Health IT Week: Keeping Your Data Safe

It’s Health IT week! IT, and specifically electronic health records, has become a crucial component of modern healthcare. Good use of technology can make an occupational health office more efficient and patient-focused. It can free up valuable office space by removing paper-based filing cabinets and allow quicker access to patient records. A good electronic system can also improve reporting and medical surveillance for vaccinations and required health screenings.

At the same time, electronic systems can become a security risk for the organization. The last several years have seen high-profile corporate breaches and ransomware attacks that have crippled hospital systems for days or weeks. Patient records have been compromised, and sensitive health information has been exposed. How can you best protect your information?

Data breaches can result from independent or state-sponsored hackers, malicious insiders, lost or stolen laptops or cellphones, or employee error. Any organization that houses personal health information (PHI) falls under HIPAA’s privacy rule, which details data safeguards a covered entity must take, including reasonable and appropriate administrative, technical, and physical safeguards to protect PHI. The HITECH Act of 2009 further strengthens the civil and criminal enforcement of HIPAA rules. Any company that houses PHI data must have an adequate security budget and dedicated security staff.

While it is difficult to defend against a dedicated attacker, information security is best played on offense. A good security awareness program should have top-level support from the C-suite and should be ingrained in the business culture. Establishing a culture of security is critical. Here are a few suggestions for your company to consider:

  • Train employees on appropriate IT security measures and enforce the rules. Limit the number of people who can access sensitive data.
  • Ensure that your IT security team looks at logs and reports daily. Having an unauthorized hacker on the network is a bad thing, but letting that hacker go unnoticed for months could be a disaster.
  • Stay up to date with peers and learn from industry best practices. You do not want to wake up one morning and find your security program is obsolete.
  • Know where sensitive data is located on the network. Conduct regular inventory sweeps of your data. If you do not know where the data is, you cannot know if it is adequately protected.
  • Don’t house sensitive data that is not required to do business. If you don’t need Social Security numbers, salary information, or email addresses, don’t keep them.
  • Encrypt your data. Encryption is a key component in the information security chain and should not be overlooked. Establishing encryption protocols is a must for organizations that are truly dedicated to securing their data.
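To make the second suggestion concrete, here is an added example (not code from the original post or from any EHR vendor) of the kind of daily audit-log review an IT security team can automate. It parses a constructed set of EHR access audit lines in an assumed format (`<timestamp> user=<id> action=<verb> patient=<record id> src=<ip>`) and flags two things a reviewer would want to see first: record exports outside assumed business hours, and any account that touched an unusually large number of distinct patient records in one day. The threshold, hours, usernames and record ids are all assumptions for the sake of illustration.

```python
"""Daily review of an EHR access audit log: flag after-hours exports and
accounts that touched an unusual number of distinct patient records.
Added example; the log format, hours and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, time

# Assumed audit-line format: "<ISO timestamp> user=<id> action=<verb> patient=<mrn> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) src=(?P<src>\S+)$"
)

BUSINESS_START = time(7, 0)      # assumed clinic hours
BUSINESS_END = time(19, 0)
MAX_DISTINCT_PATIENTS = 3        # assumed per-day threshold; tune to real volumes

# Constructed sample log (not from any real system); the last line is
# deliberately malformed so the reviewer sees parse failures counted, not dropped.
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:12:03 user=nurse_a action=view patient=MRN1001 src=10.0.5.21
2024-03-04T08:13:40 user=nurse_a action=view patient=MRN1002 src=10.0.5.21
2024-03-04T09:02:11 user=dr_b action=view patient=MRN1003 src=10.0.5.30
2024-03-04T14:30:00 user=dr_b action=update patient=MRN1003 src=10.0.5.30
2024-03-04T22:41:55 user=clerk_c action=export patient=MRN1004 src=10.0.5.40
2024-03-04T22:42:10 user=clerk_c action=export patient=MRN1005 src=10.0.5.40
2024-03-04T22:42:31 user=clerk_c action=export patient=MRN1006 src=10.0.5.40
2024-03-04T22:43:02 user=clerk_c action=export patient=MRN1007 src=10.0.5.40
this line is malformed and must be counted rather than silently ignored
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_audit_log(text):
    """Scan one day of audit lines and return findings plus a malformed-line count."""
    findings = []
    patients_by_user = defaultdict(set)
    malformed = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            malformed += 1          # a gap in the log is itself worth a look
            continue
        patients_by_user[rec["user"]].add(rec["patient"])
        t = rec["ts"].time()
        # Bulk export of records outside clinic hours is a classic exfiltration signal
        if rec["action"] == "export" and not (BUSINESS_START <= t < BUSINESS_END):
            findings.append(("after_hours_export", rec["user"], rec["patient"]))
    # One account reaching far more distinct patients than its role needs
    for user, patients in sorted(patients_by_user.items()):
        if len(patients) > MAX_DISTINCT_PATIENTS:
            findings.append(("high_volume_access", user, len(patients)))
    return {"findings": findings, "malformed_lines": malformed}


if __name__ == "__main__":
    result = review_audit_log(SAMPLE_AUDIT_LOG)
    for f in result["findings"]:
        print(*f)
    print("malformed lines:", result["malformed_lines"])
```

Run against the constructed log, every finding points at the same account (`clerk_c`): four after-hours exports and a distinct-patient count above the threshold. The malformed-line counter matters as much as the findings; a log that suddenly stops parsing is exactly the sort of thing that lets an intruder go unnoticed for months.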