Answer:
Health organizations should adopt the “three E’s” in developing their patient data security program:
Evaluate: Conduct an appropriate risk analysis to catalog the location of patient data and the security measures in place to protect that data.
Educate: Implement comprehensive and consistent security training for the workforce and user base.
Exercise: Hold simulated cyber incidents to test the organization’s response under controlled conditions.
Explanation:
While new technologies promise to transform patient care, they also complicate the task of securing patient data, and that data will remain a lucrative target for attackers. Healthcare providers need to recognize the evolving security challenges in this increasingly complex environment.
“Understanding the landscape that you are operating in as an individual organization is key to being prepared. The greater the complexity of the security and data sprawl, the more complex the security data architecture models end up being,” observed Fernando Martinez, senior vice president and chief digital officer at the Texas Hospital Association, in a September 2018 HealthITSecurity.com webcast.
“Being prepared and understanding how all of these things are shaping up in your environment is exceedingly important. How you identify and manage your environment is key to being prepared,” he added.
Martinez recommended organizations conduct risk analysis to ensure patient data is secured and HIPAA compliance is met. A full 88 percent of the 42 organizations that have paid fines to the Office for Civil Rights (OCR) failed to conduct a sufficient risk analysis, he noted.
In a May 2018 article, OCR explained that a risk analysis is neither a penetration test nor a compliance gap assessment. Rather, it must include an inventory of all information assets used to create, maintain, retrieve, or transmit patient data, together with the threats, vulnerabilities, likelihood, impact, and controls associated with that data.
“Most organizations have much of this in some form, but they don’t have a cohesive, singular tool or solution that can bring it together and provide a risk analysis picture for the organization,” Martinez said.