By Greg Park
In my last installment, we focused on the DHHS’ website exposing security breaches of patient data. Since then HIMSS Analytics released a report titled Security of Patient Data, revealing critical gaps in hospital data security, and characterizing hospital data security as more reactive than proactive.
- Healthcare breaches has so-far increased 6% in 2010
- Hospitals underestimate the cost of data breaches. HITECH violations can total $1.5 million
- Patient satisfaction is cited as the primary concern of breaches with financial costs as secondary
- Security is managed in data-silos, creating unwanted gaps in policies and procedures
- 84% of breaches due to lost/stolen laptops or backup tapes and improper document handling
- Hospitals expect an increase in employee background checks
This information provides a road map on where to focus your hospital’s security plan, and we will highlight the benefits of making RAS a part of that plan.
DB Technology’s Best Practices using RAS (document management, document imaging):
- Maximum Login Attempts. User accounts are disabled after X failed login attempts.
- Password Options. Align RAS’s Password setting with your hospital’s policy. This may sound like a no-brainer, but the HIMSS Analytics report clearly shows that overall policy can fail to be enacted throughout all systems.
- Inactivity Timeouts. This is really important! If left unchecked patient data can be exposed on user desktops. At a minimum make sure that each workstation times-out to a password protected screen saver.
- Inactivity Timeouts Part II. User accounts are disabled after X days of logging into RAS. This will ensure that terminated employee logins are deactivated. Studies indicate a large percentage of theft incidents are attributable to terminated employees.
- Role-based access. Devise access based on job description, ensuring users see information specific to their position. This is applicable in all DB Technology products.
- Report Access Logging. It is best practice to “turn-on” audits for all Users and Workflows.
- Access Codes. Access to User Interface functions must be geared towards users’ role. Many hospitals leave this unchecked and allow unrestricted replication of documents. If a user has no purpose printing, emailing or copying reports, deactivate the functions for that user or user group.
- Management Reports. There are a ton of Management Reports that when coupled with audit trail data provide insight into how data is utilized. Perform an unscheduled spot-check and investigate why users are emailing or printing protected data.
- PHI flag. All reports in the RAS Title database can be marked as containing PHI. This is important as it permits PHI specific auditing.
- Last but not least, consider how you are disseminating data. If you are emailing or copying data to network drive space you have lost control. There are many ways to securely deliver data through RAS to all recipients while maintaining a high-level of data protection.
Contact DB Technology if you would like guidance on how to tighten security at your hospital with RAS.