Breach Prevention: Setting Priorities
Two Experts Offer Practical Advice
Failure to follow basic information security practices is a big reason behind many healthcare breaches, says security specialist Mac McMillan.
"This is about people not paying attention to assets, not encrypting things where they should, not providing adequate physical protection," says McMillan, CEO of the consulting firm CynergisTek. He made a presentation with Adam Greene, partner at the law firm Davis Wright Tremaine LLP, at the Healthcare Information and Management Systems Society Conference in Las Vegas.
The top lessons from major healthcare information breaches, according to McMillan and Greene, are:
- Be less concerned with hackers, and more concerned with employees. "Over half of the large breaches have been due to a single cause - theft," Greene says.
- Don't forget to protect paper records. Too often, boxes of medical records are improperly disposed of, Greene says.
- Closely monitor business associates. With about 22 percent of breaches, including many of the largest incidents, caused by business associates, Greene says organizations need to go beyond spelling out expectations in business associate agreements to carefully review and continually monitor business associates' security practices. Organizations need to start with both a legal and security review during the vendor selection process. "If you're going to share PHI with a vendor, doesn't it make sense that they should be able to demonstrate they have a security program before you even select them for consideration?" McMillan asks.
- Be aware of costly sanctions. Massachusetts General Hospital paid $1 million to settle a case involving paper records left on a subway that led to a violation of the HIPAA privacy rule. "If you take the government at its word, it wasn't just a breach, it was an accident waiting to happen," Greene says, referring to the case.
- Conduct a thorough risk assessment. Identify all points of risk within the organization and decide where improvements need to be made, McMillan says.
- Adopt an industry-recognized information security framework as the yardstick for measuring the security program. Examples McMillan points to include the Health Information Trust Alliance's Common Security Framework (HITRUST CSF) and the National Institute of Standards and Technology's (NIST) risk assessment model.
- Devote adequate resources to information security technology and training. Healthcare spends about half of what other industries devote to information security, McMillan contends.