Five Common Security Issues Threatening Your Healthcare Facility
Staff-related issues and the complications of new technologies were among the topics covered Tuesday by Jim Sheldon-Dean, BS, MS, founder and director of compliance services at Vermont-based consulting firm Lewis Creek Systems, LLC, during a session on mitigation strategies for top HIPAA security issues.
Sheldon-Dean presented results of a recent project completed in partnership with Vermont’s designated statewide regional extension center, Vermont Information Technology Leaders (VITL). The project provided assistance with risk analysis to nine critical access hospitals. Among the problems addressed were five common security issues that emerged for multiple providers. The security issues included:
1. Portable devices and remote access. The rapid spread of devices such as smartphones and tablets into healthcare facilities has challenged organizations to keep their security policies relevant and effective for new technology. Plenty of options exist to make these devices secure, Sheldon-Dean said, but a lack of proper policies and user training presents the biggest issue. And while training is important, audits to make sure users are following protocol are essential. “Encryption is great. But a dumb user will get you every time,” he noted.
Mitigation strategies included restricting access to protected health information, data wiping programs, remote access that provides multiple authorization factors, and taking charge to restrict vendor access.
2. Adverse events. When an adverse event—which can be anything from a security breach to a natural disaster—happens in your facility, you don’t have time to figure out how to handle it. Having a plan already in place is key. “Drills are some of the most valuable things you will ever do,” Sheldon-Dean said.
Preparing for adverse events is a long-term and essential project that requires a planned-out schedule and effective time and goal management.
3. Security awareness and training. Adequate training on security policies and processes—and the follow-up to make sure that training sticks with staff—becomes increasingly important as new technology continues to change the game. Sheldon-Dean advised that HIM professionals should encourage all staff to come to them with questions regarding new technology adoption or uses, and recommended using news stories to humanize security issues and help staff relate better to the policies and risks they mitigate.
4. Policies and procedures. During the project with VITL, Sheldon-Dean found that many facilities had a vast number of overlapping and inconsistent policies in place, which rendered them unmanageable. He recommended developing concise policies that are easy to find and understand and are tailored to the users.
5. Compliance documentation. Sheldon-Dean recommended leveraging resources such as the HIPAA Audit Protocol (http://ocrnotifications.hhs.gov/hipaa.html) and the National Institutes of Science and Technology HIPAA Security Rule Toolkit (http://scap.nist.gov/hipaa/) to make sure documentation is prepared and managed properly.
HIM professionals need to implement strategies for mitigating these security issues, but following up on them regularly is the most important step. “Just work out your plan and start the process one bite at a time,” Sheldon-Dean said.
Follow the news and get insights from AHIMA’s 84th annual Convention and Exhibit being held October 1-3 in Chicago, IL. New articles covering the event will be posted daily. Look for special e-Alert announcements October 1-3 linking you to a full online edition of AHIMA Today, the on-site convention newspaper.