How to Prevent Breaches

Sound strategy starts with the audit
Recent healthcare data breach incidents are an important reminder of the value of security audits, a security specialist stresses.

"All organizations need to conduct a comprehensive security audit, assessing such questions as 'where is our data, how does it flow and how is it protected?'" says Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, Chicago.

Recent breaches--whether they involve the thefts of hard drives or laptops, the mistaken release of personal information via Google searches, the mailing of insurance documents containing personal identifiers or the mistaken display of Social Security numbers on envelopes--all point to the need for developing a comprehensive data security strategy that pinpoints weak spots, Gallagher says.

Lack of progress

The HIMSS security specialist laments that despite the enactment of the HIPAA privacy and security rules and the HITECH Act, which beefs up those rules as well as enforcement, many healthcare organizations have made little progress in protecting information during the past decade.

"It's amazing to me that organizations can't get to the point where they understand what their business is in relation to the data that they hold," she says. "It's not just a security risk that's involved; it's a business risk."

Paying the price

BlueCross and BlueShield of Tennessee deserves credit for pointing out that it has spent $7 million so far dealing with the aftermath of the theft of 57 hard drives from a call center, Gallagher says.

"This helps the industry understand, aside from compliance, that security is really and truly a business risk and they need to pay attention to it," she adds.

The role of encryption

Other recent incidents involving the theft of laptops point out the need to carefully consider whether to place patients' information on the devices in the first place, Gallagher says. "But if, for some reason, it's absolutely necessary to have the information on the device, then you've got to be protecting it with encryption."

Information stored on servers within data centers doesn't necessarily have to be encrypted if the organization uses adequate physical security measures, she adds. But if physical security is lacking, encryption is essential, she contends. "You've got to have one or the other."

Workshop planned

Gallagher will be one of the featured speakers at an all-day security workshop Feb. 28 at the HIMSS Convention in Atlanta.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.