Are your health records at risk? New research by software security firm IS Decisions found reasons to worry. It reports that concurrent logins, manual logoffs, password sharing and the lack of unique logins are putting patient records at risk.
The report found that, despite HIPAA’s security rules imposing restricted access to electronic patient health information, 63 percent of healthcare staff are still able to log on to different devices and workstations concurrently, 49 percent are required to manually log off, and 30 percent do not have unique logins.
The report, ‘Healthcare: data access compliance’, highlights several issues that directly affect the security of information within the healthcare industry. Access to personal data can be life-dependent, but there has to be a reliable access management procedure and system in place.
According to the report, 82 percent have access to patient data, which is worrying considering 30 percent do not have unique logins for this access, making proper user identification impossible.
Not enough training
The report also details security training, for both on-boarding new employees and those who have settled into their jobs. It showed that 29 percent of healthcare professionals did not receive any security training when they were employed and only 55 percent of existing employees received IT security training.
The figures on access, logins and password sharing, as well as on IT security training, show the need first to implement a good access management system and second to train staff to raise awareness and build accountability.
David Childers, fellow at Open Compliance & Ethics Group (OCEG), said in a statement: “70 percent of data losses in healthcare are caused by human error. Both Ponemon and Experian in their latest reports regarding data breach and protection challenged healthcare organizations to ‘step up’ their security posture. Not only did these studies cite the increase in breach event activity but noted the likely rise in legal and regulatory scrutiny that will come in 2016.”
Francois Amigorena, CEO of IS Decisions said, “Unlike an office where employees have designated computers and workstations, doctors and nurses are always on the go, moving from operating theatres to patient rooms and so on. Healthcare organizations need to protect the patient’s right to privacy while ensuring healthcare professionals get the necessary access to provide the best treatment for their patients.
“Information of this critical and confidential nature should only be accessible by authorized users and it really should not be a complicated process. This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing.”
See: http://www.isdecisions.com/healthcare/compliance-research-executive-summary.htm for more information.