The biggest risks to your organization aren’t technical but on the people side, said Chris Apgar, president and CEO of privacy and security compliance firm Apgar and Associates, speaking during a webinar on data protection presented by DataMotion.
Risk assessment is a HIPAA requirement and good practice. Risk management also is not a one-time event, he said. “Proper risk management needs to be baked in.”
Meanwhile, Apgar pointed out that the Office for Civil Rights (OCR) regards encryption as a reasonable safeguard and therefore expects organizations to use it.
Aside from working on compliance risks, healthcare organizations also need to look for security holes, he advised. “You may be following the requirements but that doesn’t mean you’re addressing all the risks.”
Organizations also should know where their data are and where they are going. “Don’t assume you know where your data is.” He said his firm worked with a large clinic that said there was no protected health information (PHI) stored on desktops in their environment. “We ran a scan and found PHI stored on 75 percent of their desktops.”
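The desktop scan Apgar describes is the kind of check an organization can run itself before assuming it knows where PHI lives. The script below is an added illustration, not the tool Apgar's firm used: it walks a directory tree, reads text-like files, and counts matches for a few constructed identifier patterns (SSN, medical record number, date of birth), then reports what fraction of files contained at least one. The patterns, file-type list and sample files are assumptions for the demonstration; a production discovery scan would cover the full set of HIPAA identifiers, validate matches, and handle office and PDF formats.

```python
"""Minimal PHI discovery scan over a directory tree (added example, not from the webinar)."""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Illustrative identifier patterns. These are assumptions for the example;
# a real scan needs the full list of HIPAA identifiers plus validation logic.
PATTERNS = {
    # US SSN with the invalid area/group/serial ranges excluded.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Medical record number written as "MRN 12345678" or "MRN: 1234567".
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    # Date of birth labelled in the text, e.g. "DOB: 04/12/1970".
    "dob": re.compile(r"\b(?:DOB|Date of Birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Only plain-text formats are read here; binaries and office documents are skipped.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".htm", ".html", ".xml", ".json", ".md"}
MAX_BYTES = 5 * 1024 * 1024  # skip very large files to keep the scan cheap


def find_identifiers(text):
    """Return {pattern_name: match_count} for every pattern that matched."""
    hits = {}
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def scan_file(path):
    """Read one file if it looks like text and return its identifier hits."""
    path = Path(path)
    if path.suffix.lower() not in TEXT_EXTENSIONS:
        return {}
    try:
        if path.stat().st_size > MAX_BYTES:
            return {}
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return {}
    return find_identifiers(text)


def scan_tree(root):
    """Walk root and return (findings keyed by relative path, number of files seen)."""
    root = Path(root)
    findings = {}
    files_seen = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            files_seen += 1
            full = Path(dirpath) / name
            hits = scan_file(full)
            if hits:
                findings[full.relative_to(root).as_posix()] = hits
    return findings, files_seen


def percent_with_phi(findings, files_seen):
    """Share of scanned files that contained at least one identifier, as a percentage."""
    if not files_seen:
        return 0.0
    return round(100.0 * len(findings) / files_seen, 1)


# Constructed sample files standing in for what a desktop scan might encounter.
SAMPLE_FILES = {
    "billing/patient_export.csv": b"name,mrn,ssn\nJane Doe,MRN 00123456,123-45-6789\n",
    "notes/visit.txt": b"Visit note\nPatient DOB: 04/12/1970\nMRN: 7654321\nComplains of headache.\n",
    "it/readme.md": b"Install notes for the imaging workstation. Last updated 2015.\n",
    "archive/old.bin": b"\x00\x01\x02\x03PK\x05\x06 binary payload, skipped by extension",
}


def demo():
    """Write the constructed samples to a temp dir, scan it, and clean up."""
    root = Path(tempfile.mkdtemp(prefix="phi_scan_demo_"))
    try:
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        findings, files_seen = scan_tree(root)
        return {
            "findings": findings,
            "files_seen": files_seen,
            "percent_with_phi": percent_with_phi(findings, files_seen),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for rel_path, hits in sorted(result["findings"].items()):
        print(f"{rel_path}: {hits}")
    print(f"{result['percent_with_phi']}% of {result['files_seen']} files contained identifiers")
```

Run against a real file share or desktop image, the interesting output is not the match counts but the list of locations nobody expected: exports in Downloads folders, CSVs attached to old tickets, spreadsheets on shared drives. Treat every hit as a lead to verify by hand, since regex matching alone produces false positives.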
Apgar suggested providers begin with mobile devices, because mobile devices and portable media are among the highest risks for healthcare organizations today. With minimal tools available to protect the data, having patient information on someone’s personal device creates a huge risk, he said. And that risk is more than just regulatory—it’s a risk to your organization’s reputation, risk of lost business, risk of legal action and risk of a visit from the OCR.
Whether to encrypt everything depends on where the data are and where they are moving to. “If data are stored in a secure data center, they do not need encryption. You have to balance your business needs with risk.”
While many think the costs of compliance and risk management are high, it’s actually pretty nominal, said Andy Nieto, health IT strategist for DataMotion.
Considering 29 percent of data breaches are caused by accidental disclosure, organizations should look for opportunities to increase security and efficiency, he said. “Replace faxes with Direct messaging; replace couriers with encrypted emails. Get actionable data, not a picture of the data.”
Protecting PHI is not the end goal, he said. “Protecting information, efficient information flow and getting actionable information is the goal.” He also noted that organizations can benefit in many processes. “Encrypted email can save time and money throughout the invoicing and collections process.”
Nieto noted that 96 percent of physicians use a smartphone as their primary device to support clinical communications. Because it is so accepted in our society, “you must have policies that protect your data. Mobile devices are probably the No. 1 risk in 2015.” A BYOD policy is a must, he said, as is encryption of data in motion because of the number of providers texting.
Apgar added that organizations have to bear in mind ease of use and efficient workflow. “If it’s not easy, it won’t get used,” he said. He also advised that organizations use tools that are a good fit for their particular work environment. Look for solutions that fit the budget, secure data transfer points and will actually be used.
“Training is crucial,” he warned. If employees don’t know how to use the tools or even know they are available, “it won’t happen.” Use also needs to be enforced. Implement proper, realistic sanctions.