The Security Scrutinizer with Howard Anderson

Breach Prevention in the Spotlight Zero Tolerance for Records Snoops and Other Prevention Tips

Allina Hospitals and Clinics took the gutsy move of firing 32 employees for looking at the electronic health records of patients involved in a recent mass drug overdose case (see: Allina Fires 32 for Records Snooping).

Allina spokesman David Kanihan stresses that the delivery system has consistently enforced its privacy policy by dismissing those who access records without a legitimate reason. "But this is larger in scope than other incidents we've had in the past," he says.

Raising the security awareness of your workforce is your best defense against having a breach incident. 

"We take our obligation to protect patient privacy very seriously," according to an Allina statement. "Anything short of a zero-tolerance approach to this issue would be inadequate."

Breach Prevention Tips

Zero tolerance for records snooping certainly is a powerful, high-profile breach deterrent. But what other steps should healthcare organizations take to prevent various types of breaches?

"Raising the security awareness of your workforce is your best defense against having a breach incident," says David Holtzman, who's on the federal team that enforces the HITECH Act breach notification rule (see: Breach Rule Enforcer Offers Advice).

Holtzman, health information privacy specialist at the Department of Health and Human Services' Office for Civil Rights, says organizations that successfully create a culture of compliance and promote good data stewardship will "be at lower risk of having a breach or having your data sitting on a laptop that's unprotected in the airport or in somebody's car while it's parked at the grocery store."

He also contends that "Those organizations that have good foundations of policies and procedures respond better to incidents."

Based on the breach incidents reported so far, Holtzman also advises healthcare organizations to:

  • Make widespread use of encryption, especially for data stored on various devices, including laptops.
  • "Do not neglect physical safeguards for areas where paper records are stored and used."
  • Consider reducing risk by using network or enterprise storage rather than storing protected health information on devices, such as laptops or desktops.
  • "Create clear and well-documented administrative and physical safeguards for storage devices and removable media" that are used to store protected health information.

Healthcare organizations must comply with the interim final version of the HITECH Act breach notification rule until the final version is issued, federal officials stress. This week, Susan McAndrew, deputy director for health information privacy at the HHS Office for Civil Rights, said the final version will be released later this year as part of an omnibus rulemaking package, which also will include final modifications to HIPAA (See: HITECH Mandated Regs Still in Works).

It remains to be seen whether the final version of the breach notification rule will modify, clarify or eliminate the harm standard, which enables organizations to conduct a risk assessment to determine whether a breach incident represents a significant risk of harm and thus merits reporting. Some members of Congress would like to see the provision eliminated in favor of requiring that all breaches be reported. We're hoping the final version of the rule, at the very least, greatly clarifies the "risk of harm" provision.

Fraud in the News

Meanwhile, yet another headline-grabbing breach incident outside of healthcare is calling more attention to security vulnerabilities and fraud threats.

As reported on our sister site, BankInfoSecurity.com, arts and crafts supply retailer Michaels Stores reports that customers at nearly 90 stores in 20 states were hit in a scheme (see: Michaels Breach Bigger Than Reported). Investigators believe legitimate point-of-sale terminals used for debit and credit card transactions may have been swapped out for devices that skim and collect card details. This enabled the thieves to gather debit card information and make withdrawals from victims' accounts.

Stolen healthcare records and medical identities may be even more valuable to the bad guys than stolen credit or debit card information, because the medical information can pave the way for free healthcare. Has your organization taken the necessary steps to prevent fraud?



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network