Your local hospital may be doing a good job of keeping patients virus-free, but are they doing the same for their computer systems?
Security of sensitive data within the Healthcare industry has received critieral attention lately as a number of hospitals, surgeries and healthcare providers have been reported to suffer security breaches over the past 24 months.
It’s certainly nothing to sneeze at- an increasing number of healthcare organisations are facing an increasing need to keep sensitive data secure, whether it’s Protected Health Information (PHI), payment card details, or personal employee information.
The reason why this situation exists is simple- the healthcare industry is as big as they come, and when data breaches take place, it can affect anywhere between one patient to 10 million. Information protection is more important than ever before, but not enough healthcare organisations are taking it as seriously as they should. Its a classic yet dangerous mentality that exists – if we haven’t been breached, then we must be secure.
Below are some practices suggested by Health IT Security to strengthen information in the healthcare supply chain:
1. Identify all business associates and third parties by auditing each functional area within the healthcare organization and mapping what individuals and entities have access to PHI as well as Personally Identifiable Information (PII).
2. Prioritise resources on managing third party risk based on:
A. How important is the third party to patient safety or the financial health of the covered entity?
B. Who is storing information? There is often a greater risk associated with the third parties that are storing information than with those who only have access to it.
3. Ask third parties about their measures in place to protect confidential information and detect/respond to security incidents. Request third party security audit reports from critical vendors and/or create a security assessment process for evaluating and managing this risk.
4. Ensure third parties are in compliance with HIPAA Security and Privacy Rule protection requirements and that they are aware that any subcontractors used are also held to these standards.
5. Integrate this vetting methodology in the standard onboarding procedures for new vendors and third parties. Also, third parties should be continuously evaluated, at least annually, but especially in the event of an ownership change such as a merger or acquisition.
To assist in making many of the above steps simpler and to also enable your 3rd parties to generate evidence of safe PHI and PII storage practices, Ground Lab’s Data Recon was designed specifically for this requirement. It enables system owners to search for PHI as well as a wide-range of other sensitive data types across a broad range of corporate data repositories, and then offer some features to remediate and secure any sensitive data found. It’s core brief is to be simple yet accurate, and ensures that complying with HIPAA and other medical industry compliance initiatives won’t lead to any stress-related illnesses.
Read more about our Data Recon and other data discovery tools on our website here.
Source: Healthcare IT Security
Image source: Drossman Gastroenterology