When Your Security isn’t Secure Enough

Securely protect patients' PHI

Most people can relate to the feeling—you know the one. You pat your pocket or look in your purse and you can’t find your wallet. Panic rushes from your heart and makes a beeline for your brain where the alarm bell begins to sound and you start to sweat.

Ask yourself this: do you have that same reaction when asked to recite your personal health information? What about when you are at your neighborhood pharmacy and they ask for your name, date of birth and address? Do you panic then? You should.

Reuters recently reported that cyber criminals are not targeting credit card information as in years past. PHI is proving to be far more valuable, at 20 times the value of a U.S. credit card. Furthermore, in the hacker world, hospitals are infamous for having low security. With cyber-attacks in the healthcare industry more than doubling in the last five years, are we giving criminals what they want?

The laws require all organizations to be compliant and protect consumers’ personal information. Are you aware of your security protocols? What procedures are in place if you purchase a new phone or lose your current one? How about that copy machine that your office rented and then replaced – did you know that it has a hard drive that needs to be wiped?

Recently at an industry show, I lost count of the number of people who said their training budget was cut or their CFO didn’t want to spend the money for a risk assessment or security awareness training, and that their IT people were taking a look-see. That may seem like a good idea in theory, but this isn’t your grandma’s organization; the times they are a-changing. For every sophisticated device there are 100 even more sophisticated cyber criminals waiting to pounce.

About 81 percent of physicians use their own personal mobile devices to communicate with patients.

In 2014, 56% of breaches came from an employee’s unauthorized access to patient data, HIMSS Analytics recently reported. This means more than half of today’s breaches happen in your own office! Remind me not to be seen there.

In 2014 US companies paid the most for security breaches at roughly $195 per record. I do not claim to be a math major, but this seems far more costly than what could have been spent on training and staff education. This number doesn’t take into account the victims who also launched civil suits against the organizations who committed the breach and we are now seeing an influx of negligence lawsuits as well.

Those numbers are horrific, but shouldn’t overshadow this simple phrase: “First do no harm.” This doesn’t mean just when the patient is in your care, but from intake to discharge and while their PHI is in your system, it is your responsibility to protect them from all types of harm.