How are healthcare organizations implementing security procedures and processes?
As with most IT security compliance programmes, technology only forms part of the solution in healthcare. IT security is a tripod between processes, people and technology — and not a monolith. We’ve discussed security training at the point of employee entry, but what about the on-going elements?
Processes and procedures are paramount to compliance. HIPAA states that organisations must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
However, while healthcare organisations may have such procedures in place, they aren’t communicating these procedures to employees effectively. Just 72% of US and 53% of UK healthcare professionals say they are aware of a documented healthcare policy within their organisation.
When it comes to user authentication procedures, many organisations are at serious risk from not having a simple password policy, where users must change their login details on a regular basis. Only 71% in the US and 53% in the UK say their organisation enforces use of secure passwords, a worrying statistic especially after the famous Anthem hack, which occurred as a result of compromised credentials.
Another procedural requirement for any organisation operating under HIPAA or within the NHS is regular security audits. Just 34% in the US and 26% in the UK are aware that their organisation does regular security audits. Though it is possible that these may be conducted without the employees’ knowledge, transparency with regards to auditing is recommended, as it reminds employees to be vigilant and may even deter potentially malicious activity.
To address the people side of security, an engaging training programme helps improve security awareness and can significantly improve compliance.
Indeed, in the UK, NHS security policies specifically state that information governance training is mandatory, and all staff are required to complete annual online information governance training. HIPAA in the US provides more granular detail on what healthcare organisations need to do:
- Train employees to use and apply appropriate data protection protocols, which may include document shredding procedures, or lock or password security protocols
- Train new employees immediately when they’re hired
- Provide regular refresher sessions for existing employees
- Sanction employees who violate policies and procedures
However, many healthcare organisations are not paying enough attention to general IT security training once employees have settled into their jobs. Just 55% of healthcare companies in the US and 41% in the UK extend training to existing and established employees.
Further to this, only a minority of healthcare organisations have successfully made the penalties for leaking or stealing sensitive information clear to their employees: 43% in the US and 31% in the UK.
And the UK’s Information Commissioner, for one, takes a dim view of the NHS’ approach to security training. He said in February 2015: “The NHS is one of the worst performers. This is a major cause for concern. Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.”
The Information Commissioner’s comments are hardly surprising since just 30% of US and 23% of UK IT professionals believe senior management take any responsibility for security — something that must change to remain compliant.