Health Care POV
The Politics of Health Care

Keeping Digital Medical Records Secure

Published April 17, 2009 4:27 PM by Frank Irving
By now, just about everyone in the industry knows that the provisions of the American Recovery and Reinvestment Act (ARRA) include more than $20 billion in funding for technology investments by health care organizations. However, some of the deeper implications of projected HIT investments are just coming to light.

For example, Absolute Software, a provider of firmware-based computer-theft recovery, data protection and IT asset management solutions, points out that ARRA's incentives will revolutionize record-keeping, making medical records available throughout hospitals on mobile computers, tablet PCs and shared terminals.

"With this accessibility and increased efficiency," the company warns, "health care providers need to be aware of and address the vulnerabilities of such systems to data breaches and theft."

The company's Web site lists five best practices for keeping data secure in the age of ARRA:

1) Know the consequences of a data breach. According to a recent study from the Ponemon Institute, organizations that experienced a data breach in 2008 paid an average of $6.6 million to rebuild their brand image and retain their customers. The study also found that health care companies lost more business as a result of data breaches than companies in any other industry.

2) Assess your organization's situation. Health care managers should properly assess all areas of the facility where confidential data may be stored, then determine who has access to them and how they are being protected. Before an organization can begin to streamline its IT security, it must have a firm understanding of what it needs to protect.

3) Implement a comprehensive data security plan. Even with encryption in place, 56 percent of employees disable their company-issued encryption solution. Security and asset management solutions should be part of a multilayered approach in protecting organizational computers. Absolute Software noted that its Computrace product has the ability to track and recover missing laptops as well as to remotely delete sensitive files. (The software is embedded in the firmware of computers from ASUS, Dell, Fujitsu, General Dynamics Itronix, HP, Lenovo, Motion, Panasonic and Toshiba.) The company also has a product that allows IT managers to monitor and protect smart phones in a similar fashion.

4) Secure data on mobile computers. The more hospitals use mobile computers and PDAs, the higher the risk of theft and of data ending up in the wrong hands. A multilayered approach to data security and theft is necessary to protect these assets.

5) Create a data breach policy. In the event of a data breach, a standard procedure should be in place to minimize damage and provide timely notification of supervisors, law enforcement, patients and the media, as necessary.
