Compliance, Protection, Recovery: A Layered Approach to Laptop Security for Healthcare Organizations

By : Absolute Software
Published : Mar 06, 2008
Length : 13
Type : White Paper
Overview :
Electronic health records pose new IT risks for healthcare organizations. This paper discusses IT asset tracking solutions to meet the challenges of laptop theft, mobile data protection and HIPAA compliance. The ability to track computers off the local area network (LAN), physically recover stolen laptops and remotely delete data provides layers of data protection beyond encryption.
Related Categories: Data Protection, HIPAA Compliance, Mobile Computing, Records Management, Risk Management, Security Management

In an attempt to streamline inefficiencies, reduce errors and drive down the costs associated with delivering medical coverage and care, healthcare organizations worldwide have transitioned abruptly from a largely paper-based administration system to one based on electronic health records (EHRs). While the widespread adoption of EHRs and new mobile computing technology has narrowed the administrative gap between healthcare and the standards of other industries, it has exposed another, new threat: data breaches associated with lost or stolen computers. This, coupled with recently enacted governmental legislation specifically tasking healthcare organizations with controlling access to electronic protected health information (EPHI), has created a new challenge for healthcare Information Technology (IT) departments.
With EPHI stored on laptop computers in the hands of physicians, nurses, HMO brokers and insurance underwriters, health organizations face negative publicity, fines and increased costs if even a single laptop goes missing. Healthcare IT professionals must now demonstrate that they can accurately track computers, protect the information on them and plan effectively for possible loss or theft.
According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must use some form of encryption to protect EPHI that is stored on open networks such as laptops [2]. However, encryption alone does not protect health organizations from the human factor. According to a recent survey of 1,400 enterprises, more than 60% of data breaches are the work of those operating within the firewall – insiders such as employees, contractors and others with ready access to sensitive information [3]. Intentionally or unintentionally, insiders such as physicians and HMO brokers with wide-ranging access to both EPHI and the necessary passwords and encryption keys represent a glaring hole in security policies that rely heavily on encryption alone.
Single-point security solutions cannot adequately protect healthcare organizations from all points of possible data breach. Instead, a multifaceted or layered approach to computer security and data protection is required, composed of “CPR” (Compliance, Protection and Recovery):
- Compliance – Complying with all applicable mobile data protection regulations, with an easily accessible audit trail
- Protection – Protecting data on mobile computers includes encryption, strong authentication and the ability to remotely delete sensitive data on stolen devices
- Recovery – Recovering lost or stolen devices returns them to the control of the organization and facilitates prosecution.
By adopting the multilayered CPR approach to computer security, healthcare organizations can minimize the risks to health information resulting from lost or missing computers. Together, documented security policies, physical theft prevention, accurate IT asset tracking, encryption, remote data delete and theft recovery capabilities provide the highest level of protection available to healthcare organizations.
In 2008, one in every two computers in the world will be a laptop [5]. Health organizations including health maintenance organizations (HMOs), clinics, hospitals and related organizations such as pharmacies and home care services are participating in this trend. At the same time, pressure to drive down costs and improve administrative efficiency has fueled a convergence of electronic protected health information on laptops [6]. Together, these trends make healthcare organizations uniquely profitable targets for would-be identity thieves and other computer criminals.

For Payers
Unlike their colleagues in other areas of corporate business who may have access to isolated pieces of personally identifying information such as an address or credit card number, information contained in the laptops of healthcare organizations is incredibly comprehensive [7]. Serving as a vital connection point between employers, individuals and a myriad of provider contacts, payer records typically include names, social security numbers, treatment information, credit histories, physical addresses and current contact information. Because this information is often handled by a complex network of third-party brokers, sales managers, admin. staff and underwriters – many of whom take their laptops home – payers are natural targets for sophisticated computer criminals such as identity thieves.

For Providers
The access to information afforded by laptop computers enables anytime, anywhere decision making in a provider environment while dramatically reducing opportunities for errors in administrative processes. Operating on the mantra that health information should be at the bedside because that is where the patient is, physicians, nurses and admin. staff use laptops containing EPHI such as treatment information. However, holdovers from paper-based administrative systems often mean these laptops also contain non-clinical data used as patient identifiers – most often social security numbers.