Giving You a Headache? 21

portable computer workstations (14%). “Electronic medical record systems, servers, and email messages also are vulnerabilities. But they are less statistically significant,” Greene added.

In breaking down the same healthcare data-breach stats by the processes involved, Greene said that, “Hackers are indeed a problem, but they are not as significant to healthcare CIOs as their portrayal in the media might lead executives to believe. Hackers account for only 5% of data breaches, while thieves account for 52%.”

Following thieves are unauthorized disclosures: incidents in which someone who is not authorized to see HIPAA-protected patient data is nonetheless exposed to it. Those account for 20% of data breaches, and they can happen in any number of ways. In one scenario, a doctor intends to send PHI to Patient A, but the email client autocompletes the “To:” field with Patient B's address. Finally, outright loss of data accounted for 16% of breaches, and improper disposal of data for 6%.

“What this highlights is [that] in the race to have top-notch technical safeguards, it’s very important to not underestimate the importance of both administrative and physical safeguards, because those are going to be the tools, oftentimes, for fighting theft and loss,” Greene said. “Most healthcare data breaches can be prevented with one simple technology fix: Encrypt, encrypt, encrypt.”

Best Practices for Mobile Health Security

As mobile health technology advances, smartphones, tablet PCs and other devices small enough to fit in a coat pocket will create more, and more attractive, targets for thieves. When such a device stores unencrypted patient data locally, theft equals data breach.

To that end, Greene, Lin, and Poropatich offered several tips to CIOs creating or tuning up their security schemes for mobile health patient interactions:

• Perform a risk analysis before implementing mobile technology: Identify weak points and address them before rollout. For example, if you distribute protected health information to smartphones, walk through the scenario of a physician or patient losing the phone, and decide well in advance of any breach how the data stored on it will be protected.

• Create and enforce sound employee policies that prevent improper sharing of information: Privacy and security are separate concerns and are maintained in different ways. Patient privacy is typically maintained through an organization’s written policies, which cover everything from password sharing to data disposal and must also provide for enforcement when mistakes are made. Security, meanwhile, is the technology, such as encryption, that keeps unauthorized parties away from HIPAA-protected data.

• Make security simple: If a password is too hard to remember, or too hard to come up with in the first place, employees and patients will not use it or will create workarounds. The same goes for routines built around security policies. One example of such a routine is a PC workstation set up to log users off automatically after a period of inactivity, so that unauthorized parties cannot view open medical records.

• Consider an open messaging system: Phones and their networks can be less secure than a PC. If you are texting or emailing patients reminders about routine care matters (for example, upcoming appointments, tests, or prescription refills), perhaps the most secure HIPAA-compliant method is to make the message itself free of protected health information. One way to do this is to write something along the lines of “Your doctor has an important message for you at …” and refer the patient to a secure Web link where they must log on with a password to get the specifics. “This method keeps sensitive information stored in the cloud, not locally on a phone that can be hacked or lost,” Poropatich said.

• Use two-factor, bidirectional authentication: For example, check both a password and a token, and check them at both the device level and the server level. This confirms that the person logging onto the Web link to retrieve a message is the actual patient, and it provides an additional safeguard before HIPAA-protected information is pushed to a smartphone. The other direction, the device verifying the server it is talking to (in practice, the server's TLS certificate), is what keeps a patient from handing both factors to a look-alike site.
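The open-messaging and two-factor tips above, worked as one added example (this is illustration code, not code from the article or from Greene, Lin or Poropatich). It assumes an in-memory portal, PBKDF2 password hashing, an RFC 6238 TOTP code as the “token”, a hypothetical portal URL and a constructed patient record; the server-to-device direction of the bidirectional check is left to the HTTPS connection and is not simulated. The outbound notice is checked against the record before it is sent, the link carries only an opaque random reference, and the PHI is released only after both the password and the TOTP code verify on the server.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional, Tuple

# Constructed sample record (not real data). Everything except "id" is PHI
# and must never appear in the outbound SMS or email.
PATIENT = {
    "id": "p-001",
    "name": "Alice Example",
    "phone": "+1 555 0100",
    "diagnosis": "type 2 diabetes",
    "medication": "metformin",
}
PHI_FIELDS = ("name", "phone", "diagnosis", "medication")
PORTAL_URL = "https://portal.example.org/messages"  # hypothetical portal


def contains_phi(text: str, patient: dict) -> bool:
    """True if any PHI field value from the record appears in text (case-insensitive)."""
    lowered = text.lower()
    return any(patient[field].lower() in lowered for field in PHI_FIELDS)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps, 6 digits), as authenticator apps compute it."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Portal:
    """Server side: holds the PHI and releases it only after password + TOTP verify."""

    def __init__(self) -> None:
        self.users = {}     # patient id -> (salt, password hash, TOTP secret)
        self.messages = {}  # opaque reference -> (patient id, message body)

    def enroll(self, patient_id: str, password: str, totp_secret: Optional[bytes] = None) -> bytes:
        salt = os.urandom(16)
        totp_secret = totp_secret or secrets.token_bytes(20)
        self.users[patient_id] = (salt, hash_password(password, salt), totp_secret)
        return totp_secret  # provisioned to the patient's authenticator out of band

    def queue_message(self, patient: dict, body: str) -> Tuple[str, str]:
        """Store the PHI server-side; return (PHI-free notice, opaque reference)."""
        ref = secrets.token_urlsafe(16)  # random; reveals nothing about the patient
        self.messages[ref] = (patient["id"], body)
        notice = f"Your doctor has an important message for you at {PORTAL_URL}/{ref}"
        if contains_phi(notice, patient):
            raise ValueError("notification would leak PHI; refusing to send")
        return notice, ref

    def fetch(self, ref: str, password: str, code: str, now: Optional[int] = None) -> Optional[str]:
        """Return the message body only if both factors verify; None otherwise."""
        now = int(time.time()) if now is None else now
        entry = self.messages.get(ref)
        if entry is None:
            return None
        patient_id, body = entry
        salt, pw_hash, totp_secret = self.users[patient_id]
        # Evaluate both factors before deciding, so a wrong password does not
        # short-circuit into a faster (observable) rejection.
        password_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
        # Accept the current 30 s step and one step either side for clock skew.
        code_ok = any(hmac.compare_digest(totp(totp_secret, now + d), code) for d in (-30, 0, 30))
        return body if (password_ok and code_ok) else None


def demo(now: int = 1_700_000_000) -> dict:
    """Run the flow once with constructed inputs and return what each step produced."""
    portal = Portal()
    password = "correct horse battery staple"
    secret = portal.enroll(PATIENT["id"], password, b"12345678901234567890")  # fixed for the demo
    body = f"{PATIENT['name']}: your A1c result is in; please refill {PATIENT['medication']}."
    notice, ref = portal.queue_message(PATIENT, body)
    return {
        "notice": notice,
        "good": portal.fetch(ref, password, totp(secret, now), now),
        "bad_password": portal.fetch(ref, "wrong", totp(secret, now), now),
        "stale_code": portal.fetch(ref, password, totp(secret, now - 300), now),
        "bad_ref": portal.fetch("no-such-ref", password, totp(secret, now), now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pre-send check is deliberately a hard failure rather than a redaction: a template that can carry PHI at all is the bug, and the message with the clinical content belongs behind the login, not in the notice.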

“Privacy is what you’re trying to achieve,” Lin said, “Security is what you do to get that.”


