Wall Street Journal: What’s a Company’s Biggest Security Risk? You.

On Monday, September 26, 2011, The Wall Street Journal published a full section on information security. Among its articles were the one named in the title above, “What to Do if You’ve Been Hacked,” “Health-Care Industry: Heal Thyself,” “Danger-to-Go,” “Heading Off Privacy Problems—Before They Arise,” and “You May Be Fighting the Wrong Security Battles.” These articles are a good resource both for someone new to HIPAA and HITECH Act security and privacy and for old-timers who need to keep up with the rapidly evolving threats to their health information.

The “Health-Care Industry: Heal Thyself” article alone is worth the price of The Wall Street Journal. It stresses many of the same things that I stress in my seminars and writings, including the following, among others:

  • Be proactive, not reactive. Studies show that security investments made after a breach are not nearly as effective in protecting against the next breach as proactive investments.
  • Take inventory. Monitor personal health information and other sensitive data to see how it is used, where it is stored, and how it flows throughout your organization and to others. This procedure is the second step in my risk analysis model.
  • Consider access. Who in your organization needs access and under what circumstances?
  • Make the technology easy to use. In other words, the security application cannot be so complicated that it causes worse problems. For example, if an application is too difficult to use, frustrated users will move sensitive data into convenient formats, such as their personal email accounts, Excel, and Word.
  • Educate the doctors. Doctors tend to believe that they are the ultimate arbiter of what happens within their sphere of influence. Thus, traditional security education—such as reminders to periodically change passwords or accept the new security patch—may not work with doctors. The article suggests that the key is training them in security hygiene in much the same way that they are taught to wash their hands between patients.

On September 26th, 2011, posted in: HIPAA Compliance Blog by