In the world of technology today, consumers often purchase items over the internet using personal information such as their name, date of birth and credit card numbers. This information can easily be stolen by someone who seeks to exploit weaknesses in a computer network. According to Gagne (2012), “data breaches often occur through technical vulnerabilities, malware, compromised user credentials or opportunist attackers”. Healthcare organizations maintain patient medical and personal information through an electronic source called the electronic health record. Healthcare quality and safety require that the right information be available at the right time to support patient care and health system management decisions. Data breaches in healthcare have become common within the last few years, and each one is a violation of the Health Insurance Portability and Accountability Act of 1996 and of patient privacy. Data security is a major concern for consumers choosing a healthcare organization to fit their needs.
Care providers and insurance companies face increased enforcement of regulatory requirements meant to assure patients that their personal information is secure. The key steps to achieving data security in healthcare organizations are following policies and procedures, conducting audit trails, classifying data, protecting data, encrypting it, and planning for disaster recovery/business continuity. Every healthcare organization must comply with the privacy and security rules to protect patient identifiable information. Patient identifiable information is confidential; therefore, policies are in place to ensure that the organization's security message reaches every department.
A data breach is defined by the Department of Human Services as an “impermissible use or disclosure under the privacy rule that compromises the security or privacy of the protected health information.” The Office for Civil Rights of the U.S. Department of Health and Human Services tracks healthcare organizations' data breaches that affect more than 500 patients. The types of data breaches include unauthorized access and the theft of computers, laptops, and other portable electronic devices that contain identifiable patient information. Hence, healthcare organizations make it a point of duty to invest in and partner with information technology organizations to introduce ways to protect data from breaches. Ways to protect patient data from a security breach are as follows:
Health Insurance Portability and Accountability Act (HIPAA)
Risk assessment
Audits
Encryption
Authentication
Wireless networks
Healthcare organizations must abide by HIPAA requirements to ensure that there are safeguards in place to guard patient health information in the course of conducting business. A data security breach can occur at any time a patient is seen at a healthcare organization. An example of a data security breach is discussing a patient's condition in front of individuals who are not directly involved in that patient's care. The HIPAA privacy and security rules require proper education and training of the workforce to ensure ongoing accountability for the privacy and security of protected health information (PHI).
Employees of healthcare organizations must be thoroughly trained on the policies and procedures pertaining to PHI so that they can carry out their job functions while maintaining patient confidentiality and ensuring that data security breaches do not occur.
According to Moore (2012), “Security risk assessments are gaining a higher profile in the health care field as providers look to prevent data breaches, prepare for government audits and qualify for meaningful use incentive dollars.” Security risk assessments are required by HIPAA and are part of the Centers for Medicare and Medicaid (CMS) meaningful use incentive program, which requires all providers and healthcare organizations to conduct a risk assessment of their information technology systems. This risk assessment allows providers and healthcare organizations to review and address security policies and safeguards, identify threats, and uncover vulnerabilities within the system. Conducting audits of employees and healthcare providers is beneficial to a healthcare organization. Healthcare organizations collect and maintain non-clinical personal information that could be used for identity theft, such as Social Security numbers, credit card numbers and insurance account information.
Audits cut down on data breaches and can trace what an associate or healthcare provider views in the electronic health record. The manager of Health Information Management, or a designee, is responsible for periodically reviewing unauthorized access to patient records and the reports generated by the system. This verifies the accuracy and integrity of the associate or healthcare provider, because management occasionally audits their access. The system alerts the manager to any unauthorized access by an associate or healthcare provider, which is a violation of both organizational policy and HIPAA law.
Healthcare organizations are entrusted with protecting patient health information. According to Solutions for Healthcare, “Advocate Health Care – who in August reported the second largest HIPAA data breach to date after four unencrypted laptops were stolen from its facility, compromising the protected health information and Social Security numbers of more than 4 million people – has now been slapped with a class action lawsuit filed by affected patients.” This incident was a breach of patient confidentiality and privacy. The unencrypted information was identifiable information that could have been used against the patients involved. All healthcare organizations' data should be encrypted on computers and laptops to ensure that patient privacy is not breached. Encryption allows healthcare organizations to provide consistent protection of confidential information while allowing authorized individuals to turn the encoded data back into readable form when they access it.
Electronic authentication is used so that associates and healthcare providers have access to patients' health information only on a need-to-know basis, to perform their job functions. Electronic authentication must take place through a secure workstation or a hospital-approved device. This allows the associate or healthcare provider to enter the electronic health record using a unique identifier and password. The unique identifier recognizes the associate or healthcare provider in the system by their electronic signature. Through electronic authentication, healthcare organizations and the information technology team are able to identify data breaches attempted by employees who do not have access to certain patient information. Wireless networking is one of the latest advancements in technology; it gives consumers access to the internet from anywhere an internet connection is available. Healthcare providers can use hand-held devices when making rounds in a hospital, so that patients' information is right at their fingertips. Using an unsecured wireless network is a potential data breach of patient information and a violation of HIPAA privacy.
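The audit review and need-to-know access described above can be run as a simple check over the system's access log. The following is an added example, not code from the essay or from any EHR product: it parses constructed log lines and flags every record view by a user who is not on that patient's assigned care team (the log format, user ids, patient ids and care-team map are all assumptions).

```python
# Added example (not from the essay): a minimal audit-trail review of
# constructed EHR access-log lines. It flags record views by staff who are
# not on the patient's assigned care team, which is the "need to know"
# check the audit and authentication sections describe.
import csv
from io import StringIO

# Constructed sample log: timestamp, user id, role, patient id, action.
SAMPLE_LOG = """\
2014-10-10T08:02:11,u1001,nurse,p5001,view
2014-10-10T08:05:43,u1002,physician,p5001,view
2014-10-10T08:07:09,u1003,billing,p5001,view
2014-10-10T09:15:30,u1001,nurse,p5002,view
2014-10-10T12:40:00,u1004,nurse,p5002,view
"""

# Constructed care-team assignments: patient id -> user ids allowed to view.
CARE_TEAM = {
    "p5001": {"u1001", "u1002"},
    "p5002": {"u1004"},
}

def parse_log(text):
    """Parse CSV audit lines into dicts keyed by field name."""
    fields = ["ts", "user", "role", "patient", "action"]
    return [dict(zip(fields, row)) for row in csv.reader(StringIO(text)) if row]

def find_unauthorized(entries, care_team):
    """Return (user, patient, ts) for every view by a user not on the care team.
    A patient absent from the assignment map is treated as having no authorized
    viewers, so every access to that record is flagged for manual review."""
    flagged = []
    for e in entries:
        if e["action"] != "view":
            continue
        if e["user"] not in care_team.get(e["patient"], set()):
            flagged.append((e["user"], e["patient"], e["ts"]))
    return flagged

def review(text=SAMPLE_LOG, care_team=CARE_TEAM):
    """Run the check on the sample log and return the flagged accesses."""
    return find_unauthorized(parse_log(text), care_team)

if __name__ == "__main__":
    for user, patient, ts in review():
        print(f"ALERT: {user} viewed {patient} at {ts} without a care-team assignment")
```

In a real deployment the care-team map would come from the EHR's assignment data and the flagged list would be the report the Health Information Management manager reviews.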
Therefore, it is important for healthcare organizations to establish a virtual private network (VPN), through which each healthcare provider acquires a unique user identification to gain access to patients' information. A VPN allows healthcare organizations to maintain a private network that connects to the organization's internal network and secures remote users while public networks are shared for the transmission of data. VPNs and encryption work together to secure patient data from hackers and any unauthorized personnel. In conclusion, more than 30 million people have had their protected health information compromised in a HIPAA privacy or security breach, according to data from the U.S. Department of Health and Human Services.
HIPAA-covered entities have handed over some $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that from last year alone. Data integrity remains a critical factor in ensuring better patient care; therefore, enforcing education and regular checks and balances will decrease the frequency of data breaches. Securing patient data confidentiality is more important than ever and requires more than good intentions: it demands a comprehensive security solution built around strong encryption, robust identity management, and policy-based management.
References
Breach Notification Rule. (n.d.). Retrieved November 1, 2014, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
Eastwood, B. (2014, September 12). 12 Tips to Prevent a Healthcare Data Breach. Retrieved October 12, 2014, from http://www.cio.com/article/2368702/healthcare/12-tips-to-prevent-a-healthcare-data-breach.html
Gagne, G. (2012, December 27). Understanding How Data Breaches Can Occur. Retrieved October 10, 2014, from