Health care providers today increasingly rely on digital and mobile technologies to deliver patient care – sometimes willingly and sometimes under regulatory pressure. With the proliferation of these technologies come new security and privacy challenges.
The benefits of mobility and online access to patient information cut both ways: protected health information (PHI) can be more easily compromised once it is accessible online or made mobile beyond a more secure and stationary environment.
The consequences of a breach of PHI can be severe. Medical identity theft, the fraudulent use of someone’s personal identity to obtain medical services, prescription drugs or devices, is just one potential concern. From 2012 to 2013, medical identity theft increased by 19 percent, with more than 300,000 reported incidents, according to a just-released study from the Ponemon Institute.
Aside from the reputational harm a healthcare entity can suffer – more than 50 percent of patients lose trust in their medical provider after a breach – a patient’s health may be jeopardized if their medical file is corrupted or altered as a result of a breach.
The Office of Civil Rights within the Department of Health and Human Services, which enforces the Privacy and Security rules under the Health Insurance Portability and Accountability Act (HIPAA), states that within the last three and a half years, there have been approximately 80,000 breaches reported.
Now for the good news…protecting PHI and preventing breaches is not rocket science. But as with any effective security solution, it starts with a thorough risk assessment. In the privacy realm, the first step is to conduct a privacy impact assessment or PIA.
A PIA looks at how information is handled throughout an organization. There are several goals of a PIA. The first is to ensure that information is managed in accordance with applicable legal, regulatory and policy requirements regarding privacy.
This first step will help determine the risks associated with collecting, maintaining and disseminating information in an identifiable form in an electronic information system. And now that these information systems may have mobile devices connected to them, what additional risks and mitigation strategies should be considered? Once risks have been identified, organizations can examine and evaluate alternative processes and security solutions to mitigate potential privacy threats.
Stay tuned for our next installment when we will go into more detail about how to conduct a PIA and examine potential solutions. We will also introduce the concept of “privacy by design” and how adhering to its principles can help healthcare providers protect their patients, comply with privacy regulations under HIPAA and protect their reputations by avoiding privacy breaches.
With ASIS International 2013 behind us, I was reflecting on how this year’s event reached a new high for HID Global with the introduction of an exciting and engaging way for customers to interact with our solutions for creating, using and managing secure identities. Throughout the event, our booth was abuzz with virtual market tours, including:
- education and enterprise security administrators wanting to test drive our mobile access, secure issuance and other solutions;
- hospital security directors checking out the latest secure identity solutions for healthcare facilities;
- banking IT administrators and security teams in the finance space seeking tailored solutions for access control and online banking security; and
- government security directors looking for more information on how to PIV-enable their access control systems (without having to “rip and replace” their existing infrastructures) using our expanded pivCLASS Government Solutions portfolio.
At the show, we also launched our new iCLASS SE Encoder that was selected as a winner in the 2013 ASIS Accolades Security’s Best competition. As a key highlight of our migration focus during ASIS and a core enabling component of our iCLASS SE platform, the multi-technology iCLASS SE Encoder empowers customers to personalize credentials and manage encryption keys locally, on demand.
Moderated by HID Global president and CEO Denis Hébert, our educational “lunch and learn” took a deeper dive into the issues and success stories around migration from the perspective of representatives from AIG, Academy Of Art University and Houston Methodist Hospital. During the luncheon, these leading organizations walked through how they are working with HID Global to significantly improve their access control infrastructure and position themselves for emerging technologies such as mobile credentials on smartphones.
There's much more to share regarding our ASIS educational lunch and learn this year, so make sure to stay tuned for further details that are coming soon.
In the meantime, I would like to thank everyone who attended ASIS. Our events are only as successful as the number of customers and partners we have the opportunity to spend time with to understand how we can continually enhance our secure identity solutions to meet the needs of our customers.