Patient data protection: Let's get back to basics

Looking to keep your patients' data safe? You'd be wise to remember that human error often lies at the core of a breach, and build your efforts from there. Healthcare attorney Lee Kim shared that advice earlier this month at the Government Health IT Conference & Exhibition.

But her advice is not heeded by nearly enough healthcare industry leaders.

For example, a survey of IT professionals from roughly a dozen industries--including healthcare--published earlier this month by consulting and internal audit firm Protiviti determined that 22 percent of respondents still don't have a written information security policy in place, Healthcare IT Security reported.

And a report published in late April by the Ponemon Institute found that while most healthcare organizations understand the risks of a breach, nearly 40 percent still don't have a response plan in place, even though HIPAA requires one; more than 80 percent don't have tools to determine the nature and cause of a breach.

"Sometimes organizations need to experience an incident to understand first hand the impact," said Michael Bruemmer, vice president at Experian Data Brach Resolution, which commissioned the Ponemon report. "We hate to see that happen."

In the 21st century, with people constantly sharing information via social media, email and text messages, it seems ludicrous that any industry--let alone one as personal as healthcare--would not have even the most basic of security measures in place.

I'm not saying that written policies and procedures will cause data breaches to go away. In some instances, despite a plethora of protection efforts, criminals will still manage to get ahold of information.

But failure to take into account the human element of breaches can be costly. If policies aren't top-of-mind and constantly updated, they should be. Humans are forgetful creatures. There's a reason so many health-related text messaging programs focus on helping patients to remember various daily activities.

"Secure the human," said Kim, who also serves as chair of the mHIMSS Legal and Policy Taskforce. "Breaches often are the result of things that we as humans do. You should guard your information systems as if you were going home and locking your own door."

Kim's right. While basic protection efforts might not be good enough to maintain security, they certainly can't hurt, either. - Dan @FierceHealthIT