Health plan privacy and security officers interviewed by HPW say that while no information-protection system is totally foolproof, there are certain key steps plans can take to significantly reduce the risk of data being lost, stolen or inappropriately viewed. And they agree that in most cases, the problem is internal mistakes and carelessness rather than threats from hackers.
"Typically the weak link is not some exotic hacker," Craig Shumard, CIGNA Corp.'s chief information security officer, tells HPW. "In many cases, it's an employee or third-party outsourcer who just didn't consider the security implications of what they were doing."
Among the weak links cited by privacy and security officers:
- Overlooking the importance of a culture that values information protection;
- Sending PHI or other sensitive data by unsecured channels;
- Using laptops with unencrypted hard drives; and
- Not monitoring an outside vendor's privacy and security procedures.
These weak links can be addressed by the right blend of administrative practices and technology safeguards. "The most important step you can take is arming your employees with the technology and the knowledge they need to protect this information," says Mike Elinski, associate vice president for technology and e-business development at Michigan-based Health Alliance Plan. "Doing this puts you and your customers in the best possible position."
Common sense also helps.