Introduction
A patient’s personal information, such as address, phone number, and social security number, may all be included in the record and accessible to some or all healthcare employees. PHR (Personal Health Care Records) are available to many who neither touch nor need access to a patient’s health care information. The volume of, and the breadth of access to, patients’ health care records make them more vulnerable to security breaches, theft, and social engineering attacks. Both hackers and social engineers have successfully found ways to circumvent networked health data systems by simply asking for the information or by finding weaknesses within the system.
Certainly one of the largest threats to a healthcare system’s security may not be outsiders, but rather its own employees. Internal employees can pose the largest threat to the security and privacy of information: they can exploit the trust of their co-workers, and they generally are the individuals who have, or have had, authorized access to the health care organization’s network. As well, they are generally familiar with the internal policies and procedures of the organization. Additionally, internal employees can exploit that knowledge to facilitate attacks and even collude with external attackers (http://www.hhs.gov/news/facts/privacy.html). The HIPAA security standards, as listed below, include management processes, user education and training, and access control:
- Security Management Process [161.308(a)(1)]: Healthcare organizations must show that they have a consistent set of internal processes, with implementation that is widespread and institutionalized. Processes range from establishing criteria for who has access to what and who can request certain resources, to ensuring that access rights are revoked immediately upon employee termination;
- Security Awareness and Training [161.308(a)(5)]: HIPAA requires that staff members be trained and educated concerning the proper handling of PHI. This basic-level security training should include measures such as password management;
- Access Control [161.312(a)]: HIPAA security regulations require a definition of who has access to PHI within the organization, as well as the rules determining an individual’s right of access, and the reasons for denying access to some individuals.
Despite being legal requirements, however, HIPAA standards, like healthcare security policies in general, are not always followed. As an example, according to one report, over “870,000 medical records were exposed in data breaches in just the first quarter of 2013. According to this site, medical data breaches have become a source of chronic pain for healthcare organizations” (http://www.experian.com/blogs/data-breach/2013/05/01/medical-data-breaches-a-source-of-chronic-pain).