“… It’s really not about patient data security,” Larry Ponemon, founder of the Ponemon Institute, told InformationWeek Healthcare. “Things aren’t getting better – they’re getting worse.” Since the beginning of 2010, Ponemon Institute has seen an increase of over 36% in data security threats to healthcare organizations.
“Almost every hospital [surveyed] suffered one data breach, and 45% suffered more than five over the past two years,” Ponemon cited. As technology advances the methods of data storage and transfer, the problem is expected to rise unless something is done to confront the problem.
Increase in electronic record keeping
An increase in electronic medical billing, the transfer of paper medical records to electronic files, and an increase in the number of organizations adopting ‘Bring Your Own Device’ have led to entirely new facets of data security that are rarely explored or researched by organizations.
It becomes extremely important to develop written policies and procedures that emphasize the importance of protecting both your organization and clients’ information. Recent changes to The Health Insurance Portability and Accountability Act (HIPAA) have increased the penalties to organizations that do not have proper written policies and procedures in place. The potential fines can be astronomical if an organization does not have written policies and procedures in place to abide by HIPAA law for storage and disposal of health information. Organizations should have plans for both the handling and disposal of confidential documents (especially following HIPAA destruction of medical records) and what to do in the event of a potential breach.
Third-Party Vendors and NAID Certification
The speed of change in the data storage world creates unique challenges and problems when it comes to data handling and data destruction. Third-party vendors that specialize in data disposal and destruction have the tools and knowledge to assess threats and weaknesses and are able to properly develop a plan of action for your organization. Third-party vendors with a AAA Certification from the National Association for Information Destruction (NAID) are specially equipped to assist in the development of policies and procedures as well as the destruction and shredding of sensitive information.
The Process
The emphasis, all too often, is placed on the end result, the actual shredding and disposal of the information. What organizations need to realize is that it is just important to create policies and procedures that dictate how media travels from its useful life, to storage, to transport for destruction, and finally, destruction, as well as who can authorize termination.
This not only protects you and your organization but also your customers and clients. Your policies and procedures become valuable by mitigating data breach risks, fines, and also can become a useful sales tool to draw in and retain customers.
To find out more about developing and implementing data destruction policies and procedures, please read our DataShield compliance page.