Hospital IT departments need to increase the professionalism of staff assigned to data security, said Ali Pabrai, a Newport Beach, Calif., health IT consultant, in an article published in a patient privacy newsletter from AIS Health. (Full disclosure: FierceHealthcare has a business relationship with AIS.)
"Many organizations lack the concept of a true information security team with the skill sets that you'd expect a security team to have," Pabrai said, addressing CIOs. "So take a deeper look at the skills, the knowledge [of] your information security officer, across the security professionals that may be within the IT department. It's very important to make sure you've got the appropriate skill sets applied to the security controls you've acquired within your enterprise."
Pabrai urged CIOs to address the security of personal identification information, as well as personal health information. He also stressed the importance of audit log consolidation to make sure that hospitals know when data has been lost, stolen, or compromised.
"Is someone really looking at those log files being generated by the system applications to make a determination that there may have been any unauthorized access?" he asked. "Those are questions that we need to ask ... to take a look at what is the state of our information security within the organization."
Pabrai also hit familiar bases, such as the need for stronger encryption and authentication. Every action that affects a database, he said, should be traceable back to an identifiable individual.
Because of the rise in news reports about security breaches, Pabrai noted, privacy officials in healthcare organizations have an unparalleled opportunity to get the attention of their chief executives and board members. They should seize this opportunity, he said, to "execute and fund a robust information security plan."
"A breach is not just a compliance issue," he concluded. "It's a significant risk to the organization, and if an organization suffers a breach, chances are it will impact the organization in seven figures."
To learn more:
- read the AIS summary of Pabrai's report (registration required)
- visit the Privacy Rights Clearinghouse website