How to engage everyone to stop security gaffes in your organization

By John Ceraolo | October 6, 2018

Those working in the healthcare industry know that “universal precautions” refers to a set of protocols aimed at preventing infectious disease outbreaks in hospitals. And we know that they are everyone’s responsibility: from nurses to physicians to surgeons to the leadership team, every person must do his or her part to either implement or adhere to procedures that keep the hospital and its patients safe.

Why, then, when it comes to preventing data security breaches and outbreaks is it reasonable to expect the burden for an entire hospital or a multi-hospital health system to fall entirely on the shoulders of a one- or two-person data security team?

Instead, the philosophy for protecting hospitals’ sensitive data—whereby every employee becomes a data steward—can be applied internally as well, adding an extra level of assurance that their data is not being compromised.

Hospitals are increasingly operating on scarce resources and slim margins, and it’s unlikely that many hospitals will have a data security team of more than a few individuals. Often, these small data teams simply inform the rest of the hospital staff not to click on links, send documents or share identification in ways that might compromise data security, and then hope for the best. As a result, much of the work they do involves reactive efforts when a security breach occurs.

A more innovative approach is to have an open-door policy, where any hospital employee—from care providers to the leadership team—feels comfortable communicating with the data security team and feels empowered to ask questions or speak up if they notice a procedure or incident that could compromise data.

This empowerment comes from sharing concerns and best practices with all hospital employees and raising awareness. If a thousand employees give 1 percent in thought and effort to good data security practices every day, suddenly, even small hospitals have increased their security force by 1,000 percent.

Best practices for outbreak prevention
Hospitals can lower their risk for data security breaches by encouraging all staff members to adhere to certain best practices, including:

Voice your concerns. If you notice an email link that seems suspicious, if a physician asks you to email sensitive patient data, or if you see anything at all that seems odd from a data security standpoint, trust your intuition and speak up. Let your hospital employees know that the door of the data security department—even if that department is only one person—is always open.

Protect your credentials. Don’t write your passwords and credentials down, don’t share them with anyone for any reason, don’t leave them lying where others can read them, and don’t store them on your smartphone. Any behavior that enables someone else to perform an action while logged in under your name is a liability that puts you and the data at risk.

Be aware of your internet trail. Understand that the websites you visit, emails you open and links you click can have an impact far beyond your own computer or your own work. Know who emails are coming from before you take action and trust your own intuition.

Don’t move the data. Make sure you understand policies that relate to sending and receiving of patient data and other sensitive information. Often, physicians in a hurry may ask nurses or case workers to email records to a specialist, for example, to help coordinate patient care. But doing so without being mindful of HIPAA laws and other regulations can lead to legal trouble not just for the hospital, but for the individual who sent the records. Ignorance does not absolve one from culpability.

Data holds great power, and with great power comes great responsibility. With a little bit of thought, effort, and teamwork, hospitals can do the same within their own walls.

John Ceraolo

John Ceraolo is chief information security officer at Sentry Data Systems.
