BreachExchange mailing list archives

10 strategies to protect patient information


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 15 Dec 2014 22:41:37 -0700

http://www.net-security.org/secworld.php?id=17748

Data breaches, lawsuits, medical identity theft—all cringe-worthy
realities—and the threats to patient data have never been greater. With
cybercrime targeting healthcare, organizations are challenged to manage and
protect sensitive patient data—protected health information (PHI).

Industry experts from the PHI Protection Network (PPN) offer healthcare
security and risk professionals top privacy and security strategies to
implement in 2015 that will protect patient data and meet the demands of
the evolving healthcare and security landscape.

10 strategies to protect patient information:

1. Demand organizational leadership engagement. Workforce training and
safeguards alone will not be effective. Organizational leadership must
embrace and champion compliance as it would any other component of the
organization’s value chain. Leadership must visibly and actively foster a
culture of compliance throughout the organization by setting expectations
and holding all workforce members accountable to the same standards.

2. Find and identify your data. Organizations need to know where their data
lives, where it travels, and in what form (encrypted, identified,
deidentified, etc.).

3. Control PHI workflow and minimize necessary workforce
access. Organizations must find ways to better control PHI workflow within
the organization, and movement outside the organization. This not only
includes safeguarding it from impermissible uses and disclosures, but will
also require integration of HIPAA with other health information protection
activities to ensure a single point of control within the organization.

4. Assess risks. Organizations must have solid processes in place for
assessing risk with new systems, devices, services and partners and
determine how best to use their power as purchasers to weed out those that
don’t meet best security practices.

5. Prioritize third-party vendor management. Organizations will need help
with third-party vendor management to strengthen oversight and review
processes. Note that smaller Business Associates are particularly
vulnerable since they may not have as many resources to devote to security
and compliance, and may be more likely to experience a data breach.

6. Get proactive. The healthcare industry needs to take a proactive stance
when it comes to regulations to protect patient health information.
Companies that go above and beyond baseline protection requirements will be
seen as industry leaders, and patients will choose to use their services
over others.

7. Make privacy an integral part of new technology adoption. The pace at
which new technology is being introduced into the healthcare industry is
increasing, with thousands of new health-related mobile applications
available this year, devices such as Apple Watch, and the Internet of
Things. But we have little evidence that patient privacy or security
features are being considered. The healthcare industry and its technology
service providers need to dramatically improve how they take advantage of
existing technology as well as how they design, construct and deliver new
tools.

8. Measure to improve. You can't manage what you can't measure. The
healthcare industry needs to get better at defining key metrics with which to
continuously measure and improve its security posture.

9. Look for "non-standard" systems as potential PHI data stores. In
particular, voicemail systems, customer service call recording systems, and
closed-circuit television systems could all potentially be storing PHI, but
may not be as carefully safeguarded as traditional IT systems such as EHRs
and patient billing.

10. Instill a culture of security. Every employee is a guardian of the
customer’s data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss