ADVANCE for Imaging & Radiation Oncology

Features
Theft Prevention

The top five IT security risks health care facilities face in preventing identity theft.



Absolute Software Corp., a provider of firmware-based computer theft recovery, data protection and secure asset tracking solutions, conducted a study that identified the five computer security risks health care facilities most often face in preventing identity theft caused by data breaches.

Identity theft as a result of stolen or misplaced computers that contain sensitive information has escalated. According to privacyrights.org, there were at least 46 U.S. data breaches involving 62 stolen or lost computers at health care facilities in 2007, resulting in almost five million compromised identities.

"We work with a number of health care organizations," says John Livingston, CEO of Absolute Software. "We asked them to name their top five issues. We gathered what we were consistently hearing among the group and compared it to information we found on privatesurveys.org."

The recent wave of identity theft is especially evident at health care facilities, where a single stolen computer can hold the most personal information of thousands of people. Through its work with health care organizations, Absolute identified the computer security risks most often faced by hospital systems, health maintenance organizations and others responsible for electronic protected health information. Here is a rundown of each risk area.

Failure to protect sensitive data

Under the HIPAA Security Rule, encryption of electronic protected health information (EPHI) is an addressable safeguard, both for data at rest on portable devices such as laptops and for data sent over open networks. However, a recent Research Concepts survey found that 72 percent of IT asset managers believe their own employees (the people who already hold encryption keys and passwords) were responsible for most of the data-breach incidents in their organizations. With lost or stolen mobile computers cited as the cause of nearly 50 percent of data breaches, health care organizations should complement encryption with the ability to remotely delete EPHI from missing computers. A caveat for practitioners: a remote wipe only takes effect if the missing device comes back online with the agent intact, so encryption with a key the thief does not hold remains the control that does not depend on the thief's cooperation.

Livingston says published statistics from Gartner show that when theft takes place in an organization, 30 percent of the time an external party is responsible, such as someone stealing a laptop from a car or posing as a courier and walking off with one. Because health care facilities are public places, Livingston notes, they are exposed to theft by outsiders. Good encryption software helps in those situations, but only if the passphrases that unlock it are strong and are not kept with the device.

"There are a number of things one can do with encryption codes," he says. "Change the password frequently, use long characters involving letters and symbols, don't write the password on sticky notes. Try and string two words together and make a phrase the password."

Strong passwords are also a shield against internal theft by people who have regular access to the building. In many cases, though, Livingston says, passwords alone may not be enough.

"With embedded antitheft technology," he explains, "we can stay in contact with the computer when it is stolen. As soon as the thieves attempt to access the information, we can begin deleting sensitive material while tracking their physical location."

Inability to accurately manage mobile assets

To meet HIPAA's audit requirements, health care organizations must keep an accurate inventory of their computers: how many there are, to whom each is assigned, who logs in to them, what software is installed and where each machine physically is. Recent studies show that most organizations can locate only about 60 percent of their mobile computer assets; a device that cannot be located cannot be shown to have been encrypted, patched or wiped.
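As an added example (not code from the article and not Absolute Software's product), the following Python script reconciles a device inventory against agent check-in records the way an asset audit would: it reports devices that never report in, devices not seen within a staleness window, devices seen with an unexpected user or site, devices without recorded disk encryption, and unregistered devices that report in anyway, and it computes the "locatable" fraction the 60 percent statistic describes. The inventory rows, the check-in log, the column names, the 14-day threshold and the audit date are all constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical column names): one row per device
# with its assigned user, assigned site, and whether full-disk encryption was
# recorded at deployment.
INVENTORY_CSV = """\
asset_tag,assigned_user,assigned_site,fde_enabled
LT-1001,rjones,ER-North,yes
LT-1002,mlee,Oncology-2,yes
LT-1003,svarga,Radiology,no
LT-1004,kpatel,Oncology-2,yes
"""

# Constructed check-in log, as a tracking agent or login audit might report it:
# asset tag, timestamp, logged-in user, and the site the device reported from.
CHECKINS_CSV = """\
asset_tag,seen_at,login_user,site
LT-1001,2007-11-20T08:12:00,rjones,ER-North
LT-1002,2007-11-21T17:45:00,mlee,Oncology-2
LT-1002,2007-11-22T09:03:00,unknown,Offsite
LT-1004,2007-10-01T12:00:00,kpatel,Oncology-2
LT-9999,2007-11-22T10:00:00,guest,Lobby
"""

# Point in time the audit is run (constructed to match the sample data).
AUDIT_TIME = datetime(2007, 11, 23)


def load_csv(text):
    """Parse an inline CSV document into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_assets(inventory_csv, checkins_csv, now, stale_after=timedelta(days=14)):
    """Reconcile the inventory against check-ins.

    Returns (findings, located_fraction): findings maps an asset tag to a
    sorted list of problems; located_fraction is the share of inventoried
    devices that checked in within `stale_after` of `now`.
    """
    inventory = {row["asset_tag"]: row for row in load_csv(inventory_csv)}
    last_seen = {}
    findings = {}

    def flag(tag, message):
        findings.setdefault(tag, []).append(message)

    for rec in load_csv(checkins_csv):
        tag = rec["asset_tag"]
        seen = datetime.fromisoformat(rec["seen_at"])
        if tag not in inventory:
            # A device that reports in but is not on the books is itself a
            # finding: the inventory is incomplete or the tag is not genuine.
            flag(tag, "unregistered device checked in from %s" % rec["site"])
            continue
        last_seen[tag] = max(seen, last_seen.get(tag, seen))
        expected = inventory[tag]
        if (rec["login_user"] != expected["assigned_user"]
                or rec["site"] != expected["assigned_site"]):
            flag(tag, "seen as '%s' at %s, expected '%s' at %s" % (
                rec["login_user"], rec["site"],
                expected["assigned_user"], expected["assigned_site"]))

    located = 0
    for tag, row in inventory.items():
        if tag not in last_seen:
            flag(tag, "no check-in on record")
        elif now - last_seen[tag] > stale_after:
            flag(tag, "last check-in %d days ago" % (now - last_seen[tag]).days)
        else:
            located += 1
        if row["fde_enabled"].strip().lower() != "yes":
            flag(tag, "no full-disk encryption recorded")

    for problems in findings.values():
        problems.sort()
    return findings, located / len(inventory)


if __name__ == "__main__":
    findings, located = audit_assets(INVENTORY_CSV, CHECKINS_CSV, AUDIT_TIME)
    for tag in sorted(findings):
        for problem in findings[tag]:
            print("%s: %s" % (tag, problem))
    print("located within 14 days: %.0f%%" % (located * 100))
```

On the constructed data the audit locates only half the fleet: one laptop has never reported in and also lacks recorded encryption, one has been silent for weeks, one was last seen off site under an unknown account, and a tag nobody inventoried is reporting from the lobby. The same reconciliation runs unchanged against a real inventory export and agent log with matching column names.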

Sensitive information on public terminals

Many health care facilities allow information to be accessed on open-area terminals, such as nursing stations, public information kiosks and help desks. These workstations are at high risk of data breach: a session left logged in lets anyone walk up, read and download records. Unattended stationary computers should be monitored, should lock automatically after a short idle period, and should require authentication before the session can be resumed.

According to Livingston, these scenarios raise the issue of balance between security and manageability. A company or hospital wants to make everything easily accessible, but it also needs to be certain that the accessibility has the proper protections.

"Make sure any information on a public terminal is restricted from casual glancing of the screen, or install strong authentication software," he says.

Difficulty implementing a data-security plan

Health care facilities need a comprehensive plan for securing computing assets and sensitive information. Asset-tracking and recovery software should be one part of that plan, alongside cable locks, encryption software and strong passwords. The plan must be reviewed and updated regularly to remain effective.

Reluctance to create a data-breach policy

Few health care facilities have "nightmare scenario" policies in place for a data breach. A standard procedure should exist for timely notification of supervisors, law enforcement, patients and the media. During a breach, computer theft recovery software can remotely delete sensitive files and track lost or stolen computers, and the vendor can work with local law enforcement to recover them.

"A lot of facilities turn their attention to prevention, but don't know how to react if a breach actually occurs," says Livingston. "Most of the time it's the 'It's not going to happen to me' attitude. We have to look beyond that and get proactive with our IT security."

Jim Boyle is assistant editor for ADVANCE for Health Information Executives.




     
