Hospitals seek to protect patient data

Systems watched and improved to prevent security breaches

Invoices sent to 560 St. John’s Episcopal Hospital patients in July revealed their Social Security numbers in the window of the envelopes, a mistake officials said was made by a vendor.
“A patient’s wife noticed it, we contacted the vendor and it was corrected immediately,” said St. John’s CEO Richard Brown. “We have a zero tolerance policy relative to that.”
To ensure that patients were not harmed, the hospital notified the office of Civil Rights, as required by law, set up a credit monitoring system at no cost to the patients and a help line to advise them. Several patients did call and officials allayed their fears, said Francine Nigrello, the hospital’s chief compliance and privacy officer.
While that could be considered an old-fashioned information security breach, there is the very real possibility of a data breach caused by a computer glitch or a system being hacked into, as happened with Target last year and currently with Home Depot. Both breaches affected information related to customer debit and credit cards.
According to Brown, St. John’s is very aware of those types of breaches as well and takes precautions with electronic information too. “We have an electronic health privacy officer, send out anti-viral privacy notifications and conduct audits every three months,” he said.

Health information technology, electronic health records and protected health information are heavily regulated by federal and state laws, said Janine Logan, the director of Communications for the Nassau-Suffolk Hospital Council, an organization that advocates for legislation and regulation on behalf of hospitals and their patients.
“There are stiff financial penalties for privacy breaches and hospitals take every precaution to ensure privacy and compliance with the law,” Logan said. “On Long Island, I know hospitals have invested millions to ensure their data systems are secure and upgrades to these systems are ongoing, as is training.”
At Mercy Medical Center in Rockville Centre, the hospital’s data security program is under the authority of the information technology security group of Catholic Health Services (CHS) of Long Island, with which Mercy is associated. “[We] have implemented a multi-layered security program designed to effectively mitigate the risk of a data breach,” said Pat Darienzo, CHS’s chief information security officer.
Darienzo said the security program comprises three parts: governance, technology and education. Governance includes an extensive set of formalized policies and procedures that define the requirements for system access, appropriate use, password management and reporting incidents.
Hardware and software are used to enforce and monitor system use and uncover potentially harmful activities, Darienzo said. Along with firewalls, anti-virus software and a secure email system, encryption is used on all personal computers and laptops as well as securing file transfers and remote connections. System users undergo privacy and security focused training.
“[It] helps them understand the expectations of them as system users, reminds them of the importance of protecting the data, and prepares them to recognize situations where data could be compromised,” Darienzo said.
External companies conduct several assessments annually to test and monitor the system’s effectiveness, adherence to policies and compliance with regulatory requirements, he said. “The results of these assessments help to identify areas where controls could be strengthened, provide guidance in addressing new threats and determine where budget dollars would be most effectively spent,” Darienzo said.
Should a data security breach occur, measures would be taken to reconfigure, improve or replace what failed, and the overall technical solution would be re-evaluated to help ensure the system could effectively respond to what he called “new and constantly evolving threats.”
“Credit monitoring would be provided to any individual whose information was breached,” Darienzo said. “In the event of a successful breach caused by an outside agent, such as hackers gaining access to the network, once the breach was contained, CHSLI would work closely with law enforcement to identify and prosecute the responsible parties.”