As it looks like health care issues are going to be in the news again, I thought this would be a good time to discuss what's happening with health care security. A recent Ponemon survey shows that security breaches continue to be a major problem for the health care industry, with the breaches costing hospitals $12 billion over the past two years.
I was able to do an e-mail interview with Jack Hembrough, CEO of VaporStream, on the topic, and I asked him what the health care industry needs to do to promote better security. His answer:
To promote better security within healthcare organizations, a uniform system for secure messaging needs to be established in conjunction with strictly enforced corporate policies. As more health systems make the transition to electronic health records (EHR), the need to have security measures around the sharing of patient records and who can access them is crucial. Additionally, personal mobile devices, such as tablets and smartphones, are proliferating and permeating the professional arena. As in all businesses, healthcare organizations need to implement corporate policies surrounding personal mobile device use and have a response plan in place should a device be lost or stolen. Access to the EHRs and personally identifiable information (PII) from personal mobile devices should be restricted to specific employees who have been given individual sign-in credentials.
Over the next few years, the ability to protect patients' PII will be a great distinguisher between the various health systems. In order to ensure the security of EMRs and PII, health systems need to adapt to the new and emerging technologies, implementing and enforcing strategic response initiatives and corporate policies.
One of the major issues is the lack of compliance with regulations now in place. Hembrough told me the problem isn't that the health care industry doesn't want to follow regulations, but that technology is moving so fast that it is difficult for organizations to keep up. He said:
Medical professionals, for example, use mobile devices to communicate. Email and texting allow real-time, valuable information exchanges among practitioners. However, using mobile devices isn't always compliant. For example, having a charge nurse send test results to a doctor's mobile email account, so she can provide proper medical care to a patient even when off site, is a potential HIPAA violation. The doctor is trying to do the best job she can, using the tools she uses every day, but sharing patient data over a smartphone is non-compliant unless approved, secure software is used.
Technology exists to allow the delivery of private patient information to the doctor while ensuring compliance, data confidentiality and security. However, these confidential messaging solutions are not yet widely implemented, while mobile email is.