Insider Threats: A Mitigation Strategy
Expert Advice on Safeguarding Records"The access to protected health information is getting easier and easier," says Davidson, CEO of Health Informatics Consulting. So it's urgent that organizations of all sizes improve workforce training on appropriate access to electronic health records and other aspects of maintaining patient privacy, she stresses. Plus, hospitals, clinics, insurers and others need to stress the sanctions they'll impose for inappropriately accessing patient information, she adds.
"Internal compliance is one area that's not looked at as closely as others" when it comes to the privacy and security of patient data, she says in an interview with Information Security Media Group.
Organizations need to go beyond initial HIPAA compliance training and send out "constant reminders" to the workforce, she says. And she also calls for working toward building a corporate culture where all staff members know they can feel comfortable reporting insider threats or other potential breaches. She describes a client who has "a secure line internally" for staff to report non-compliance issues.
In the interview, Davidson also discusses:
- Mistakes that covered entities and business associates often make in their HIPAA compliance efforts, including over-reliance on software vendors;
- Why a comprehensive security risk assessment is a fundamental step;
- Advice for complying with the HIPAA Omnibus Rule's breach notification provisions.
Davidson has more than 20 years of experience working with the healthcare, software development and compliance issues. The consultant is also a governor-appointed member of the New Jersey State HIT Commission and co-chairs its Privacy and Security Policy Subcommittee.