Request a Quote

Executive provides advice on how institutional staff can better protect data security

October 27, 2014

Data Protection

The ongoing digitization of patients' medical records is meant to facilitate the administration of care. Doctors' notes become more legible, electronic health record systems are equipped with clinical decision support alerts and individual records are instantly transferable among providers who share the same patients.

However, one consideration that cannot be overlooked with digitization of medical records is that additional security measures are required to protect patient data. The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted, in part, to set standards for data privacy and security, but even with these rules, breaches have occurred. These breaches not only expose patients to potential loss of privacy, but also cost healthcare organizations that experience a breach significant expense. 

Penalties significantly increase
Earlier in 2014, the Ponemon Institute released its annual report on the state of data breaches in healthcare. The latest update indicated that the average cost of a single data breach is $3.5 million globally, as reported by FierceITSecurity. That represents a 15 percent increase from the previous year. During the same time period, the average cost associated with each lost or stolen record in the U.S. went from $188 to $201.

This does not take into account expenses from the inevitable fines levied against HIPAA violations. As of August 2014, the maximum penalty was $1.5 million per violation, as reported by The Privacy Advisor.

A growing number of executive level leaders in hospitals across the U.S. are becoming more cognizant of the need for more stringent security measures. Texas Health Resources CIO Ed Marx told Healthcare IT News that his organization ramped up its own regulations by requiring all employees to attend a special class at least once a year. Additionally, chief security and compliance officers have more authority than before and a security task force regularly reports to the company's audit committee.

"We have a direct line of sight from the chairman of the board, who sits on the committee, all the way down to the individual employee," Marx told the news source. "When we need support, we get it because we have this governance council for security and straight access to the board."

Protecting healthcare data extends from the healthcare providers themselves to their Business Associates who may have access to patient medical information. These Business Associates also have responsibilities under federal regulations to ensure the privacy and security of patient data.

At iSpecimen, we go well beyond HIPAA and HITECH to protect data that we receive from our healthcare partners. First, we limit the amount of protected health information (PHI) we store by de-identifying most data (with the exception of limited dates of service) before it enters the iSpecimen data center. Secondly, we have stringent HIPAA policies and procedures in place to protect PHI and all our employees are HIPAA trained and certified. Thirdly, our company and policies are regularly audited by outside agencies for adherence to our HIPAA privacy and security rules. Finally, we go through rigorous third-party software and hardware security audits – including binary code tests as well as manual penetration tests – to ensure that data under our control is not vulnerable to security threats.