Breach Prevention in Spotlight

May 13, 2011 Posted by
Filed under: Digital Breach Newswire 

Article Author: Howard Anderson

Zero Tolerance for Records Snoops and Other Prevention Tips

Preventing breaches requires comprehensive information security policies, aggressive staff training and, sometimes, bold action as well.

Allina Hospitals and Clinics took the gutsy move of firing 32 employees for looking at the electronic health records of patients involved in a recent mass drug overdose case.

Allina spokesman David Kanihan stresses that the delivery system has consistently enforced its privacy policy by dismissing those who access records without a legitimate reason. “But this is larger in scope than other incidents we’ve had in the past,” he says.

“We take our obligation to protect patient privacy very seriously,” according to an Allina statement. “Anything short of a zero-tolerance approach to this issue would be inadequate.”

Breach Prevention Tips

Zero tolerance for records snooping certainly is a powerful, high-profile breach deterrent. But what other steps should healthcare organizations take to prevent various types of breaches?

“Raising the security awareness of your workforce is your best defense against having a breach incident,” says David Holtzman, who’s on the federal team that enforces the HITECH Act breach notification rule (see: Breach Rule Enforcer Offers Advice).

Holtzman, health information privacy specialist at the Department of Health and Human Services’ Office for Civil Rights, says organizations that successfully create a culture of compliance and promote good data stewardship will “be at lower risk of having a breach or having your data sitting on a laptop that’s unprotected in the airport or in somebody’s car while it’s parked at the grocery store.”

He also contends that “Those organizations that have good foundations of policies and procedures respond better to incidents.”

Based on the breach incidents reported so far, Holtzman also advises healthcare organizations to:

  • Make widespread use of encryption, especially for data stored on various devices, including laptops.
  • “Do not neglect physical safeguards for areas where paper records are stored and used.”
  • Consider reducing risk by using network or enterprise storage rather than storing protected health information on devices, such as laptops or desktops.
  • “Create clear and well-documented administrative and physical safeguards for storage devices and removable media” that are used to store protected health information.

Healthcare organizations must comply with the interim final version of the HITECH Act breach notification rule until the final version is issued, federal officials stress. This week, Susan McAndrew, deputy director for health information privacy at the HHS Office for Civil Rights, said the final version will be released later this year as part of an omnibus rulemaking package, which also will include final modifications to HIPAA.

It remains to be seen whether the final version of the breach notification rule will modify, clarify or eliminate the harm standard, which enables organizations to conduct a risk assessment to determine whether a breach incident represents a significant risk of harm and thus merits reporting. Some members of Congress would like to see the provision eliminated in favor of requiring that all breaches be reported. We’re hoping the final version of the rule, at the very least, greatly clarifies the “risk of harm” provision.

Original Story at Gov info security
