Technology’s reach has extended to almost all sectors, and healthcare is no exception. The digital revolution in healthcare has driven the adoption of cloud computing for electronic medical record capture, enabling collaborative and coordinated care that delivers quality patient care and better clinical outcomes.
Since, according to ONC, at least 76% of acute care hospitals now use EHR systems, patient privacy and data security have become major concerns for the US government. In 1996, Congress enacted HIPAA, the Health Insurance Portability and Accountability Act, to protect an individual’s personal health information. Any electronic record that is created, received, or used is subject to HIPAA regulations.
To ensure that HIPAA is taken seriously, Congress passed the Health Information Technology for Economic and Clinical Health (“HITECH”) Act in 2009. This Act imposes stricter penalties for HIPAA violations and expands the set of entities bound by HIPAA regulations. Business associates of medical offices must now take HIPAA into account. Violators of HIPAA can now pay up to $250,000 in fines and face up to 10 years in jail.
HITECH also demands that all HIPAA-covered businesses prevent unauthorized access to Protected Health Information (PHI). PHI is any information in the medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. Under HIPAA, there are 18 “identifiers”, some of which are: names; geographic subdivisions; all elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; telephone numbers; electronic mail addresses; health plan beneficiary numbers; etc.
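The identifier list above is what a de-identification step must act on before a record can leave the covered environment. As an added example (not code from the original post), the routine below takes a constructed patient record, drops the direct identifiers the post names, reduces date fields to the year that HIPAA allows to remain, and scrubs e-mail addresses and phone numbers that leak into free-text notes. Field names, sample values, and the regular expressions are assumptions for illustration; the routine covers only the identifiers listed above, not the full set of 18.

```python
import re
from datetime import date

# Constructed sample record: a hypothetical patient, every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "birth_date": "1984-03-17",
    "admission_date": "2019-11-02",
    "discharge_date": "2019-11-09",
    "phone": "555-0142",
    "email": "jane.example@example.org",
    "plan_beneficiary_number": "HPB-00012345",
    "city": "Springfield",
    "diagnosis": "J18.9 Pneumonia, unspecified organism",
    "notes": "Patient reachable at 555-0142 or jane.example@example.org.",
}

# Fields holding direct identifiers from the post's list: removed entirely.
DROP_FIELDS = {"name", "phone", "email", "plan_beneficiary_number", "city"}
# Date fields: HIPAA lets the year remain, so they are reduced to the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Assumed patterns for identifiers that tend to leak into free-text fields.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b")


def year_only(iso_date: str) -> str:
    """Keep only the year of an ISO-8601 date; malformed input raises ValueError."""
    return str(date.fromisoformat(iso_date).year)


def scrub_text(text: str) -> str:
    """Replace e-mail addresses and phone numbers embedded in free text."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def deidentify(record: dict) -> dict:
    """Return a copy of record with listed identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # direct identifier: never copied to the output
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # clinical text is kept, scrubbed
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Clinical content such as the diagnosis survives untouched, which is the point: the output is still useful for care coordination or research while no longer naming the patient.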
HIPAA’s Security Rule protects PHI that is held in electronic form, transmitted by electronic media, or maintained on electronic media. HIPAA compliance data security rules are meant to:
HIPAA and HITECH have compelled organizations to pay attention to data management and security. Even as organizations vigilantly guard patient data and information, they should be aware of the real threats to data security.
Any stored PHI, whether on a desktop, on a server, or in the cloud, should be encrypted. Encryption obscures your data, making it unintelligible to anyone who does not hold the key to decrypt it. With encryption, the data remains protected even after attackers get their hands on it, provided they were not also able to steal the encryption key.
Because the data shared digitally between doctors and their patients can be extremely valuable to enterprising hackers, and any electronic communication is vulnerable to attack, strong encryption for such communication is equally important.
28% of security incidents come from within the organization, and 66% of malicious hacks are acts of social engineering, a method of intrusion that relies on social manipulation. Social engineering can be as simple as somebody walking in to collect your thumb impression for an ostensibly valid reason and thereby gaining access to data. Insider abuse of privileges continues to be one of the primary threats to protected data.
Lax requirements for vetting outside vendors, and for verifying their adherence to security and privacy requirements, create many challenges for data protection.
With personal health information in high demand on the black market, a whole slew of malware has been cropping up that targets the healthcare market specifically. These sophisticated and targeted attacks pose a real challenge to data management.
The computing paradigm has shifted in the past few years, and healthcare has felt the impact. Applications that were once hosted and used in a closed environment have been exposed to the outside world to support the emergence of mobile computing and the Internet of Things. This brings considerable challenges for data transmission, storage, and device security. Old methods of protecting information no longer work, and an overall revamp of policies is a must.
Gone are the days when you could hire someone with only IT experience to manage your infrastructure. Today’s environment is constantly evolving: the digital revolution, a slew of new devices, anywhere access, and bring your own device (BYOD) all require continuous review of IT to validate compliance. An expert with strong exposure to both healthcare and IT becomes a necessity.