In Health Care, Data Security is Everyone’s Business

If you have a home computer, laptop, tablet, or smart phone, you’ve probably experienced this panic-inspiring scenario at least once: your device has crashed and everything on it is gone, including contact lists, calendars, family photos, favorite tunes, and saved emails. Even if you’ve backed up diligently, you’re temporarily unable to access or retrieve the data you need right in this moment, and you’re faced with the daunting task of restoring it all as soon as possible.

It’s not a good feeling, is it? Now imagine how a health care organization might be affected by such a calamity.

Disaster recovery planning is essential

From an information technology standpoint, we can define a “disaster” as any event that makes it impossible to maintain the flow of electronic or paper data that’s necessary for critical health care operations. Data may be completely destroyed or temporarily irretrievable – but in either case it can neither be accessed nor updated when needed. The events that can lead to data disruption can be lumped into three broad categories: natural disasters (floods, earthquakes, etc.), manmade disasters (vandalism, theft, computer hacking, terrorism), and technical disasters (power outages, phone line outages, operating system failure, hardware failure).

Because data is so crucial to health care organizations, which often must continue to provide care through catastrophic events like hurricanes, it’s no surprise that there are legal and accreditation requirements for emergency preparedness, as it relates to data. For example, HIPAA is best known for its patient privacy mandates, but also requires that every health care organization have a disaster recovery plan (DRP) in place to ensure that appropriate access to electronic data can be restored after a calamity.

To be in full compliance with HIPAA, a health care facility must do a formal risk analysis of all factors that may potentially threaten data security, including physical threats as well as technical failures. The IT department must then produce a DRP with policies and procedures that cover backup, storage, and recovery from the disastrous event and that adequately addresses all the risks identified in the analysis.

Other standards also exist. JCAHO requires accredited facilities to have an emergency plan in place that details how physicians and nurses will provide alternative standards of care in emergency situations, including the event that information systems are unavailable. The Accreditation Association for Ambulatory Health Care (AAAHC) has a similar requirement.

Maintaining data security is an ongoing process

While system management, data backup, and physical safeguards are the IT department’s responsibility, there are two simple building blocks of data security that all nurses should be aware of:

  • Privacy – protecting data from unauthorized access
  • Preservation – protecting data from tampering or destruction

Nurses contribute to these aspects of data security by always adhering to procedures that govern log-in/log-out, user authentication, and changing passwords at regular intervals – even when they seem inconvenient. For instance, let’s say you’re logged in to a workstation to access your patient’s chart and are called away from the desk temporarily. If you don’t take the time to log out, you create an opportunity for sensitive data to be accessed, viewed, or altered – possibly putting your hospital in violation of HIPAA regulations. Likewise, ignoring protocols for securing portable devices like laptops or tablets can be especially disastrous.

Nurse managers may also be called upon by IT staff to help keep data secure within their units – for example, by assisting in developing “need to know” protocols that keep users from accessing levels of data not relevant to their jobs, or by immediately reporting a system alert that indicates an attempt at unauthorized access. Interestingly enough, the FBI’s Computer Crimes Unit reports that most acts of vandalism to data are not performed by external hackers, but by disgruntled or recently terminated employees. To prevent these internal threats, prepare for the worst – when an employee leaves, work with the IT department to suspend user accounts immediately, and change any passwords that are shared by a group of people.
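The three controls described above – logging out (or being logged out) when a workstation is left idle, “need to know” limits on which chart data a role can view, and immediate suspension of a departing employee’s account – can be expressed as a small access check that also records every denial so an unauthorized attempt can be reported. The following is an added example, not code from the article or from any real clinical system; the roles, data categories, usernames, five-minute timeout and integer clock are all constructed for illustration.

```python
# Added example (not from the article): a minimal need-to-know check for
# patient chart data, with the idle log-out and account-suspension rules
# the text describes. Roles, permissions, users and the timeout value are
# constructed for illustration, not taken from any real clinical system.
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 300  # constructed value: 5 minutes of inactivity

# Categories of chart data each role legitimately needs (constructed)
ROLE_PERMISSIONS = {
    "nurse": {"vitals", "medications", "care_plan"},
    "billing": {"insurance", "charges"},
    "it_admin": set(),  # manages accounts; does not read charts
}


@dataclass
class Account:
    username: str
    role: str
    active: bool = True


@dataclass
class Session:
    account: Account
    last_activity: int  # seconds on a constructed clock, not real timestamps


@dataclass
class AccessLog:
    events: list = field(default_factory=list)


def check_access(session, category, now, log):
    """Return True if the session may view `category`; record every denial."""
    acct = session.account
    if not acct.active:
        log.events.append(("DENY_SUSPENDED", acct.username, category))
        return False
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        # Walked away from the workstation: treat the session as logged out
        log.events.append(("DENY_IDLE", acct.username, category))
        return False
    if category not in ROLE_PERMISSIONS.get(acct.role, set()):
        # Data outside the user's job: the "need to know" rule
        log.events.append(("DENY_NEED_TO_KNOW", acct.username, category))
        return False
    session.last_activity = now
    log.events.append(("ALLOW", acct.username, category))
    return True


def suspend(account, log):
    """Disable an account the moment an employee leaves."""
    account.active = False
    log.events.append(("SUSPENDED", account.username, ""))


def alerts(log):
    """Denials a nurse manager should report: attempts outside the user's
    role, or on an account that has already been suspended."""
    return [e for e in log.events
            if e[0] in ("DENY_SUSPENDED", "DENY_NEED_TO_KNOW")]


def run_demo():
    """Walk through the article's scenarios; returns the alert event tags."""
    log = AccessLog()
    nurse = Account("rn_example", "nurse")      # constructed user
    session = Session(nurse, last_activity=0)
    check_access(session, "vitals", 60, log)        # allowed, within role
    check_access(session, "insurance", 120, log)    # denied: not need-to-know
    check_access(session, "vitals", 900, log)       # denied: idle > 5 min
    suspend(nurse, log)                             # employee leaves
    check_access(session, "vitals", 960, log)       # denied: suspended
    return [e[0] for e in alerts(log)]


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

The idle denial is deliberately not treated as a reportable alert: it is the expected result of walking away from a workstation, whereas a request for data outside a user’s role, or any activity on an account that has already been suspended, is exactly the kind of event the article says should be reported to IT right away.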

If you’re interested in technology and information systems, why not consider specializing in nursing informatics? The Agency for Healthcare Quality and Research reports that the industry is in need of nurses who can analyze technologies from both the bedside and IT perspectives. An online MSN degree in nursing informatics from American Sentinel University is the perfect way to improve your knowledge, skills, and value to your organization.

American Sentinel University is an innovative, accredited provider of online nursing degrees, including programs that prepare nurses for a specialty in case management, infection control, and executive leadership.