a report from Experian, suggests that healthcare executives need to make security a priority in 2015
Nearly half of organizations across all industries were hit by at least one security incident in the past 12 months, according to the report, which has spurred 48 percent of organizations to invest in security technologies and 73 percent to develop data breach response plans. Cyber insurance policies are another important new strategy, more than doubling in popularity, from 10 percent in 2013 to 26 percent in 2014.
The C-suite “can no longer ignore the drastic impact a data breach has” on an organization’s reputation, says Experian officials. Coupled with the fact that consumers are “demanding more communication and remedies” after a breach occurs, healthcare organizations must put preparedness front and center. Read More
Advance Health Network, 3/15/15
BEI Commentary: Just how bad is HIT security? 7 million. That is how many patient records were breached in 2013, an increase of 137% over 2012. As BEI says, and is also emphasized in the article: encrypt your data.
More than seven million health records in the United States were affected by data breaches in 2013, an increase of 137% over the previous year, according to the annual breach report by Redspin, an information security company based in Carpinteria, California.
Since 2009, there has been a rapid rise in the adoption of electronic health records in the US. There have also been 804 breaches of health information affecting nearly 30 million patient health records reported to the Secretary of Health and Human Services, as required by law. Read More
Washington Post, December 25, 2013
BEI Commentary: This article confirms that healthcare practices need to be vigilent about security.
As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.
Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems. Read More
Reuters, November 8, 2012
BEI Commentary: This is a non-HIT/HIT article. You can see from this that the medical industry is not the only one that has regulatory oversight that requires encryption and other protections. Good computer security is just a fact of life in an increasingly networked world.
Staffers at the U.S. Securities and Exchange Commission failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks, according to people familiar with the matter.
While the computers were unprotected, there was no evidence that hacking or spying on the SEC’s computers took place, these people said.
The computers and other electronic devices in question belonged to a handful of employees in an office within the SEC’s Trading and Markets Division. That office is responsible for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems, one of those people said. Read More
Security becomes a bigger IT issue everyday. Security is not just about protecting websites or servers; appropriate security is required for workstations as well. In fact, HIPAA requires it. Here are a few simple things to think about:
- Make sure each individual on your staff has a unique ID/Password for logging into the EHR. This may seem like a simple thing, but we have seen practices where a common ID/PW is used by people with similar roles. Unique ID/PWs are required to determine who has logged into the EHR and what changes they made.
- Passwords should be strong. Require at least 6 characters with at least one character being alphabetic and one being numeric.
- Place an inactivity timer on each workstation of five minutes. It is quite easy for someone to walk away from a workstation while forgetting that they are logged in. This gives a patient or other staff the opportunity to access the EHR using someone else’s ID/PW. This would result in unauthorized access to ePHI, which is a HIPAA violation.
- Encrypt your hard drives. Some workstations may have ePHI and some may not. Why bother figuring out which is which. If you encrypt the hard drive of each workstation, you will guarantee that you are HIPAA compliant. Encrypting the hard drive should not cost anything. If the workstation is lost, and you are not sure if there is ePHI on the machine, and the machine does not have encryption, that is a HIPAA violation that most likely needs to be reported to the Office of Civil Rights.
- Consider a privacy filter for workstations, especially those in public areas. Privacy filters allow only the user to view what is on the screen. Off angle viewing is blocked. They are very inexpensive and can be purchased for both laptops and desktops.
All of the items above are straight-forward and easy to implement. They can go a long way to protecting the ePHI in your practice!