Saturday, May 30, 2009

Comprehensive and Effective Information Assurance Program

By: Seth A. Cowand, CISSP
Chief Information Security Officer (CISO)
Cooperative Management and Consulting (Cmac)

On May 16, 2009, NewsChannel9.com reported “thousands of medical records discovered in recycle bin” in Chattanooga, TN. How does this happen in today’s environment of increasing scrutiny, regulation, and oversight in the healthcare arena? It boils down to two things: (1) lack of training and awareness, and (2) lack of an effective and comprehensive information assurance (IA) program.

Because this is not the first, and certainly not the last, data breach in healthcare, I would like to provide a short primer on the components of an effective information assurance program. I hope that medical group managers and executives who are reading this information use it to assess whether their respective practice has a comprehensive and effective information assurance program. If it does not, you are opening yourself up to severe fines, liability, and business impact (the average healthcare data breach costs $282 per compromised record).

Information Assurance Program: What makes it comprehensive? What makes it effective?

(1) What makes it comprehensive? First, the organization must take a ‘holistic’ approach. There is a difference between computer security and information assurance. Within the corporate compliance program (CCP), an information assurance program must be holistic, meaning:
• it is designed and implemented enterprise-wide;
• it includes the appointment of an accountable employee or set of employees responsible for coordination of the IA program. The responsible party or parties must be a part of the executive team or report directly to the executive team (i.e. Chief Information Officer, Chief Information Security Officer, Risk Manager, etc.). Hospitals and medical groups commonly make the mistake of placing accountability in the IT group, which is a misguided approach;
• it goes beyond the technology (i.e. computer security);
• it includes processes, procedures, and training to address all areas of IA and the protection of sensitive and protected data, including proper hiring practices;
• it includes hiring a qualified, independent third-party assessor every 2 years to analyze internal and external enterprise-wide risks affecting protected health information, electronic protected health information, personally identifiable information, identity theft, and other protected data classes;
• it must include administrative, technical, and physical safeguards. Safeguards must protect the confidentiality, integrity, and availability of the protected data;
• it includes identification of internal and external risks, monitoring of risk mitigation and elimination, and development of reasonable steps to oversee service providers and business associates that access protected and sensitive information; and
• it includes evaluation and adjustment of the IA program to reflect the results of monitoring, third-party assessments, and internal and external assessments that change corporate operations or the efficacy of the IA program.

(2) What makes it effective? Clearly the Chattanooga, TN medical group described above does not have an effective program. Why not? Effectiveness is interrelated with the notion of a ‘holistic’ information assurance program. If an organization considers security to be IT related, it has missed the mark. In order to be effective, senior leadership and the executive board must have complete buy-in, communicate that buy-in to their respective employees and business associates, and take the proper steps identified above regarding a comprehensive approach. Effectiveness also relates to training and awareness. If executives and medical group managers do not put emphasis on security, they will not implement and require periodic training on security, privacy, and related information assurance topics. According to the Federal Trade Commission, “a well-trained workforce is the best defense against identity theft and data breaches”. Next, effectiveness also requires processes and procedures to be in place to protect against, detect, and respond to security incidents and data breaches. Although no one is ever 100% secure, having a comprehensive security program (technology, policy, procedures, training, and assessment safeguards) in place will mitigate the damage resulting from a data breach and reduce the cost of future liability in legal actions. According to the Federal Sentencing Guidelines for Organizations, organizations are required to: (1) ensure the organization has an effective compliance and ethics program, (2) periodically evaluate the effectiveness of the organization's compliance and ethics program, and (3) periodically assess the risk of criminal conduct and take appropriate steps to design, implement, and modify each requirement to reduce the risk of criminal conduct through this process.

If I could sum this up into one phrase it would be: security is a people problem…not a technology problem.

For more information on healthcare information assurance services and products please visit http://www.cooperativemac.com/

References:
“Thousands of medical records discovered in Recycling Bin”
http://www.newschannel9.com/news/newschannel9-978371-records-afternoon.html

“Protecting Personal Information: A Guide for Business”
http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf

“Data-breach costs rising, study finds”
http://www.networkworld.com/news/2009/020209-data-breach.html