The following is written by Marion K. Jenkins, PhD, FHIMSS, founder and CEO of QSE Technologies.
Many headlines about HIPAA data breaches, and much of the attention around IT security in general, focus on external hackers. Most people envision a bunch of ne'er-do-wells who hide out in some dark corner of the Internet just waiting to hack into your system and steal your data. While this is certainly a constant threat, and you should take the proper precautions to protect your ambulatory surgery centers's IT systems and EPHI (electronic protected health information), you should probably be more concerned about the much more common threats that are caused or enabled by internal users.
Many healthcare users engage in behaviors that can compromise an ASC's IT systems. These can include web browsing to non-business related sites, clicking on pop-up ads, responding to phishing scams, sending e-mails containing EPHI (or attachments containing EPHI) over unsecured e-mail, using their home or personal laptops in the ASC or accessing the ASC's systems remotely from home using a computer that is shared with others who live there. Another big area of concern is just making a mistake while using the ASC's systems, also known sometimes as fat-fingering.
Concerning accessing the ASC's systems remotely from home, one big issue is that home networks are generally not well protected. Extra care should be taken to ensure that any systems that are used to access the ASC network remotely are in a separate, controlled area within the home, and that no other users are allowed access to that system in a way that could possibly compromise the EPHI of the ASC. We have seen many examples where users innocently (or carelessly) let others in their house use the computer and when it was brought back into the ASC it was infested with viruses and spyware.
Browsing to non-business sites can open up the ASC to potential vulnerabilities. There have been many reports on employee online behaviors. At the low end of the cause/effect scale, these behaviors waste the employee's time. If they access websites that are big bandwidth hogs (such as those relating to next month's "March Madness" NCAA basketball tournament), it can affect the productivity of the entire facility. And at the top end of the scale, the behaviors can actually enable outside users to gain access to the ASC's network. The most common modes are music and video sharing using peer-to-peer-based networks or downloading spyware inadvertently, frequently from sites and pop-up ads claiming to protect your computer against spyware.
Don't forget that one of the requirements of HIPAA Security is not only to protect EPHI from unauthorized access, it also requires the ASC to protect EPHI from accidental loss or destruction. This means that an ASC employee who overwrites, deletes or improperly saves EPHI data has in fact committed a HIPAA Security violation. The action required to correct the issue is a function of its severity, but as a minimum the ASC should have procedures in place to prevent it in the first place, and to recover from it in the event it occurs. The most important thing on the front-end is to employ role-based security, where ASC employees only have access to that EPHI data which pertains to their job role. And to recover from the issue, the ASC needs to have a copy of the data "offline" (which is different from off-site) so that the data is not accessible by the user — or by the software.
In summary, internal user-caused or user-enabled threats can represent a much bigger HIPAA Security threat than external hackers. So even if you have secure, hardware firewalls, robust data backup systems, a locked computer room and all your other anti-malware software is up to date, you need to address internal user issues through training, training and more training.
Marion K. Jenkins, PhD, FHIMSS, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com. For a copy of the complete HITRUST report, you may email the author at marion.jenkins@qsetech.com.
Read more from Marion Jenkins:
- Surveys Reveal Surging Interest in Healthcare IT by Investors, Providers
- Laptops, Portable Media Represent Leading Cause of HIPAA Data Breaches
- Your Software Vendor: A 'Backdoor' Into Your Surgery Center's IT Systems?