BreachExchange mailing list archives

3 tips to prevent a patient information breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Nov 2015 17:50:11 -0700

http://www.itbusiness.ca/blog/3-tips-to-prevent-a-patient-information-breach/60425

Both medical professionals and patients today are vulnerable to data
security breaches. But in the worst case scenarios, it is mishandling of
patient data by those same medical professionals that can cause an
information breach. For this reason, professionals today are tasked with
learning how to protect patient data both while handling it and while
storing it. In this post, learn some top tips for protecting patients from
a data breach.

Tip #1: Make sure all devices are encrypted

Any device used to transmit, transport, verify or consult patient data
should be encrypted. The term “encrypted” essentially means that if the
data falls into the wrong hands, it will be unreadable and useless.

Encryption should be enabled for intra-practice, inter-practice and
external data transmission. In other words, if patient data travels
anywhere at any time, it should be encrypted.

Encryption is especially critical for remote staff, who may be traveling
between multiple locations and accessing patient data from their devices at
various points along the way. With encryption, even a lost device will not
compromise sensitive patient data.

For practices using workflow software to streamline and centralize
day-to-day and other routine practice tasks, there is often the ability to
add, authorize, encrypt and (if necessary) wipe or shut down remote mobile
devices that are linked to the software’s central system – this effectively
controls for a breach so long as the missing device is reported promptly.

Tip #2: Set access permission levels

Another key tip for safeguarding sensitive patient data is to set
password-protected permission levels for access to data. For instance,
receptionists, techs and staff responsible for submitting claims to
insurance may have access to a certain level of patient data, while
physicians and surgeons may have access to a much greater level of patient
data.

Setting permission levels will not completely prevent a patient information
breach, but it will control the sensitivity of the data that is exposed and
also provide an easy way to track the breach back to its source and
implement protocols to prevent a recurrence.
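The permission-level idea above is usually implemented as role-based access control: every field of a patient record carries a sensitivity classification, each role carries a clearance, and a read returns only the fields at or below that clearance. The following Python example is added here to illustrate the pattern and is not code from the article or from any practice-management product; the roles, clearance mapping, field classifications and the patient record are constructed assumptions. It also shows the second point the paragraph makes: because every access is logged with the fields actually released, an exposed field can be traced back to the accounts that were ever shown it.

```python
"""Role-based permission levels for patient data with an audit trail.

Hypothetical example: roles, field classifications and sample records
are constructed for illustration, not taken from any real product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered clearance levels; a role may read fields at or below its level."""
    DEMOGRAPHIC = 1   # name, contact details, appointment times
    BILLING = 2       # insurance policy and claims details
    CLINICAL = 3      # diagnoses, clinical notes, imaging


# Hypothetical role-to-clearance mapping (an assumption, not from the article).
ROLE_CLEARANCE = {
    "receptionist": Sensitivity.DEMOGRAPHIC,
    "technician": Sensitivity.BILLING,
    "claims_clerk": Sensitivity.BILLING,
    "physician": Sensitivity.CLINICAL,
    "surgeon": Sensitivity.CLINICAL,
}

# Every field in a patient record carries a classification (also assumed).
FIELD_LEVEL = {
    "name": Sensitivity.DEMOGRAPHIC,
    "phone": Sensitivity.DEMOGRAPHIC,
    "insurance_id": Sensitivity.BILLING,
    "diagnosis": Sensitivity.CLINICAL,
    "clinical_notes": Sensitivity.CLINICAL,
}


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime
    user_id: str
    role: str
    patient_id: str
    fields_released: tuple
    fields_withheld: tuple


class PatientDataStore:
    """Enforces permission levels on read and records every access."""

    def __init__(self, records):
        self._records = records          # patient_id -> {field: value}
        self.audit_log = []

    def read_record(self, user_id, role, patient_id):
        """Return only the fields the caller's role is cleared for."""
        if role not in ROLE_CLEARANCE:
            raise PermissionError(f"unknown role {role!r}")
        clearance = ROLE_CLEARANCE[role]
        record = self._records[patient_id]
        released = {f: v for f, v in record.items() if FIELD_LEVEL[f] <= clearance}
        withheld = tuple(sorted(f for f in record if FIELD_LEVEL[f] > clearance))
        # Log what was shown and what was withheld, so a later breach of a
        # particular field can be narrowed to the accounts that received it.
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc), user_id, role, patient_id,
            tuple(sorted(released)), withheld))
        return released

    def who_saw(self, patient_id, field):
        """List the users that were actually shown a given field of a patient."""
        return sorted({e.user_id for e in self.audit_log
                       if e.patient_id == patient_id and field in e.fields_released})


# Constructed sample data; values are placeholders, not real patient data.
SAMPLE_RECORDS = {
    "P-1001": {
        "name": "Test Patient",
        "phone": "555-0100",
        "insurance_id": "INS-000-TEST",
        "diagnosis": "constructed value",
        "clinical_notes": "constructed value",
    },
}


def demo():
    """Front desk and physician read the same record; compare what each sees."""
    store = PatientDataStore(SAMPLE_RECORDS)
    front_desk = store.read_record("u-reception-1", "receptionist", "P-1001")
    doctor = store.read_record("u-physician-7", "physician", "P-1001")
    return {
        "front_desk_fields": sorted(front_desk),
        "physician_fields": sorted(doctor),
        "who_saw_diagnosis": store.who_saw("P-1001", "diagnosis"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the receptionist account receiving only the demographic fields while the physician account receives the full record, and `who_saw` returns just the physician account for the diagnosis field. Note that the audit log only attributes access to an account, which is why the article's later point about never sharing login IDs matters: a shared ID makes the trail point at the wrong person.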

Along with setting password-protected permission levels comes the need for
password protocols (to create harder-to-guess passwords) and periodic
password resets. More frequent reset prompts help control for staff turnover
and improve data security.

An alternative (or addition) to password protection and access levels is
what is called a “vendor neutral archive.” This tool presents patient data
through a single centralized, password-protected, encrypted and uniform
site, consolidating records and minimizing the risk of a data breach.

Tip #3: Never share access IDs with colleagues and always log out of shared
devices

Finally, one of the easiest ways to prevent a data breach involving
sensitive patient information is simply to log out after you’ve logged in
and never ever share your login or access ID with anyone else – no matter
how much you think you trust them.

Whether you are accessing patient information on a shared public device or
on your own private BYOD (bring your own device), logging out is the single
easiest and yet most important action you can take to protect yourself and
your patients from a security breach.

And if you ever access sensitive information from a device or terminal
located in an area patients and transients have access to, you should
safeguard your private login information in the same way you would if you
went to withdraw cash out of an ATM using your debit card!

As well, while it may be tempting to share an ID with a fellow employee who
is in a rush, has forgotten their own or doesn’t have one yet, any goodwill
gained by this generosity will soon be eradicated if that colleague then
goes on to steal or expose sensitive patient data.

By putting these three tips into immediate practice, you drastically reduce
the risk of a data breach involving patient information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
