In the News: ADVANCE for Healthcare Information Executives
THE UNWITTING ACCOMPLICE
When it comes to preventing data breaches, employees can be the best defense or the worst enemy
By Andrew Sroka
Published on: April 21, 2010
There is no debate that the HITECH Act and proliferation of electronic health records (EHRs) are prompting new concerns over the privacy of patient data. As the explosion of soft data unfolds across the industry, health care providers -- from both a regulatory and reputation standpoint -- are struggling to comply with the information security demands that customers, policymakers and regulators are placing on them.
To that end, health care CIOs are feeling the heat. New legislation expands current privacy and security protections for health information and places stringent breach notification requirements on insurers and providers. The new laws also demand that patients get increased control over what medical and personal data are disclosed and to whom, which is forcing CIOs to build systems that closely manage control of information access among employees, contractors, partners and would-be hackers.
Even more daunting is the reality of regulator audits to ensure that privacy practices are in compliance with the new laws. A failure to comply or adequately deal with a data breach can mean running afoul of regulators, potential business disruptions and long-term reputational harm.
The insider threat
When it comes to protecting the privacy of patient data, professional hackers are undoubtedly a chief security concern among technology professionals, but it should not be their only one. Health care CIOs must also focus security resources on another threat: employees. What many fail to realize is that most cyber-security threats against organizations involve insiders. Across the health care space, too many employees have access to sensitive information that they should not be privy to, and the outcome can be catastrophic. Whether the result of human error or deliberate criminal activity, the majority of data security breaches are the result of actions of your own people.
Many data security breaches are the result of employees unwittingly acting as an accomplice to an internal or external threat. In many data-breach cases, there is no malicious intent on the part of the employee, even though he or she is the primary facilitator of the crime. Hackers realize that most employees lack a sophisticated understanding of computer systems and data-sharing, and they leverage that to its fullest extent. As a result, they create strategies to trick employees into sharing private and sensitive information without those employees ever knowing they are doing so.
For example, an employee in a hospital installs file-sharing software on his work computer to listen to music, which the employee perceives as an innocuous activity. In reality, his actions provide an entry point for a hacker to compromise the security of the overall computer network. It is a seemingly innocent step taken by an employee who ultimately enables a cybercrime to take place.
Education will set you free
The “unwitting accomplice” poses one of the greatest threats to protecting patient and organization data. There is no silver bullet solution to this dilemma; CIOs can’t spend their way out of this problem and they can’t flip a switch that will shield an organization’s assets from misuse.
Rather, health care organizations must deploy a layered approach that combines stringent access control with continuous education on data security for all employees. With access control, CIOs must be vigilant about establishing policies and procedures that limit, deny or allow access to information for all employees -- from temporary employees to the CEO of the organization. These “rules” should provide an intuitive, auditable and enforceable framework for managing employee access to data and resources. If there is not a justifiable reason for an employee to gain access to certain data, the system should deny him access. Access control strategies must also include the ability to efficiently terminate access to former employees or consultants who no longer work for the business.
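The access-control framework described above (explicit grants, deny by default, an audit record of every decision, and revocation when someone leaves) can be sketched in code. This is an added illustration, not code from the article or from Fischer International; the roles, user names and resources are constructed samples.

```python
from dataclasses import dataclass, field


@dataclass
class AccessControl:
    """Default-deny access control with an audit trail and revocation on termination."""
    # Explicit grants per role as (resource, action) pairs. Anything not listed is denied.
    grants: dict[str, set[tuple[str, str]]]
    users: dict[str, str] = field(default_factory=dict)  # user -> role, active staff only
    audit: list[dict] = field(default_factory=list)      # every decision is recorded

    def onboard(self, user: str, role: str) -> None:
        self.users[user] = role
        self.audit.append({"event": "onboard", "user": user, "role": role})

    def terminate(self, user: str) -> None:
        # Removing the user is what revokes access; no grant tables need editing.
        self.users.pop(user, None)
        self.audit.append({"event": "terminate", "user": user})

    def check(self, user: str, resource: str, action: str) -> bool:
        role = self.users.get(user)
        allowed = role is not None and (resource, action) in self.grants.get(role, set())
        self.audit.append({"event": "access", "user": user, "role": role,
                           "resource": resource, "action": action, "allowed": allowed})
        return allowed


def demo() -> dict:
    # Constructed sample policy: only explicitly justified access is granted.
    ac = AccessControl(grants={
        "nurse": {("patient_chart", "read"), ("patient_chart", "update")},
        "billing_clerk": {("billing_record", "read")},
        "ceo": set(),  # seniority alone justifies no access to patient data
    })
    ac.onboard("alice", "nurse")
    ac.onboard("bob", "billing_clerk")
    ac.onboard("carol", "ceo")
    results = {
        "nurse_reads_chart": ac.check("alice", "patient_chart", "read"),
        "nurse_reads_billing": ac.check("alice", "billing_record", "read"),
        "ceo_reads_chart": ac.check("carol", "patient_chart", "read"),
        "unknown_contractor": ac.check("dave", "patient_chart", "read"),
    }
    ac.terminate("alice")
    results["terminated_nurse_reads_chart"] = ac.check("alice", "patient_chart", "read")
    results["denials_logged"] = sum(1 for e in ac.audit
                                    if e["event"] == "access" and not e["allowed"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit list is what makes the rules auditable: a reviewer can see who was denied what, and confirm that a terminated account received no access afterwards.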
Finally, organizations must educate their employees about data-security and access-control policies, and help them to understand how their decisions and behavior play a critical role in defending the organization from data breaches. Further -- and this is critical -- anybody who is responsible for the management, manipulation or administration of any data that is affected by regulation or compliance, such as protected health information, needs a more sophisticated level of education than the average user. These people need to understand the penalties for non-compliance, what constitutes misuse or mishandling of “protected” data and what types of activities violate the applicable compliance requirements.
When it comes to preventing data breaches, employees can be the best defense or the worst enemy. CIOs who embrace this notion will achieve better compliance and data security for their organizations. Perhaps most important, they will enable their companies to do what they do best: provide world-class patient care in a safe and secure environment.
Mr. Sroka is CEO of Fischer International.