Recently the American Hospital Association (AHA) and the College of Healthcare Information Management Executives (CHIME) released the results of their HealthCare’s Most Wired™ Survey, which showed that data security is among the most important concerns for hospitals.

With that in mind, Shae Walker, Director of Compliance for MDabstract, joins us to answer a few pressing data security questions.

MDabstract: So data security is a major concern for hospitals right now. What types of pitfalls must they really be aware of?

Shae: One of the biggest and most important is how to properly secure mobile devices such as laptops, cell phones and flash drives that may contain protected health information (PHI) or sensitive patient data. The mobile devices that contain this information are transported to numerous highly populated areas outside of our workplace as we go about our normal daily routines. If not secured properly, PHI could be breached very quickly.

MDabstract: You talk about the PHI that gets taken outside a hospital’s walls on these devices. What safeguards can hospitals put in place to avoid a breach?

Shae: Hospitals need to fully embrace and empower their organization’s IT department. With proper collaboration, a hospital can ensure that all mobile devices have encryption, that they require strong passwords that must be changed at least every 90 days, and that they are equipped with software that will allow the devices to be wiped remotely of all data in the event that they are lost, stolen, or sold, or if a person is no longer employed with the organization.

MDabstract: Recently St. Elizabeth’s Medical Center in Massachusetts was fined $218,400 by the OCR for data breaches, one of which involved a former employee’s laptop and flash drive being compromised. What advice can you offer to other healthcare organizations to help them avoid a similar situation?

Shae: Develop written privacy and security policies and procedures that outline the HIPAA and HITECH requirements, as well as the organization’s notification rules for reporting a potential breach. You should also provide educational tools and reminders for anyone who has access to PHI or sensitive information regarding the proper safeguards to use and the notification requirements for a suspected breach that have been implemented within your organization. Be sure to provide and post the contact information for your Privacy Official. Also, work with IT to develop a checklist of action items to deploy when employment is discontinued, such as disabling passwords, retrieving company-issued devices while checking for any signs of compromise, and launching software to wipe all mobile devices of PHI or sensitive information.

MDabstract: Thank you, Shae. One last question. Will you please share a little about MDabstract’s own security policy?

Shae: We have really worked to put a comprehensive plan in place that not only educates everyone on our security policy but also constantly monitors compliance. MDabstract strives to ensure that our team is constantly aware of the importance of patient privacy and security by performing the following for all team members, including management: conducting annual HIPAA review sessions, providing monthly compliance updates regarding privacy safeguards, providing compliance terminology resources, reviewing HHS organizational responsibilities, conducting a compliance analysis that each team member completes after accepting work for each new account (providing additional compliance and privacy coaching when necessary), and administering quarterly compliance quizzes.