Erin Harris, Editor, Health IT Outcomes
With all the talk about ensuring the security of PHI (protected health information) in the EHR era, 2012 was still a year riddled with health data breaches. As a matter of fact, one of the largest data breaches ever recorded by the HHS occurred last year when a server at the Utah Department of Health containing the PHI of some 780,000 patients was hacked.
Hacking is just one cause of PHI breaches. In fact, a majority of data breaches typically result from a lost or stolen laptop or mobile device left unencrypted. Other breaches occur when employees (or former employees) download, email, or inappropriately share patient information.
I’d like to say that events of 2012 have appropriately alerted healthcare providers to the PHI problem, but there is a high likelihood that data breaches could get worse before they get better. Why? Because we as an industry continue to add complexity to our health IT systems before we fully understand how to secure them. For example, we’re not just talking about EHRs and laptops anymore. PHI is now increasingly being accessed on smartphones and tablet devices that access networks via Wi-Fi and cellular connections. Similarly, clinicians and other healthcare employees now use email and social networks to communicate with colleagues and patients. There are more data endpoints and transmission mediums to consider than ever before, and securing this entire ecosystem is a challenging puzzle.
However, one can’t help but be encouraged by the data presented in our health IT trends survey this year. The focus being placed on securing PHI ranked second only to EHR Adoption & Meaningful Use — an initiative receiving encouragement from federal incentive dollars. Hopefully, 2013 will prove to be the year providers make much-needed progress in the area of PHI security. To do so, consider the following steps:
Appoint a single senior-level executive to be responsible for ensuring the security of PHI in your organization. Couple this with policies for safeguarding your facility’s patient data in nonproduction environments.
Consider all endpoints and mediums that can access and transmit PHI in your security plan. This includes all mobile devices, applications, and social media.
Invest in technologies that transform or mask sensitive data without compromising data integrity. These technologies include encryption, virtualization, mobile device management (MDM), and credentialing/authentication tools.