I recently had an opportunity to speak with industry experts and hospital CIOs on the challenges faced by hospitals in securing patient data against breaches. To be sure, there have been a number of highly publicized data breaches involving health providers over the last few months. Some potential security gaps are the result of new technological trends—such as the wave of smart phones and other mobile devices—while others are of a decidedly low-tech variety.
One of the most egregious—and low-tech—incidents occurred last month when a reporter from the Boston Globe discovered paper patient records from four Boston-area community hospitals in a pile at a public dump. Those records included results of laboratory tests, together with patients’ names, addresses and social security numbers. The records were alleged to have been discarded by a local billing company used by the hospitals.
To me, the incident demonstrated that not all breaches can be prevented by secure passwords and firewalls, although those are certainly crucial as hospitals move toward electronic health records. But it’s important to keep in mind that there is really no alternative to thoroughly vetting the outside vendors on which health providers depend for a variety of services.
I recently asked Mac McMillan, who is chair of the HIMSS Privacy and Security Steering Committee, as well as CEO of CynergisTek, Inc., about his biggest concerns over healthcare data security. High on his list is vendor management, by which he means “having a good handle on the security capabilities and precautions of the people you do business with.”
He maintains that it is the responsibility of health providers to do a thorough evaluation of third-party vendors that will have access to a hospital’s protected health information. When evaluating vendors, McMillan says healthcare providers need to ask questions about a potential vendor’s security procedures, put their expectations in a contract, and lay out specific requirements that the vendor must meet in order to do business together.
I think that is common sense, and it is good advice for hospitals looking to guard against all types of security breaches, whether they are sophisticated threats against electronic health records or sloppy handling of paper records. Vendors and hospitals share responsibility for protecting against security breaches, McMillan notes. But it is the hospital’s reputation that suffers when breaches occur.