Time and again, the US healthcare industry is struggling to defend against the threats to patient data security. But, despite all patient data protection measures taken by the US government, the HIPAA covered entities – medical claims billing and allied organizations, data security breach incidents are still uncontrollable and the breach list is increasing day by day. It is projected that, after the technological advancements, patient data leaks or data losses have not stopped but crossed several hundred in numbers, affecting millions of individuals and costing several hundred million dollars.
Patient Data at risk
On analyzing the recent data leaks, it is found that the following patient data is at risk.
- Patient demographic information
- Patient clinical data
- Patients’ credit, billing and financial information
Causes for Data Leaks
Data leak incidents are high in the US healthcare billing industry involving hospitals, medical claims billing, medical claims processing and other patient data processing entities on a great scale. Also, most of the patient data leaks that happened in the United States belonged to one of the below listed causes
- Phishing – external hackers hacking the secure data of a company
- Insider dealing
- Lethargic attitude
- Poor data security control
- Data theft
- Natural Disaster
- Data migration
- Technology glitches
Information security guidelines to check data leaks & data losses:
All healthcare organizations that deal with patient data should take ownership of patient data security and follow certain guidelines to eliminate threats.
- Portable media policy: These days, most of the healthcare billing organizations follow the ‘portable media policy’ that bans bringing portable storage devices inside work environment. This has to be strictly followed by all healthcare organizations and by all healthcare professionals irrespective of the designation. Prior approval can be given for genuine reasons and that has to be in records. Many researches confirm that banning portable media inside work environment has controlled data thefts to a great extent.
- Multiple Back-up of computer files: Maintaining back-up of computer files is crucial to avoid patient data loss. Taking multiple back-ups of the computer files is inevitable to avoid the probability of data loss due to missing of the back-up files. Also the back-ups should be stored in different locations to avoid data loss due to any unforeseen circumstances.
- Restricted Internet access: A main threat to data security is full access to internet. It is essential that medical claims billing and medical claims processing organizations have control over providing unrestricted internet access to their employees. In certain cases, even unintentional sharing of certain information on internet can lead to data leaks. Moreover, using of file sharing websites and using instant messaging to pass on confidential patient information among peers can be a major threat to patient data security.
- Streamlined Corporate communications: Organization have to be careful while sharing corporate information on social sharing websites. Most of the social sharing websites are meant for connecting with peers, friends and professionals. There are also professional websites meant for sharing of corporate communications, industry related discussions and adverts. It is always good for healthcare professionals who wish to communicate with other professionals through any social sharing web sites, to draft the data to be published, proof read it for any confidential information and then post it. Healthcare organizations should also ensure that unknowingly they don’t add any confidential patient information on their websites.
- Restriction to Shared network: Common sharing of patient data files, remote access to the system, and accessing secure patient data through wireless network can also become a threat to secure information and should be avoided, unless it is an urgent situation.
- Stringent email policy: Organizations should take care that unrestricted email access should only be provided to healthcare professionals for whom, email communication is a must. Webmail access is another important threat to patient data. Usually, the webmail access is provided for employees who travel often or have the option of working from home. Though there is a need to access the emails from a remote place, access can be provided only on a need basis in order to control unethical webmail access. Healthcare professionals should be well trained on information security guidelines pertaining to email policies.
- Media destruction policy: Healthcare professionals have to be cautious while destroying Unwanted or old patient data. Following stringent data destruction policy irrespective of whether the data it is electronic or paper will control data leak of confidential information.
- CCTV monitoring: Using CCTV (The closed circuit television) in work environment for surveillance purposes can prevent intrusion of unauthorized people in to entry restricted zone.
- Biometric access control: Having bio-metric access control in the work place is crucial to prevent intruders who may act as information carriers, from entering the secure work environment. Bio-metric access control makes sure that only authorized people enter the work place and thereby protecting patient information.
Most of the above guidelines can be achieved by having a proper ‘system security plan’ that helps in controlling data leaks & data losses.
Following the US Healthcare Complaince policies– HIPAA, a must:
There are several healthcare compliance policies and rules that lay emphasis on information security. We all know that HIPAA (Health Insurance Portability and Accountability Act) is the most specific compliance policy focusing on patient data security. But, only a few organizations are HIPAA compliant in terms of completely satisfying the demands of patient data security. To ensure safety of patient data, every healthcare organization should ensure that it follows HIPAA and other information security policies.