Magazine
Intelligence Unit Special Reports Special Events Subscribe Sponsored Departments Follow Us

Twitter Facebook LinkedIn RSS

Dealing with Data Breaches

Greg Freeman for HealthLeaders Media, January 23, 2012
Are you a health leader?
Qualify for a free subscription to HealthLeaders magazine.

"We have a two-strike policy. The first time they get counseled and trained again in the HIPAA regulations, and they have to sign a statement that they understand the privacy protections," Moroses says. "The second time can lead to termination."

Continuum hasn't had to terminate anyone yet for violating HIPAA privacy rules, he says, because staff clearly understand not only that complying with HIPAA is the right thing to do, but also that their employer is monitoring them closely. The health system also was an early adopter of data loss-prevention technology, a set of information security tools that is intended to stop users from sending sensitive or critical information outside of the corporate network.

"It looks at every frame going in and out of the Internet and searches for a combination of PHI—Social Security number, address, ZIP code, name—and will flag it with a report saying this looks like PHI,  and then you can investigate what happened," Moroses says.

The beauty of a DLP system is that it shows you what actually happens with PHI, which might not be what your tech professionals expected. The tech experts may think they have plugged every potential hole in the system, every way that PHI could leave without authorization, but DLP will reveal that the information is still leaking out and allow you to trace the origin, Moroses says.

Other technological defenses include encrypting all mobile devices and ensuring that the computer system clears the cache after PHI is viewed, Moroses says. As mobile devices use more and more applications for data transfer and storage, providers face a constant challenge to keep defensive technology up to date, he says. The biggest fear these days is the loss of mobile devices, Moroses says. "It's not some criminal hacking into your system; it's somebody leaving a laptop on the train or the bus."

Continuum uses whole disk encryption on its laptops with PHI, but all the technological solutions rely on a culture that respects privacy, Moroses says.

"It's not a lot of money or something you can't afford," Moroses says. "It really comes down to discipline and a dialogue with the clinical community."


This article appears in the January 2012 issue of HealthLeaders magazine.


Greg Freeman is a contributing writer for HealthLeaders Media.

1 | 2 | 3 | 4 | 5

Comments are moderated. Please be patient.

1 comments on "Dealing with Data Breaches"


Stephen Dailey (1/18/2012 at 12:16 PM)
David: One component of Data Breeches that you did not comment upon is those breaches that do not occur at the provider faciilty and staff level. As a consultant for the Blue Cross and Blue Shield Association in 1994 and 1995 it was routine to access and use Hillary Clinton's Health Insurance Records to introduce staff to the National Accounts Claim System. I recall what I was shown in her insurance claims but will not share it. I was horrified. If health professionals have difficulty keeping their mouths shut and maintaining confidentiality, imagine the mountain 3rd party insurance payors must climb with simple claims examiners looking at records. Sure there are by now changes in policy in place but just imagine. Stephen Giles Dailey, FACHE 3729 Rhetts Landing Belleville, IL 62221