
    How can an organization protect against Patient Identity Theft?

    I was recently asked what could be done from a leadership perspective to help the organization protect against patient identity theft. The simple answer is to endorse and promote the organization's security program. What I find all too often is that many healthcare organizations don't really have a robust security program.

    I continue to be amazed at how many organizations do not have the HIPAA/HITECH-mandated security program in place, or have one that is woefully inadequate and exists only because it is required. What many organizations don't appreciate is that this is a simple and relatively inexpensive tool that can help improve overall security across the organization as well as protect patient identities. Believe it or not, the HIPAA Security Rule is a good foundation on which to base your enterprise security policy. It is required anyway, it is backed by NIST standards, and, surprise: it will actually improve your overall security.

    The key component of a good security program is a risk management plan. This plan identifies vulnerabilities and threats and develops the mitigation strategies. A good risk assessment will reveal that the most likely scenario for an identity theft is a member of the healthcare staff who has access to PHI. The mitigation is an aggressive workforce clearance policy (think background checks), which is, by the way, an addressable HIPAA Security Rule requirement.

    The second key component, which I consider equally important, is a good security awareness training program. One truth that any leader should realize is that even though your people are great and no one would wittingly compromise patient data, they are the single most likely and most vulnerable target a hacker has.

    The most exploited threat vectors of today, such as the APT (advanced persistent threat), start with a targeted phishing (a.k.a. spear phishing) attack geared at getting an employee to click on a link to a malware-infested web page. A good security awareness and training program is a cheap and effective way to ensure your people are adequately trained and mindful of situations that could result in an identity theft or a larger information breach.

    Keep in mind that it would be EXTREMELY difficult to prove that an identity theft occurred because of a breach at the healthcare facility. That is, until the thief is caught and turns out to be an employee of your healthcare facility. They used your systems to access that information, so you are liable. So, what's the plan? Are you ready to follow the breach notification provisions of HITECH and the Omnibus Final Rule? If yes, then consider yourselves ahead of the curve. If not, why not?

    So maybe your organization doesn't have the resources, the time or upper-management support, but you realize this is important. This is where outside expertise can help build the business case, get the backing and provide the resources to implement the program.

    by Alan Baldwin
