With electronic health records becoming more common, many healthcare organizations are concerned with protecting the data in their patients’ medical records.
In 2009, organizations were required to list their names on a Department of Health and Human Services website if they had exposed the medical data of more than 500 people. An HHS spokesman said most of these losses were caused by theft of laptops or hard-copy records, but were usually preventable.
“It is important that the organization maintains all control, authority, ownership, and liability of the information that is related to PHI,” said McAfee CTO Dr. Eric Cole in Processor. “In many contracts, the data ownership is transferred but the liability is not.”
Cole said networks should be configured to segregate the systems that store sensitive data, and that the flow of information to and from those systems should be regulated more precisely.
Limiting the scope of PHI systems is another way to make implementing data protection measures manageable, he added.
“Many organizations try to make the entire organization compliant, which is too difficult,” Cole said. “In order to reduce the scope, organizations must have visibility into all systems and know all areas that contain PHI or related information.”
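The two points above, segregating PHI systems and knowing which hosts actually touch them, can be checked against observed traffic. The following is an added example written for this page, not code from Processor, McAfee or Eric Cole. It assumes a hypothetical zone inventory (which subnets are PHI zones), an allowlist of the only flows permitted to cross into or out of a PHI zone, and a constructed key=value flow log format; every subnet, address and port is invented for illustration. It classifies each flow as allowed, a violation, or out of scope, and lists the non-PHI hosts that were seen talking to PHI zones, which is the set that quietly expands compliance scope.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone inventory (constructed for this example): name -> subnet.
ZONES = {
    "phi-db":   ipaddress.ip_network("10.10.0.0/24"),
    "phi-app":  ipaddress.ip_network("10.20.0.0/24"),
    "user-lan": ipaddress.ip_network("10.100.0.0/16"),
    "mgmt":     ipaddress.ip_network("10.250.0.0/24"),
}
PHI_ZONES = {"phi-db", "phi-app"}

# Allowlist of (src_zone, dst_zone, proto, dst_port). Any other flow that
# touches a PHI zone, in either direction, is reported as a violation.
ALLOWED_FLOWS = {
    ("phi-app",  "phi-db",  "tcp", 5432),  # application tier to database
    ("user-lan", "phi-app", "tcp", 443),   # clinicians to the application
    ("mgmt",     "phi-db",  "tcp", 22),    # jump host administration
    ("mgmt",     "phi-app", "tcp", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name; addresses outside the inventory are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow_line(line: str) -> Flow:
    """Parse the constructed log format: 'src=A dst=B proto=P dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def evaluate(flow: Flow) -> str:
    """Return 'allowed', 'violation' or 'out-of-scope' for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone not in PHI_ZONES and dst_zone not in PHI_ZONES:
        return "out-of-scope"          # never touches PHI; not this policy's concern
    if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOWED_FLOWS:
        return "allowed"
    return "violation"                 # includes egress from a PHI zone to unknown hosts


def audit(lines):
    """Group parsed flows by verdict."""
    report = {"allowed": [], "violation": [], "out-of-scope": []}
    for line in lines:
        flow = parse_flow_line(line)
        report[evaluate(flow)].append(flow)
    return report


def phi_scope_creep(lines):
    """Hosts outside the PHI zones that exchanged traffic with a PHI zone.

    Allowed or not, each of these hosts is now inside the PHI compliance boundary.
    """
    hosts = set()
    for line in lines:
        flow = parse_flow_line(line)
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone in PHI_ZONES and dst_zone not in PHI_ZONES:
            hosts.add(flow.dst)
        elif dst_zone in PHI_ZONES and src_zone not in PHI_ZONES:
            hosts.add(flow.src)
    return hosts


# Constructed sample flow records, not real traffic.
SAMPLE_FLOWS = [
    "src=10.20.0.7 dst=10.10.0.5 proto=tcp dport=5432",    # app -> db: allowed
    "src=10.100.3.4 dst=10.10.0.5 proto=tcp dport=5432",   # workstation straight to db: violation
    "src=10.100.3.4 dst=10.20.0.7 proto=tcp dport=443",    # workstation -> app: allowed
    "src=10.10.0.5 dst=203.0.113.9 proto=tcp dport=443",   # db egress to unknown host: violation
    "src=10.100.8.8 dst=10.250.0.3 proto=tcp dport=22",    # no PHI zone involved: out of scope
    "src=10.250.0.3 dst=10.10.0.5 proto=tcp dport=22",     # jump host -> db: allowed
]

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for verdict, flows in result.items():
        for f in flows:
            print(f"{verdict:12} {f.src} -> {f.dst} {f.proto}/{f.dport}")
    print("hosts now inside PHI scope:", sorted(phi_scope_creep(SAMPLE_FLOWS)))
```

A default-deny allowlist keyed on zone rather than on individual addresses is what makes the check survive as hosts are added; the scope-creep list is the inventory the second quote asks for, since any host that appears there either needs to be brought under the PHI controls or have its path to the PHI zones removed.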