A recent Experian Data Breach Resolution and Ponemon Institute study discovered that 55 percent of companies have experienced a data breach due to employee error, and 60 percent of companies believe their employees do not know about the company’s security risks. Furthermore, 66 percent of survey participants admitted that employees are their biggest challenge when developing and implementing data security protocols.
Considering five of the eight largest security breaches have impacted the healthcare industry over the last five years, and 2015 was dubbed “the year of the healthcare industry security breach,” this study should put leaders on red alert.
All it takes is one mistake by one employee to cost your healthcare organization thousands or millions of dollars, not to mention jeopardizing your reputation as a safe and reliable provider. There’s no time to waste. Here’s what you need to do to better protect your healthcare data from employee error.
1. Adopt or Improve a Culture of Security
If a healthcare organization’s CIO is the only one paying attention to IT security—there’s bound to be a problem. To encourage the development of a security-focused culture, healthcare companies need to:
- Discuss security at the senior executive level and encourage buy-in from both the management- and physician-side of the organization.
- Get C-suite to publicly back security
- Label security as the organizational priority
- Create benchmarks to track security improvements
- Incorporate security into organizational activities, including system acquisition and medical device platforms
- Ensure employees understand their roles and responsibilities related to security
- Hold employees accountable
- Shift the organization’s approach to security from reactive to proactive
2. Prioritize and Require Employee Training
In the above-mentioned study, only 35 percent of respondents felt their organization’s leaders made employee training and knowledge about data security a priority. This fact creates a distressing catch-22 for healthcare organizations. First, if employees aren’t aware of the security risks specific to their vertical, how can they actively work to prevent them? Second, if leaders aren’t pushing for greater security awareness, training programs generally fail to effectively teach employees how to safely manage data.
Case in point: All the respondents in this study said their organization provided some training on data security. But only half felt that these programs decreased non-compliant behavior. Forty-three percent said that only a single basic course was provided to employees, and top threats (like phishing, social engineering attacks, mobile device security and cloud service utilization) weren’t always a part of the training agenda. To make matters worse, less than half of the companies made data security training a requirement.
Healthcare organizations need to make employee training a priority. Routine security courses should be held throughout the year, and attendance should be mandatory. Furthermore, these programs must be supported and advocated for by upper management to ensure employees take them seriously.
3. Incentivize Compliancy
When there’s no consequence (or no reward) for compliancy with company-wide mandates, employees are far less likely to change their behaviors. Organizations must develop an incentives program to reinforce security compliancy, including punishment for security incidents and rewards for those who do comply or contribute in some way to the betterment of your organization’s security. Furthermore, security should be a part of the employee performance review process, and organizational leaders should discuss risky behavior with employees, along with advice or consequences to ensure such behaviors are avoided in the future.
4. Implement and Monitor HIPAA Administrative Safeguards
One of the major employee-caused security risks facing healthcare organizations today is the accidental exposure of Protected Health Information (PHI). Exposing thousands of patient files is as easy as one healthcare employee trying to help another, and accidentally exchanging information in an insecure way.
HIPAA administrative safeguards are policies and procedures designed to help guide employees in the proper handling of ePHI. This encompasses security training and the delegation of specific security responsibilities to support a safe and effective workflow when dealing with electronic patient data.
Among the most important details related to employee error and HIPAA administrative safeguards is to properly manage accesses and eliminate access for employees who have been terminated or who have left the organization. Employees should only have access to what they absolutely need to perform their jobs. In some cases, patient information doesn’t need to be a part of this catalog and therefore—shouldn't be.
5. Embrace the Value of Security Audits
Audits are generally seen as a necessary evil, but if your healthcare organization truly shifts its focus and adopts a culture of security, the weaknesses an audit may expose should be viewed as valuable information you can use to reinforce protective measures and become impenetrable. Consider a HITRUST certification to support your dedication to security, boost customer confidence in your organization, save money by reducing the number of audit requests and take another step toward that proactive approach to data security we mentioned earlier in this article. Another option would be an independent third party HIPAA assessment. This type of assessment can also provide some of the benefits that a HITRUST certification would but at less of a cost. Many organizations will start a HIPAA assessment and then will look to move toward a HITRUST certification once they have had a third party validate that they have proper controls in place to address the HIPAA requirements.
Human error is inevitable. But with the right safeties in place, healthcare organizations can significantly reduce occurrences and their impact. Work with a globally licensed and qualified security assessor to gain a better understanding of where you currently stand and what you need to do to improve your security stance. If executive buy-in becomes a roadblock, check out this article for ways to push security as a priority among leaders and employees.