HIPAA and HITECH – Enough to protect your health records?
I’ve been getting a lot of questions about compliance as more companies reveal that they’ve been breached or hacked – so I thought I’d get your feedback on the issue.
While these episodes have businesses and consumers (including me) paying attention, I’ve also started to become more concerned about another source of sensitive, private data: electronic health records (EHR).
Last year, the Identity Theft Resource Center counted 160 breaches in the medical/healthcare industry, representing 24.2 percent of total breaches and close to 2 million records. That’s a huge volume, and a huge concern. Medical records are a veritable gold mine of personal data, often containing the complete package of information criminals need to perpetrate fraud: Social Security numbers, dates of birth and, in many cases, insurance and credit card information.
Because many hospitals and healthcare organizations have received funding through the economic stimulus bill to increase their adoption of EHR, many organizations are making the shift. However, if the adoption of EHR is not conducted with the proper security measures in place, you have a recipe for disaster. Sure, there’s HIPAA and HITECH, but these regulations push organizations to approach the problem from a compliance perspective rather than a security one: passing the audit becomes the goal, not keeping the data safe.
From a security perspective, many organizations that have put specific safeguards in place focus mainly on preventing access by outsiders. However, we now know that the legacy safeguards of yesterday do little to stop today’s more sophisticated malware, and do nothing to prevent insiders from taking the data out. With so much sensitive data in one place, we have to adapt the way we look at the threats and shift tactics to focus not only on compliance, but also on security. We have to stop the bad guys from getting in as well as prevent them from taking your data out. I know this can seem overwhelming from a budget and resource perspective, but it’s got to be our focus going forward, before cybercriminals begin to further exploit the healthcare sector.
Maybe the first way we can begin to tackle this is for you to share how you have shifted your organization’s mindset from simply compliance to now include proactive security. How have you been successful in getting buy-in from your execs on your security spend?