Who handles security in your office?
According to many sources, medical identity theft is on the rise. 
Thus, an interesting MedCityNews article caught our eye this week, entitled:
“Cybersecurity in healthcare is now center stage. So who should be responsible?”
Typically, the first person to come to mind is whomever
heads up IT. However, I know the last time anyone I know
went to the doctor, we were still completing paper forms,
therefore, it can’t all fall on IT’s shoulders, right?!
So, if not IT, then who?
Shahid Shah, the article’s author and “an enterprise software
analyst with 15 years of experience in healthcare IT” makes
some good points.
First off: “At the end of the day, everyone has a role to play in Information Security.”
True or true, since “…it is a people and process problem more than anything else.”
So, you fill out the requisite forms, the front desk takes the documents
(the first point for a potential security breach), enters the information
into a digital format (second point for a potential security breach), and
then…where does it go? Who gets to see it next? Maybe a nurse carries
the file and accidentally leaves it out in the wrong place. Heck, some even
leave them in a file folder hanging on the outside of the door so the doctor
knows who is in the room. Some identity thief could take it right there
(or, at least, take a picture and put the folder back).
Maybe your office has gotten a bit more conscientious thanks to the HIPAA laws.
Maybe they are even more technologically advanced and they are already
reading your electronic file on some tablet like device. Ok, perhaps more
secure, assuming IT is also on the ball.
Ok, so over the last 5 years or so things may have gotten better, as the article
correctly points out, since “the Meaningful Use program that has led to rapid
adoption of EHRs.” But what of the records obtained before then?
“…you will often see PHI or other sensitive information in all kinds of places that no one knows about any longer, let alone “own” them – Network file shares, emails, a legacy application or database that is no longer used etc. The fact that HealthIT in general has been overstretched over the last five years with implementation of EHRs or other programs hasn’t helped matters either.”
“[T]he crux of the problem with security programs…is to ensure ownership, accountability and real effectiveness or efficiencies.”
This is not only true for your doctor’s offices though.
What is your insurance professional doing to ensure the security
of your protected information? What is their long term plan for
its continued security in the event they are no longer in business?
I doubt most folks have thought about this outside of our offices,
and thus I encourage you to ask your health insurance professionals
what their office’s protocols are and what is done to ensure those
protocols are being followed.
If you’d like to know what our protocols are, please ask, we’ll be
happy to share them individually.
Mr. Shah outlines 5 measures that he recommends, which are all important,
but not the end, especially for offices that still rely on paper applications.
What would you like to see happen?
Please share in the comments section below.
We look forward to continuing the dialogue with you!
