How to Prevent Breaches
Sound strategy starts with the audit
"All organizations need to conduct a comprehensive security audit, assessing such questions as 'where is our data, how does it flow and how is it protected?'" says Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, Chicago.
Recent breaches--whether they involve the thefts of hard drives or laptops, the mistaken release of personal information via Google searches, the mailing of insurance documents containing personal identifiers or the mistaken display of Social Security numbers on envelopes--all point to the need for developing a comprehensive data security strategy that pinpoints weak spots, Gallagher says.
Lack of progress
The HIMSS security specialist laments that despite the enactment of the HIPAA privacy and security rules and the HITECH Act, which beefs up those rules as well as enforcement, many healthcare organizations have made little progress in protecting information during the past decade.
"It's amazing to me that organizations can't get to the point where they understand what their business is in relation to the data that they hold," she says. "It's not just a security risk that's involved; it's a business risk."
Paying the price
BlueCross and BlueShield of Tennessee deserves credit for pointing out that it has spent $7 million so far dealing with the aftermath of the theft of 57 hard drives from a call center, Gallagher says.
"This helps the industry understand, aside from compliance, that security is really and truly a business risk and they need to pay attention to it," she adds.
The role of encryption
Other recent incidents involving the theft of laptops point out the need to carefully consider whether to place patients' information on the devices in the first place, Gallagher says. "But if, for some reason, it's absolutely necessary to have the information on the device, then you've got to be protecting it with encryption."
Information stored on servers within data centers doesn't necessarily have to be encrypted if the organization uses adequate physical security measures, she adds. But if physical security is lacking, encryption is essential, she contends. "You've got to have one or the other."
Gallagher will be one of the featured speakers at an all-day security workshop Feb. 28 at the HIMSS Convention in Atlanta.