Personal health information ranks among the top types of information worldwide that are hacked, lost, stolen or otherwise put into security jeopardy, according to the latest Verizon report on healthcare cybersecurity.
Key terms to know
Verizon’s report says personal health data is put most at risk in several ways, and these are key terms to know for senior living data security. They are:
Loss—According to Verizon, loss is the most common way for personal health data to be breached, and it is critical that an organization makes it easy for employees to report incidents of lost data quickly. The sooner the loss is reported, the better the organization can react to the breach.
Misdelivery—Whether it is documents in the mail or electronic information in an email, it amounts to people getting data not intended for them. Electronic misdelivery is more difficult to combat than the misdelivery of paper documents. It is far too easy to accidentally address an email to the wrong person—or even an entire email distribution list. Most paper misdelivery incidents come from mass mailings where the envelope addresses and contents got out of sync, and nobody checked samples before sending it all off.
Disposal errors—This is another error that can put personal health information at significant risk, whether disposing of paper documents, old computers or laptops. Disposal errors are sometimes the result of third parties contracted to handle the disposal of paper and electronics not living up to their contracts. Be sure to draft legal requirements for these disposal relationships that include penalties commensurate with the severity of a breach, Verizon advises.
Importance of a culture of security
Researchers who study the psychology and sociology of information technology (IT) users have demonstrated time and again how very difficult it is to raise people’s awareness about threats and vulnerabilities that can jeopardize the information they work with daily, says a report by the federal Office of the National Coordinator for Health Information Technology (ONC).
ONC says no cybersecurity measures can be effective unless an organization is “willing and able to implement them, to enforce policies that require these safeguards to be used, and to effectively and proactively train all users so that they are sensitized to the importance of information security.”
In short, each health care practice or senior living home must instill and support a security-minded organizational culture, ONC warns.
One of the most challenging aspects of instilling a security focus among users is overcoming the perception that “it can’t happen to me,” ONC says. “People, regardless of their level of education or IT sophistication, are alike in believing that they will never succumb to sloppy practices or place patient information at risk. That only happens to other people,” the report says.
ONC offers a checklist for helping to establish a culture of cybersecurity, including:
- Educating and training frequently and on an ongoing basis about data security
- Helping managers to set a good example
- Imposing accountability across the entire care team; taking responsibility for information security must be among the organization’s core values
“Protecting patients through good information security practices should be as second nature to the health care organization as sanitary practices,” ONC says.
“We all know incidents aren’t just a single point in time, but if you just think about incidents as a chain of events, you might miss the fact that attacks are more like a waltz around the dance floor than they are a straight line,” says the Verizon report. “You have to mitigate all paths an attacker can take—not just the straight path from point A to point B. The idea is that if you make it more difficult for the attacker to get to their ultimate goal, they’ll move along to an easier target.”