"Those who do not learn history are doomed to repeat it." And we're not talking about grade school. Having a bit of perspective on the flubs and flops experienced by other businesses can help you create a strategy for avoiding those same mistakes.
The Department of Health and Human Services Office for Civil Rights (OCR) has published “Lessons Learned” from data breach reports for 2011 and 2012, and this bit of history is eye-opening.
The report revealed three leading causes for data breaches:
Theft — Someone manages to get their hands on an electronic device, such as a laptop or an iPhone, or on papers containing protected health information (PHI)
Unauthorized access — An unsecured network or facility leaves a big opening for unscrupulous types
Loss — A careless employee loses a thumb drive or a paper folder containing PHI
Incidentally, hacking and incidents of tampering or infiltration network servers and equipment resulted in fewer reports than these three categories, but it affected the largest numbers of individuals overall.
HIPAA security issues can have a high cost in more ways than one. They can damage your facility’s reputation, for starts. But for bottom-line thinkers, these issues can result in millions of settlement dollars.
According to the report, here's what you should focus on:
Risk Analysis and Risk Management —Monitoring and auditing should be ongoing
Security Evaluation — Test early and test often
Security and Control of Portable Electronic Devices — PHI should be stored and transported on electronic devices that properly safeguarded through encryption
Proper disposal of PHI in all forms — Be certain that electronic devices are wiped clean, papers are cross-cut shredded, etc.
Physical Access Controls — You should always know — and control — who has access to what
Training- — Employees must be continuously trained regarding privacy and security policies and procedures
How does your facility stack up? How are you mitigating IT security risks?