By Julie Kirst, Chief Editor

In December 2012, the Healthcare Information and Management Systems Society (HIMSS) published its fifth security survey that aggregates the opinions of IT and security professionals regarding the tools and policies they use to secure electronic patient data. These professionals include those who have the responsibility of day-to-day security or are part of a team, as well as other IT members who hold various security responsibilities.

In this recent survey, more than 90% of respondents working for a hospital-based organization reported conducting a risk analysis, up from 75% of respondents in the 2008 survey. In addition, respondents in the current survey said they were more likely to conduct their risk analyses with increasing frequency. This escalation in attention to security represents benefits to hospitals and consumers alike.

According to the HIMSS report, the number of organizations reporting a case of medical identity theft in the past 5 years has decreased, from 20% in 2008 to 11% in 2012. Hospitals (18%) were more likely to report an instance of medical identity theft than were physician practices (6%).

This year, 25% of respondents reported that their organization sustained a security breach in the past year, and most of these breaches involved fewer than 500 patients. Nearly all of the respondents reported that patients were notified of the breach. Note that this says “nearly,” possibly meaning many patients do not even know they were compromised. HIMSS also notes that to date, 21 million US patients’ health records have been exposed to data breaches.

The comprehensive survey focuses on important electronic data protection, such as access to patient data, access tracking and audit logs, use of security in a networked environment, and medical identity theft. It also covers budgets, response plans to a breach, and technologies used to protect laptops, e-mail, servers, backup tapes, etc.

One “machine” not covered here, and one I do not hear discussed overall that is equally important in protecting patient data, is a copy machine. According to a CBS news report in 2010, almost all digital copy machines built after 2002 contain a hard drive, which makes them very much like a computer. The hard drive in a digital copier stores data from documents it copies, prints, scans, faxes, or e-mails.

How often have you arrived at a hospital or physician’s office appointment to have your medical ID copied? Social security numbers may not be on these items, but enough personal information is connected to them.

In discussing plans to institute safeguards to protect social security numbers and health information, the Bureau of Consumer Protection notes that according to the Federal Trade Commission (the US consumer protection agency), information security plans also should cover the digital copiers a company uses. If companies—including hospitals—do not take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed.

How does your hospital handle this? Is a copy machine part of your overall data security plan? Given the frequency of use for copying health information as well as scanning and e-mailing results to other physicians, copy machines can easily become outlets for HIPAA violations. Send me an e-mail and let me know how your organization handles this, and what steps it takes to secure this important information.

Julie Kirst is the chief editor of 24×7. Contact her via e-mail. February 2013 issue