Healthcare privacy regulations are getting more stringent, and the industry isn't ready. That's the thumbnail version of a new report by the Deloitte Center for Health Solutions.
"It's a major shift in the scope of where the law applies," says Mark Ford, a Deloitte & Touche principal.
THEFT MORE COMMON THAN LOSS
Given the nature of the personal information healthcare organizations collect, it's no surprise regulators are working to tighten security. That information includes Social Security numbers, insurance identification numbers, payment information and medical provider identification numbers, so data fraud and identity theft represent huge risks. Indeed, breaches involving theft are four times as frequent as breaches involving loss or unauthorized access, the second and third most frequent types of breaches, according to the Deloitte report.
While organizations need to thoroughly assess security risks and put comprehensive policies and procedures in place, Ford says implementing, communicating and enforcing a handful of simple security measures can make a big dent in the problem. He notes that laptops are by far the most common location for security breaches because these devices are easily lost or stolen. Using an encryption program and implementing strong security mechanisms can "help protect people from themselves," Ford says.
A more thorough fix requires stakeholders to assess their current preparedness. Many healthcare organizations are inadequately prepared for privacy and security risks because they lack resources, internal control over patient information or upper management support, according to the report. Others rely on outdated policies and procedures, fail to adhere to current policies or inadequately train their employees.
To stay on the right side of HITECH, Deloitte recommends stakeholders identify and assess their data security risks; develop and implement a security and privacy plan; and communicate organizational expectations and conduct employee training. Finally, organizations must verify that they are conforming to their own policy standards.
"Some of these things are fairly tactical in nature," says Deborah Golden, also a principal. "How do you address a security breach? It may be as simple as gaining a better understanding of your vulnerabilities. The key is sustaining that understanding so you're not constantly in a reactive mode so that you're thinking more strategically and have people and a process in place."
-Shelly Reese