[ Monday, August 20, 2007 ]
To think Security, think Identity Theft:
I've posited all along that except for celebrities and sports stars, and a few outliers like people involved in litigation, divorce, gossip, or other types of blackmail, there's really very little risk that someone is going to target an unknown third party's medical records. Unless, that is, they are not looking for medical and health information, but rather for social security numbers and similar information that could be useful for identity theft.
Because of that, I believe that Security Officers at Covered Entities should focus on the goal of preventing ID theft as the vehicle for instituting good data security. To do that, you've got to keep an eye on what other industries are doing, and following the retail industry is a pretty good place to start (at least in issue-raising, if not in execution). This article in Information Week is a pretty good starting point.
Of course, the other mundane data breach common in healthcare occurs when the person looking is not random at all -- when a nurse, receptionist, or even a doctor goes digging into the medical records of a friend or relative who has been a patient of the covered entity. Medical businesses must look out for this too, but that's easier to do: keep up with your audit trails (actually review them, not just collect them), and if you ever catch someone snooping, fire them loudly. If your employees are afraid they'll get caught, and know they'll be treated harshly if they are, then they'll be much more likely to toe the line and resist the urge to peek. Making an "object lesson" out of a snooping employee will go a long way toward preventing other snoops.
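As an added illustration of what "keep up with your audit trails" looks like in practice (example code, not from the original post or any particular EHR product), the script below runs two simple snooping rules over a constructed access log: an access by an employee with no documented treatment relationship to the patient, and an access to a patient who shares the employee's surname. The logins, patient IDs, care-team table, surname lookups and break-glass list are all hypothetical, constructed data so the script runs offline.

```python
"""Snooping detection over an EHR access audit trail.

Added example; not code from the original post. The access log, the
care-team (treatment-relationship) table, the surname lookups and the
break-glass list are all constructed, hypothetical data so this runs offline.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str      # employee login
    patient: str   # patient record ID
    action: str    # "view", "print", ...


# Constructed sample audit trail (hypothetical logins and patient IDs).
ACCESS_LOG = [
    Access(datetime(2007, 8, 20, 9, 2), "nurse_a", "P100", "view"),
    Access(datetime(2007, 8, 20, 9, 15), "nurse_a", "P101", "view"),
    Access(datetime(2007, 8, 20, 9, 40), "dr_c", "P102", "view"),
    Access(datetime(2007, 8, 20, 10, 5), "recep_b", "P102", "print"),
    Access(datetime(2007, 8, 20, 10, 30), "nurse_a", "P103", "view"),
    Access(datetime(2007, 8, 20, 11, 0), "dr_c", "P101", "view"),
    Access(datetime(2007, 8, 20, 11, 20), "recep_b", "P100", "view"),
    Access(datetime(2007, 8, 20, 11, 45), "nurse_a", "P102", "view"),
]

# Who currently has a documented treatment relationship with whom
# (care-team assignments plus today's scheduled encounters). Hypothetical.
CARE_TEAM = {
    "nurse_a": {"P100", "P103"},
    "dr_c": {"P100", "P101", "P102", "P103"},
    "recep_b": {"P100"},
}

# Surname lookups used for the "looking up a relative" rule. Hypothetical.
STAFF_SURNAME = {"nurse_a": "Rivera", "recep_b": "Chen", "dr_c": "Okafor"}
PATIENT_SURNAME = {"P100": "Lee", "P101": "Rivera", "P102": "Chen", "P103": "Lee"}

# Documented emergency ("break-glass") accesses; these get their own review
# rather than being flagged as snooping.
BREAK_GLASS = {("nurse_a", "P102")}


def flag_snooping(log, care_team, staff_surname, patient_surname, break_glass=frozenset()):
    """Return [(access, [reason, ...]), ...] for accesses that deserve a human look."""
    findings = []
    for a in log:
        reasons = []
        # Rule 1: no care-team/encounter link, and not a documented break-glass access.
        if a.patient not in care_team.get(a.user, set()) and (a.user, a.patient) not in break_glass:
            reasons.append("no treatment relationship on file")
        # Rule 2: same surname as the employee, a cheap proxy for "looking up a relative".
        if staff_surname.get(a.user) and staff_surname[a.user] == patient_surname.get(a.patient):
            reasons.append("patient shares the employee's surname")
        if reasons:
            findings.append((a, reasons))
    return findings


def per_user_counts(findings):
    """How many flagged accesses each employee has; useful for prioritising review."""
    counts = {}
    for a, _ in findings:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


def run_example():
    return flag_snooping(ACCESS_LOG, CARE_TEAM, STAFF_SURNAME, PATIENT_SURNAME, BREAK_GLASS)


if __name__ == "__main__":
    for a, reasons in run_example():
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user} {a.action} {a.patient}: {'; '.join(reasons)}")
    print("flagged per user:", per_user_counts(run_example()))
```

On the constructed data this flags two accesses (a nurse opening a record with her own surname and no encounter on file, and a receptionist printing a record outside her scheduled patients), while the documented break-glass access is left for the emergency-access review instead. The rules are deliberately crude; the point is that the log only catches snoops if something, or someone, reads it.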
Jeff [10:19 AM]