
To boost information security, train employees, test controls

By: Steve Lineberry, CISA, CISM, NSA-IAM, IEM

"Patients' personal data posted on web site" – Pittsburgh Post-Gazette

"Hackers nab Indiana healthcare workers' personal data" – Chicago Tribune

"Pennsylvania hospitals worry about medical identity theft" – Johnstown Tribune-Democrat

These are only a few of the headlines that have appeared in newspapers nationwide recently. With dependence on technology increasing and security threats escalating, healthcare companies must take added measures to protect their patients' and employees' private information from falling into the wrong hands.

Information security executives in the healthcare industry lead their peers in feeling the pressures of trying to keep pace with security risks in their organizations, according to a survey conducted by The Executive Alliance and Courion Corporation.

Survey respondents consisted of information security executives representing a wide variety of companies. "Today's information security executives are not only having a tough time taking a proactive stance, but are struggling to keep pace with the increasing risks to their organizations," researchers state in the executive summary.

Technological advances can aid companies in thwarting potential security breaches; however, hackers and other technology-savvy individuals are constantly creating new methods of obtaining valuable information. And unfortunately, company employees often make it easy.

The people priority

Businesses often fight threats to information security with more technology, but information security experts agree a crucial part of maintaining a secure environment lies in a company's people. When asked in the survey which information security issues they would address if budget and resources were not a factor, 34 percent chose "more staff" while 29 percent chose "more technology." While automated programs and tools are a step in the right direction when it comes to enhancing security, they are not enough. Even the most high-tech security devices cannot compensate for security lapses, often made quite innocently, by untrained people.

Many companies distribute handbooks detailing security policies to their employees, but fail to spend adequate time and resources to ensure employees understand and comply with these policies. The FBI Computer Crime and Security Survey stated 10 out of the 15 various business sectors, consisting of 483 respondents, do not believe that their organization invests enough in security awareness. According to the respondents, security awareness training appears to be a prime area for additional funding.

More than compliance

"Healthcare industries are almost split down the middle on whether they believe information security is perceived as a strategic asset or necessary evil," noted researchers of the Executive Alliance and Courion Corporation survey. Twenty-two percent of respondents reported their top priorities in information security are compliance and regulatory issues.

Although information security is regulated for healthcare companies by the Health Insurance Portability and Accountability Act (HIPAA), 20 percent of healthcare companies were "unable or unwilling to implement federal privacy requirements", according to a survey done by Phoenix Health Systems and Healthcare Information and Management Systems Society. Budgeting issues were reported to be one of the top reasons why companies could not or did not comply.

In contrast, the FBI/CSI Computer Crime and Security Survey's 313 respondents reported $10,617,000 in losses due to unauthorized access to information alone. Millions were also lost in areas such as theft of proprietary information and phishing. Companies lose more than money when security risks are exploited; they also lose their reputation. Highly publicized events have driven attention to the impact of information security on a company's brand and reputation at all levels of the business. The cost of implementing information security tactics is undoubtedly much less than the cost of repairing damages from a security failure.

Not only can securing information save time and money, it can serve a company as a strategic asset. Information security can and should be positioned as a business enabler by facilitating superior information security and privacy practices. Building a reputation for prioritizing information security can strengthen patient trust and loyalty. Companies that prioritize superior information security can expect a competitive advantage as well as reap market benefits.

As healthcare companies increasingly rely on technology for information storage and retrieval, they must increase their efforts to heighten security. Good business sense dictates that you take steps to mitigate security risk and strive to protect the company's patients, employees and reputation.

Information security is definitely an area where external testing is prudent. Few small to mid-sized companies have trained IS auditors in house, and even those that do may be too close to the situation to diagnose problems. External and internal penetration tests conducted by a third-party provider can help to pinpoint areas of weakness.

Likewise, employee training is one of the most cost-effective measures a company can implement to strengthen information security controls. Once employees know what to watch for and how to react, they can be your first line of defense in protecting your company's information assets.

Steve Lineberry is a certified information systems auditor (CISA) and a certified information security manager (CISM) with KraftCPAs PLLC. He may be reached via email at slineberry@kraftcpas.com.

This article, which was originally published in the October 2007 issue of Nashville Medical News, was reprinted with permission.
