In order to protect information systems and data, a best practice is for organizations to develop and maintain a data security program. Examine the essential elements of a health care information security program and why each element identified is essential. Be sure to examine both technology and human factors.
Columbia, SC, October 30, 2012: “As many as 657,000 S.C. businesses had their tax information stolen in the massive security breach at the state Department of Revenue…” (Shain, A., 2012). In October 2012, “Hackers were able to breach more than 60 Barnes & Noble (BKS) stores, including locations in New York City, Miami, San Diego and Chicago, and obtain credit card information…” (Graziano, D., 2012). Again in October of 2012, a Vermont credit union accidentally threw away two backup tapes, which could affect up to 85,000 individuals (Walker, D., 2012). October of 2012 was a busy month for data breaches. The breaches highlighted above have nothing to do with the health care industry, but as the proliferation of EMRs, EHRs, PHRs, mHealth, wireless technology, electronic claims processing and HIEs continues, HCOs will need to remain vigilant in protecting PHI.
In 2009 Clifton Phua wrote an article on computer fraud and security. In it he noted that 81% of security breaches were from malicious outsiders, 17% from malicious insiders and 2% from unintentional insiders (Phua, C., 2009). This means that anyone housing sensitive data must take measures to lock out those who would want to get into the systems, and to make sure those who have appropriate access do not intentionally or unintentionally disseminate protected information.
There are several ways to assist in ensuring that data will not be breached. The first is on the technology side. These include firewalls, intrusion detectors and robust anti-virus protection (Phua, C., 2009). Firewalls stop intruders from getting into your private network through security rules and other measures. There are two types: software firewalls and hardware firewalls. If by chance someone does get in, an intrusion detector will send alerts so that appropriate measures can be taken. Lastly, anti-virus will stop malicious software from getting onto the network and creating back doors for intruders.
On the human side, HCOs should implement data handling policies (Phua, C., 2009). Some items in such a policy could be:
· Shredding paper and physically destroying hard drives
· Reviewing what data is held, where it is stored and how it is handled
· Background checks on employees
· Auditing employees’ access to data
· Data encryption on laptops and other portable devices, to protect information in the case of theft (Phua, C., 2009)
· Using strong passwords
And the list goes on.
Another check that can be put in place is the use of thin clients. These are machines that access data in a client-server fashion rather than storing it locally. Such machines can also have copy and paste, USB drives and other ways to export data disabled (Phua, C., 2009).
In conclusion, when measures are taken to protect PHI, both the use of technology and ways to recover from human error must be taken into account. Attacks can come from the inside as well as the outside, and breaches can be intentional or unintentional. A wise plan takes all of this into account and sets up a roadmap towards a more secure infrastructure.
References:
Graziano, D. (2012, Oct 24). Hackers steal credit card information from 63 Barnes & Noble stores. Retrieved from http://bgr.com/2012/10/24/barnes-noble-security-breach-credit-card-information/
Phua, C. (2009, Jan 01). Protecting organisations from personal data breaches. Computer Fraud & Security, 2009(1), 13-18. DOI: 10.1016/S1361-3723(09)70011-9
Shain, A. (2012, Nov 01). Data security breach expands to 657,000 S.C. businesses. Retrieved from http://www.mcclatchydc.com/2012/11/01/173313/data-security-breach-expands-to.html
Walker, D. (2012, Oct 26). Vermont credit union discards unencrypted data of 85,000. Retrieved from http://www.scmagazine.com/vermont-credit-union-discards-unencrypted-data-of-85000/article/265522/