TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


What is your Greatest HIPAA Threat? Employee Negligence is Top Security Threat among Healthcare Providers and Business Associates!

May 13, 2016 by Danika Brinda

We have seen a variety of different issues topping the lists of data breaches in healthcare in 2016.  Some of the issues are: cyber-attacks, ransomware, employee negligence and loss of devices containing health information.  With so many moving pieces within a healthcare organization and the increasing amount of information being stored and maintained by healthcare organizations and third party vendors (Business Associates), the healthcare industry has topped the list of industries most likely to experience a data breach.

The Ponemon Institute recently published the 6th Annual Benchmark Study on Privacy and Security of Healthcare Data.  We often hear about large-scale data breaches and how they impact healthcare organizations, but rarely hear of the small data breaches (under 500 individuals impacted).  The study indicated that 90% of the healthcare organizations within it had been impacted by a data breach and that data breaches have cost the healthcare industry about $6.2 billion.  Most of the participants within the study reported that the data breaches impacting their organizations were small in nature (less than 500 individuals impacted).

Healthcare organizations and business associates have cited employee negligence as the top security threat they worry about, ahead of cyber-attacks and mobile device insecurity.  Inattentive and careless actions of employees create more data breaches and issues for organizations than any other threat.  While cyber-attacks are a huge risk to healthcare organizations, human error such as clicking e-mail links, downloading infected files, and using weak passwords is a common cause of successful cyber-attacks.  Some recent headlines involving employee negligence and data breaches:
  • Oneida Health Center Dental Clinic – Unencrypted flash drive stolen impacting 2,700 individuals
  • Wyoming Medical Center – Employees click on link in phishing scam email impacting 3,100 individuals
  • UnityPoint Health’s Allen Hospital – Employee snooping impacts 1,620 individuals
  • Children’s National Health System – Misconfigured File Transfer Protocol (FTP) server impacts 4,100 individuals
  • Ohio Department of Mental Health and Addiction Services – Satisfaction surveys sent on postcards impacting 59,000 individuals
  • EqualizeRCM Services – Unencrypted laptop stolen with unknown number impacted
  • Akron General Health System – Unencrypted flash drive stolen impacting 975 individuals
  • Vail Valley Medical Center – Employee copies records to bring to new employer impacting 3,100 individuals
As an organization, it is your responsibility to set your employees up for success when it comes to managing the privacy and security of your organization.  It is more than just complying with regulations and writing policies and procedures; it is about creating an environment where privacy and security is a priority for all workforce members of an organization.  Some key steps to help the workforce safeguard and protect patient information:
  • Provide regular and pertinent education and guidance on privacy and security
  • Limit workforce members' access to only what they need to perform their job duties
  • Create clear communication processes for reporting all security concerns and potential data breaches
  • Ensure your workforce knows and understands your policies and procedures for privacy and security of protected health information
  • Require strong passwords to access systems that contain protected health information and change passwords regularly
  • Implement proper safeguards such as encryption to protect data stored on laptops and other portable devices (the unencrypted laptop and flash drive incidents above would not have been reportable breaches had the devices been encrypted)
Establish your practices within your organization and effectively train and manage your staff.  As a healthcare provider or business associate, the organization is responsible for the actions of its workforce.  Not providing your workforce the tools and education for success in protecting the privacy and security of patient information is only going to have negative impacts on your organization and potentially cause a data breach that could cost the organization millions of dollars.  Be proactive, and provide your workforce with tools and processes to be successful.  Your workforce's success depends on the organization behind it.  Create a culture that promotes privacy and security protections!

Resource: Ponemon Institute. May 2016. Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data.  https://www2.idexpertscorp.com/sixth-annual-ponemon-benchmark-study-on-privacy-security-of-healthcare-data-incidents

Filed Under: Business Associates, HIPAA, HIPAA Compliance, Workforce

5 Mistakes in Training the Workforce on Healthcare Privacy and Security

December 10, 2014 by Danika Brinda

The privacy and security policies and procedures are in place and updated, encryption of e-mail and computers is completed, the risk assessment and mitigation plan is close to done, and business associate agreements are in place; it is time to breathe a sigh of relief and feel confident in your HIPAA Compliance Program.  Right?  What else could have been missed?

WRONG!

Many healthcare organizations fail to effectively prepare their workforce members to understand how privacy and security relate to their specific jobs.  Workforce members have proven to be one of the top underlying causes of HIPAA data breaches – both large and small.  Many healthcare organizations train staff once per year and assume that this is enough to give workforce members the information and tools they need to properly understand healthcare privacy and security requirements.  What they don’t know is that they might be falling into one of the 5 top mistakes in managing privacy and security education and training for workforce members.

  1. Timing – education is happening yearly (maybe) or upon hire with no additional education provided. Failing to adequately and consistently train workforce members on privacy and security in healthcare can leave an organization with many vulnerabilities in protecting patient information.
  2. Workforce Members – healthcare organizations misunderstand the definition of workforce members and miss training some of them on healthcare privacy and security requirements. Under HIPAA (45 CFR 160.103), the workforce includes employees, volunteers, trainees, and other persons whose conduct in the performance of work for the organization is under its direct control, whether or not they are paid by it.  When people are left out of training due to misinterpretation of who is part of the workforce, gaps are created in understanding privacy and security in a healthcare organization.
  3. Methods & Information – using the same methodology and information for training year after year can prove ineffective at building the skills and understanding necessary for successfully safeguarding patient information. Re-using the same education materials and methods over and over again is a common practice in healthcare organizations and results in inadequate education and understanding by workforce members.  People learn in different ways, and failing to acknowledge this and build training on a variety of methods can cause some workforce members to never fully grasp the concepts of healthcare privacy and security.
  4. Relevant Data – training focused only on the regulations, and not on how the specific healthcare organization’s technology, policies, and procedures interact with privacy and security compliance, can cause issues. When workforce members do not understand the current practices of an organization and how its technology supports the protection of patient information, the organization creates risks and inconsistencies in the day-to-day practices used to safeguard patient information.
  5. Regular Updates – many organizations do not provide regular updates and information on current compliance issues in healthcare privacy and security outside the regularly scheduled HIPAA training. Out of sight, out of mind – without regular updates on current industry concerns, workforce members will push protection of patient information to the back burner and make careless mistakes, potentially causing a data breach.

Privacy and security education should be more than looking at a computer screen, watching a video, answering a few questions, and printing a completion certificate.  Proper training should take place in a variety of ways such as e-mail reminders, staff meeting discussions, current articles, and question and answer sessions.  Successful training should be interactive, relevant, and memorable to the workforce in order to create understanding and knowledge in the area of healthcare privacy and security.  It is time to start effectively preparing the workforce to help safeguard and protect patient information.  Don’t find your organization making one of the top 5 mistakes when training the workforce on healthcare privacy and security.  Make 2015 the year you create a robust HIPAA Training program that will properly prepare your workforce for success in safeguarding patient information!

Danika

Filed Under: HIPAA, Protected Health Information, Training, Workforce
