Imagine the plight of the affected employees. Just about all their confidential banking, legal and medical data has been compromised. They are susceptible to potential financial losses as well as social ramifications if their sensitive health information is made public. Sony Pictures on their part is in a whole boatload of legal, financial and regulatory trouble. The data breach costs will run in the millions of dollars. This scenario can easily unfold in a healthcare organization, given that many of them do not have adequate security measures in place to protect sensitive patient data, employee data and business data.
Employees need to feel secure that their employer is taking appropriate and reasonable measures to protect their confidential data. What can healthcare organizations do to instill that sense of confidence in their employees, clients and business partners?
As with any business strategy or philosophy, it always starts at the top. The CEO and the senior management team need to make data security a business priority and commit to a culture of data security in their organization. It is not what they say but what they do that matters. Understanding where security vulnerabilities exist within their computer systems and their network through a comprehensive risk analysis is a great start. Appropriate access and audit controls for authorizing and monitoring ePHI access need to be implemented, regularly reviewed and updated as required. The data security policy has to be clearly spelled out and documented. It must be reinforced through regular security and HIPAA compliance training and appropriate sanctions for non-compliant behavior.
Senior management should also encourage employees to report any potential data breach scenarios to upper management. Employees should be able to do this anonymously if they so choose. Many former SPE employees have stated that they aren't surprised by the data breach at all, knowing the data security situation at SPE. Many employees had brought their data security concerns to management, but nothing significant was done to address those concerns. This kind of management attitude needs to change.
Investment in data security is routinely looked upon as an expense, as it does not directly add to the bottom line. The importance of data security measures is only apparent after a data breach. As medical records become increasingly electronic, the threat of a data breach also increases exponentially. It is a matter of when, not if. The fact that most healthcare organizations, including physician practices and dental offices, do not have adequate security measures in place makes them easy and attractive targets for cybercriminals. Even a small physician or dental office is a treasure trove of personal information that can be exploited by criminals, resulting in disastrous consequences for the practice and its patients. Hopefully the recent Sony data breach and others at Target and Home Depot will serve as a wakeup call for senior management in healthcare organizations to make data security and HIPAA compliance a business priority.