A quick Internet search reveals hundreds of cases in which laptops and computers containing sensitive patient information were stolen from hospitals or health plans. Even though hospitals and health plans cannot always prevent criminals from stealing these devices, senior leaders should have multiple safeguards in place to protect patient information.

Douglas J. Borg, MHA, CPHRM
Director of Insurance
Duke University Health System
Durham, N.C.

Protecting patient data requires a multi-layered approach. Critical components and servers that house sensitive data should be maintained in secure areas that are strictly monitored and controlled. Workstations, interfaced systems, wireless devices and peripherals should also be in secure environments. You wouldn't want a printer that produces reports of lab values in an area that could be accessed by nonemployees, for example. All users should have unique IDs and be required to use strong passwords. Audit logs should be in place to track access and changes to the data. Users should be trained on matters of privacy, confidentiality and accountability for their actions. The system should also have a security plan that addresses network firewalls, data backups, interfacing with other systems, contingency plans for planned and unplanned downtime, and timely installation of security updates and virus protection.

Thomas A. Young
Vice President, Chief Privacy and Security Officer
Aetna Inc.
Hartford, Conn.

Data security must be a high priority for a senior management team. Security programs should include a formal security management process that has a regular risk assessment and written IT security policies. The process should also have regular employee training, physical security such as access to facilities and separate access controls governing data centers, controls that limit entry to confidential data based on need to know, adequate security encryption for data, and business continuity planning.
Organizations should develop and periodically review plans for dealing with a data security issue. Do not wait for a crisis. There will be pressure for rapid resolution, but accurate analysis and notification are equally important. You need to be able to rely on a solid plan that has been tested, maps out all essential steps, and assigns roles and responsibilities to specific individuals.

-Carrie Vaughan