Information theft doesn't have to keep CIOs awake at night
SEATTLE—If a hospital enacts a proactive plan, the executives at that institution can be less concerned about the potential threat that identity theft and data breach currently pose, according to George H. Bowers, MBA, from the Health Care Information Consultants, who spoke last week at the Society of Imaging Informatics in Medicine (SIIM) annual meeting.

“Information theft is becoming more common dealing with clinical information in healthcare institutions,” Bowers said. He reviewed the recent headlines, including the NHLBI stolen laptop and the UCLA celebrity snooping, noting that such breaches have been occurring with disconcerting frequency.

Bowers summarized that whenever this happens, it presents “fairly nightmarish scenarios for the hospital,” which could potentially end up in the press. The exposed patients’ lives could be ruined. It is embarrassing for the hospital and exposes the institution to financial risk. Finally, the hospital runs the risk of breaking HIPAA guidelines and can be subject to monetary penalties.

The two HIPAA rules that apply are:
  • the Privacy Rule, established in April 2003, which defines what constitutes protected health information (PHI); and
  • the Security Rule, established in April 2005, which establishes organizations’ fiduciary responsibility for the safekeeping of PHI.
Bowers cited this quote regarding obligations of HIPAA: “Covered entities [hospitals, doctor’s offices, etc.] must maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of their electronic protected health information against any reasonably anticipated risk.”

This summarization of HIPAA leaves a great deal of room for interpretation, Bowers noted.
Hospitals are at serious risk of information theft, including theft of portable devices holding PHI, such as laptops, PDAs, keychain disc drives and smart phones. He said that CIOs also should be conscious of malicious intent on the part of employees and outsiders. Sometimes in a hospital, “if it’s not bolted down, it could develop legs and walk down,” Bowers said.

To prevent such acts of theft, Bowers said that the institution should take a series of actionable steps, including:
1. Be prepared with an action plan, and treat information theft not as an “if” event but a “when” event. This includes developing an information security disaster plan, testing it, and knowing whom to call if something goes wrong.

2. Understand where sensitive data are being stored and take action to protect them, including maintaining sensitive data in a centralized database with restricted access and eliminating local copies of sensitive data.

3. Evaluate physical security, which may include locking down portable devices and keeping sensitive data away from high-traffic areas. Bowers noted the value of security cameras.

4. Keep policies and procedures up to date and reinforce them with staff, which requires consistent education of staff.

5. Ensure data surveillance systems are adequate and are actually used, which includes monitoring for unauthorized or suspicious access.

Bowers concluded by stressing that “it’s important to be proactive and make an actionable plan. Don’t wait for a theft to begin making a plan.”