BreachExchange mailing list archives

Don't Let Human Error Compromise Patient Data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 11 Oct 2013 22:39:21 -0600

http://www.beckershospitalreview.com/healthcare-information-technology/don-t-let-human-error-compromise-patient-data.html

Many data breaches have humble beginnings: A smartphone is lost at a
conference; a busy healthcare provider uses a receptionist's login when
visiting an office; IT doesn't get the notice to remove network access when
an employee retires. Hackers are often the focus of data security
conversations, while these more "garden-variety" risks are actually the
greatest points of exposure. Employees don't need to be the weak link in
your organization's data security chain. Instead, with a clear message from
leadership and effective communication, employees can be your biggest
security champions.


No one department or group can be solely responsible for implementing data
security practices across the entire organization. And while risk
management or compliance officers are increasingly involved in monitoring
how data protection is handled, day-to-day activities that impact the
security and privacy of sensitive data still remain in the hands of the
employees. Rather than leave the security program to only the technology or
compliance staff, savvy healthcare leaders are instead working to raise
general awareness and develop an expectation across the organization that
security is everyone's responsibility. Technology and compliance are
important, no doubt. They are like the lock on the door — important to
have, but they can't keep someone from leaving the door unlocked or
propping it open and rendering the lock ineffective.

Data breaches can easily result from seemingly innocuous day-to-day
decisions such as "Should I take the time to encrypt this email?" Or, "Can
I leave my company laptop in my car while I go into the store, just
briefly?" Sometimes the trade-off is simply to conserve time or effort,
while in other instances the situation is less of a deliberate decision,
such as not remembering to notify IT when an employee moves to a new
department and no longer needs the same level of access to patients'
medical records. In every case, the level of awareness and the diligence
applied in the employee's decision-making process is critical to the
outcome. Those day-to-day decisions will be consistently better if the
individual has been given the training and support needed to make the right
choice, no matter if it requires more time or energy.

Emphasize training
The first chance many employees will have to learn about your
organization's data security practices is during new hire orientation. It's
important to maximize the usefulness of that moment by making the
discussion about more than just login credentials and help desk phone
numbers. Instead, use it as an opportunity to discuss the organization's
commitment to protecting patients' personal health information. Give human
resources, IT and managers the tools they need to begin engaging new
employees in a two-way conversation about data protection and the
organization's expectations. It's also a good time to present new workers
with a copy of the processes and procedures they'll need to follow to
safely access sensitive data within your corporate network.

It can be difficult to set aside time for all the training new employees
need, particularly in a busy healthcare environment, but it's imperative to
initially emphasize to new employees that data security is important, as
well as to follow up with frequent reminders and point-in-time instruction
to provide reinforcement. Reminders don't need to be as detailed as initial
training but should offer concise instruction provided at the moment when
employees are performing the task that needs attention to security or
privacy. Management can provide an environment where employees feel
comfortable to ask questions and get clarification on any parts of the
program they don't fully understand by being proactive in raising the topic
of conversation in a non-threatening way. HR should work to ensure that
training is provided when an employee's job duties change in such a way
that warrants a different perspective or level of security. New supervisors
will need to understand any expanded obligations on being attentive to the
security practices of every role in their group, as well as specific
reporting requirements, like the mandatory notification under state laws
that typically applies when a mismailing occurs or a laptop is lost or stolen.

Every organization's culture begins at the top. Leadership matters for this
reason. A leadership team committed to the security of PHI will engage
department managers who then include their direct reports. Supervisors are
often the first place employees turn if they have a question or concern.
Arming managers and supervisors at all levels will enable the message to
permeate your environment. Setting an expectation that all employees will
be alert and correct and/or report deviations from protocol will convert
daily activities across your organization from the risk of inadvertent
exposure to attentive monitoring.

Plan your response
A crucial but often overlooked part of any comprehensive data security
program is an incident response plan that guides employees on how to
recognize a potential breach and what to do about it. In order for
employees to be expected to notice, report and even prevent a security
incident, you must define for them what an incident looks like in their
environment as well as how to report it. A security incident can easily go
unnoticed because you can't see information on a hard drive. It should be
clearly explained to employees that a lost laptop or a medical bill sent
via email or U.S. Mail is a reportable event. The reporting mechanism
should be easily located and used even during non-working hours. An
incident response plan that leaves identification of a security event to
interpretation and does not describe objective signs and symptoms is too
ambiguous to be effective, practically speaking. Instructing employees on
the importance of protecting data is the first step and should be followed
by a conversation about how data breaches happen, what they look like and
what to do if those events or activities are observed. Not only should
employees know what to do if a mobile device is lost or stolen, they should
also have the training to understand what the next step is if they discover
that a patient record has been sent to the wrong place or if a website
requires a password or credit card information to be entered twice.

Well-crafted breach response plans incorporate resources of all necessary
functions and not just IT. Resources from finance to HR to public
relations, legal counsel and IT will all be needed and should be included
in establishing, maintaining and practicing an incident response plan. In a
healthcare organization, business associates who access, process or store
PHI are also likely to be involved, and critical infrastructure vendors,
such as your ISP, should be included.

By laying out the steps each person on the breach response team will take
if an exposure occurs, the entire organization will be better equipped to
quickly implement a plan for early identification and a coordinated
response that mitigates exposure and loss. Incident response planning is
both good practice and a required component of HIPAA compliance.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 