Services
Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
About Us
About Us
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships

Protecting Healthcare Data from Employee Errors

A recent Experian Data Breach Resolution and Ponemon Institute study discovered that 55 percent of companies have experienced a data breach due to employee error, and 60 percent of companies believe their employees do not know about the company’s security risks. Furthermore, 66 percent of survey participants admitted that employees are their biggest challenge when developing and implementing data security protocols.

Considering five of the eight largest security breaches have impacted the healthcare industry over the last five years, and 2015 was dubbed “the year of the healthcare industry security breach,” this study should put leaders on red alert.

All it takes is one mistake by one employee to cost your healthcare organization thousands or millions of dollars, not to mention jeopardizing your reputation as a safe and reliable provider. There’s no time to waste. Here’s what you need to do to better protect your healthcare data from employee error.

1. Adopt or Improve a Culture of Security

If a healthcare organization’s CIO is the only one paying attention to IT security—there’s bound to be a problem. To encourage the development of a security-focused culture, healthcare companies need to:

  • Discuss security at the senior executive level and encourage buy-in from both the management- and physician-side of the organization.
  • Get C-suite to publicly back security
  • Label security as the organizational priority
  • Create benchmarks to track security improvements
  • Incorporate security into organizational activities, including system acquisition and medical device platforms
  • Ensure employees understand their roles and responsibilities related to security
  • Hold employees accountable
  • Shift the organization’s approach to security from reactive to proactive

2. Prioritize and Require Employee Training

In the above-mentioned study, only 35 percent of respondents felt their organization’s leaders made employee training and knowledge about data security a priority. This fact creates a distressing catch-22 for healthcare organizations. First, if employees aren’t aware of the security risks specific to their vertical, how can they actively work to prevent them? Second, if leaders aren’t pushing for greater security awareness, training programs generally fail to effectively teach employees how to safely manage data.

Case in point: All the respondents in this study said their organization provided some training on data security. But only half felt that these programs decreased non-compliant behavior. Forty-three percent said that only a single basic course was provided to employees, and top threats (like phishing, social engineering attacks, mobile device security and cloud service utilization) weren’t always a part of the training agenda. To make matters worse, less than half of the companies made data security training a requirement.

Healthcare organizations need to make employee training a priority. Routine security courses should be held throughout the year, and attendance should be mandatory. Furthermore, these programs must be supported and advocated for by upper management to ensure employees take them seriously.

3. Incentivize Compliancy

When there’s no consequence (or no reward) for compliancy with company-wide mandates, employees are far less likely to change their behaviors. Organizations must develop an incentives program to reinforce security compliancy, including punishment for security incidents and rewards for those who do comply or contribute in some way to the betterment of your organization’s security. Furthermore, security should be a part of the employee performance review process, and organizational leaders should discuss risky behavior with employees, along with advice or consequences to ensure such behaviors are avoided in the future.

4. Implement and Monitor HIPAA Administrative Safeguards

One of the major employee-caused security risks facing healthcare organizations today is the accidental exposure of Protected Health Information (PHI). Exposing thousands of patient files is as easy as one healthcare employee trying to help another, and accidentally exchanging information in an insecure way.

HIPAA administrative safeguards are policies and procedures designed to help guide employees in the proper handling of ePHI. This encompasses security training and the delegation of specific security responsibilities to support a safe and effective workflow when dealing with electronic patient data.

Among the most important details related to employee error and HIPAA administrative safeguards is to properly manage accesses and eliminate access for employees who have been terminated or who have left the organization. Employees should only have access to what they absolutely need to perform their jobs. In some cases, patient information doesn’t need to be a part of this catalog and therefore—shouldn't be.

5. Embrace the Value of Security Audits

Audits are generally seen as a necessary evil, but if your healthcare organization truly shifts its focus and adopts a culture of security, the weaknesses an audit may expose should be viewed as valuable information you can use to reinforce protective measures and become impenetrable. Consider a HITRUST certification to support your dedication to security, boost customer confidence in your organization, save money by reducing the number of audit requests and take another step toward that proactive approach to data security we mentioned earlier in this article.  Another option would be an independent third party HIPAA assessment.  This type of assessment can also provide some of the benefits that a HITRUST certification would but at less of a cost.  Many organizations will start a HIPAA assessment and then will look to move toward a HITRUST certification once they have had a third party validate that they have proper controls in place to address the HIPAA requirements.

Human error is inevitable. But with the right safeties in place, healthcare organizations can significantly reduce occurrences and their impact. Work with a globally licensed and qualified security assessor to gain a better understanding of where you currently stand and what you need to do to improve your security stance. 

 Top 15 HITRUST Questions Answered

About DOUG KANNEY

Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.