Concurrent logins, manual logoffs, password sharing and the lack of unique logins are putting patient records at risk, new research from IS Decisions has revealed. Despite HIPAA’s security rules on imposing restricted access to electronic patient health information, 63% healthcare staff are still able to logon to different devices and workstations concurrently, 49% are required to manually logoff, and 30% do not have unique logins.
Access to personal data can be life-dependent but there has to be a reliable access management procedure and system in place. According to the report, 82% have access to patient data, which is worrying considering 30% do not have unique logins for this access, making proper user identification impossible.
A surprising 37% are restricted from concurrent access, a requirement given attribution is difficult when users can be logged in from multiple devices and locations.
Derek Brink, vice president and research fellow at Aberdeen Group, said: “This guide is an excellent example of how to simplify compliance. It describes a set of basic security practices for healthcare organisations that will help safeguard sensitive patient data, and satisfy an array of compliance requirements from the Health Insurance Portability and Accountability Act (HIPAA).”
The report also details security training, for both on-boarding new employees and those who have settled into their jobs. It showed that 29% of healthcare professionals did not receive any security training when they were employed and only 55% of existing employees received IT security training.
The figures around access, logins and password sharing as well as the IT security training shows the need to firstly, implement a good access management system and secondly train staff to raise awareness and build accountability.
David Childers, fellow at Open Compliance & Ethics Group (OCEG), said: “70% of data losses in healthcare are caused by human error. Both Ponemon and Experian in their latest reports regarding data breach and protection challenged healthcare organisations to ‘step up’ their security posture. Not only did these studies cite the increase in breach event activity but noted the likely rise in legal and regulatory scrutiny that will come in 2016.”
Francois Amigorena, CEO of IS Decisions commented, “Unlike an office where employees have designated computers and workstations, doctors and nurses are always on the go, moving from operating theatres to patient rooms and so on. Healthcare organizations need to protect the patient’s right to privacy while ensuring healthcare professionals get the necessary access to provide the best treatment for their patients.
“Information of this critical and confidential nature should only be accessible by authorized users and it really should not be a complicated process. This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing.”