Computer theft recovery firm Absolute Software issued today a guide to what the company feels are the top computer security risk for healthcare institutions. The list, as was to be expected, was somewhat geared toward the services that the company offers, especially its mobile PC asset tracking and data protection solutions, but nonetheless offers a perspective on challenges faced by healthcare IT security staff today.
Highlighting the list of "top five computer security risks for healthcare," was the company's note that recent research from Research Concepts indicated that some 72 percent of those in charge of managing IT assets thought that it was the employees themselves who were ultimately responsible for the data breaches that occurred."
With HIPAA now specifying tight restrictions on patient data confidentiality and access, the company said that healthcare providers have begun to adopt encryption technologies, but the firm said that public terminals, lost laptops and overall lack of data security planning still leaves holes in the IT "armor" of many healthcare institutions and companies dealing with healthcare data. Here's what Absolute Software, which makes the Computrace product, listed as the top healthcare computer security risks:
1. Failure to Protect Sensitive Data Beyond Encryption
According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must encrypt electronic protected health information (EPHI) stored on open networks such as laptops. However, a recent Research Concepts survey found that 72% of IT asset managers believe their own employees - those with access to encryption keys and passwords - were responsible for the most incidents of data breach in their organizations. With lost or stolen mobile computers cited as the cause of nearly 50% of data breaches, healthcare organizations must complement encryption with the ability to remotely delete EPHI from missing computers for the highest level of data protection.
2. Inability to Accurately Manage Mobile Computer Assets
In order to achieve HIPAA compliance, healthcare organizations must be able to audit how many computers they have in their inventory, where they are assigned, who is logging into them, what software is installed and where the computer is physically located. However, recent studies show that most organizations are able to locate only 60% of their mobile computer assets. Internet-based, firmware-persistent IT asset management solutions such as Computrace can provide visibility into as much as 99.7% of a computer population - regardless of computer location.
3. Sensitive Information on Public Terminals
Many healthcare facilities allow public information to be accessed on open-air terminals, such as nursing stations, public information terminals and help stations. These workstations are at great risk of data breaches and information can be easily accessed and downloaded. Unattended stationary computers should always be monitored and protected with an authentication prompt.
4. Difficulty Implementing a Comprehensive Data Security Plan
Healthcare facilities need to institute a comprehensive data security plan to secure computing assets and sensitive information. Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords. The plan needs to be reviewed and updated consistently to ensure maximum effectiveness.
5. Reluctance to Create a Data Breach Policy
Few healthcare facilities have 'nightmare scenario' policies in place should a data breach occur. In the event of a data breach, there should be a standard procedure in place for timely notification of supervisors, law enforcement, patients and the media. In a data breach situation, computer theft recovery software solutions such as Computrace have the capability to remotely delete sensitive files, track lost or stolen computers and partner with local law enforcement to recover them.
SecurityInfoWatch.com recently addressed some of these topics in our SIW Radio podcast series. See Episode 23: Mobile Device Security for IT security consultant Kevin Beaver's analysis of common problems plaguing mobile devices in the corporate setting.
