This blog is largely focused on the nuts and bolts of the health IT transition.
But one could fairly argue that the key to the success of health IT lies not in getting the right hardware in place, but in figuring out how to keep patient data secure regardless of the equipment at hand.
So it seems worth taking a moment to note the latest news on health IT security. A new report from Redspin, a tech security firm, paints a rather bleak picture. In short, in 2011 health data breaches increased 97% over the year before, occurring in all 50 states and affecting over 19 million patient records.
While the numbers are stark, one need not drill down too far into the specifics to realize that, at least when it comes to health records, much of IT security isn’t rocket science. For example, the report notes that 59% of all breaches involved a business associate, those “third-party vendors, suppliers, consultants, and contractors that covered entities entrust with their PHI to perform services on their behalf.”
What’s more, 39% of breaches occurred on a laptop or other portable device.
Neither of these problems calls for a complicated solution. Rather, it’s largely a matter of being thorough and cautious, as well as making sure all parties involved recognize what’s at stake.
As the report puts it, “many business associates are not yet prepared for the responsibility they assume simply by being in possession of Personal Health Information (PHI). The proliferation of portable devices and media within all IT environments that store PHI increase the likelihood of breach geometrically. Few healthcare employees could tell you what corporate IT security policies are in place; it is even rarer to find security awareness training programs. . . . The healthcare industry itself and individual organizations within it must become more proactive in regard to their IT security. In effect, they need to serve as their own watchdog.”
In short, the success of any provider’s transition to health IT, not to mention the overall movement itself, will rely to a significant extent on the capacity of providers and their associates to take the time to develop proper protocols, and to follow them every time they access a patient’s data.