GHP October 2015

63% of US Healthcare Organisations Failing to Adequately Identify Individual User Access to Patient Data

Concurrent logins, manual logoffs, password sharing and the lack of unique logins are putting patient records at risk, new research has revealed.

A report by security software provider IS Decisions found that, despite HIPAA's security rules imposing restricted access to electronic patient health information, 63% of healthcare staff are still able to log on to different devices and workstations concurrently, 49% are required to log off manually, and 30% do not have unique logins.

The report, 'Healthcare: data access compliance', highlights several issues that have a direct effect on the security of information within the healthcare industry. Access to personal data can be life-dependent, but there has to be a reliable access management procedure and system in place.

According to the report, 82% have access to patient data, which is worrying considering that 30% do not have unique logins for this access, making proper user identification impossible. A surprising 37% are restricted from concurrent access, a requirement given that attribution is difficult when users can be logged in from multiple devices and locations.

Derek Brink, vice president and research fellow at Aberdeen Group, said: "This guide is an excellent example of how to simplify compliance. It describes a set of basic security practices for healthcare organisations that will help safeguard sensitive patient data, and satisfy an array of compliance requirements from the Health Insurance Portability and Accountability Act (HIPAA)."

The report also details security training, both for on-boarding new employees and for those who have settled into their jobs. It showed that 29% of healthcare professionals did not receive any security training when they were employed, and only 55% of existing employees received IT security training.

The figures around access, logins and password sharing, as well as those on IT security training, show the need to, firstly, implement a good access management system and, secondly, train staff to raise awareness and build accountability.

David Childers, fellow at Open Compliance & Ethics Group (OCEG), said: "70% of data losses in healthcare are caused by human error. Both Ponemon and Experian in their latest reports regarding data breach and protection challenged healthcare organisations to 'step up' their security posture. Not only did these studies cite the increase in breach event activity but noted the likely rise in legal and regulatory scrutiny that will come in 2016."

Francois Amigorena, CEO of IS Decisions, commented: "Unlike an office where employees have designated computers and workstations, doctors and nurses are always on the go, moving from operating theatres to patient rooms and so on. Healthcare organizations need to protect the patient's right to privacy while ensuring healthcare professionals get the necessary access to provide the best treatment for their patients.

"Information of this critical and confidential nature should only be accessible by authorized users and it really should not be a complicated process. This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing."

Just 37% of healthcare employees are restricted from logging on to multiple devices concurrently, while 30% do not even have a unique login ID.