Blogs

I like to watch what is going on in relation to information management – who doesn’t right? In particular, since the healthcare industry is on the move to go digital with patient records, I like to watch and see what is happening. One of the things I watch is the U.S. Department of Health and Human Services (HHS) site and more specifically the page listing information breaches affecting more than 500 people. You see, in the same way the finance industry must notify you if they feel a breach has occurred related to your financial information, HHS mandates the healthcare industry do the same and HHS lists them. This is all done in accordance with section 13402(e)(4) of the HITECH Act.

Currently there are more than 400 incidents listed on this site. The breaches range in nature from unauthorized access to theft, not only in paper form but in digital as well. Theft of paper, laptops and even network servers are cited as being the cause listed for the breach. There are even incidents citing improper disposal of paper documents and X-Rays, unauthorized access by email and some that are unknown. (Though I am not exactly sure how they know something is missing from a computer and they do not know the type of breach.) Many of the thefts or losses cited are commonly a PC or other electronic device which is not listed but could be assumed that it might be a thumb drive or perhaps a mobile device such as a tablet or smartphone. The numbers of people impacted by this ranges from the minimum required to be posted of 500, to nearly 1 million in one of the instances cited.

In my view, this is a prime example of how organizations must move aggressively to protect information. Analysis is required from all angles not just a single perspective. Questions need to be asked like:

• Should information be stored on laptops, tablets, thumb drives, and smartphones?
• If so, what method of security or encryption will be used to protect the device?
• Are there capabilities to destroy the information through remote access, if stolen?
• Is this an opportunity to leverage thin client applications and the Cloud?
• Do we have adequate audit capabilities to monitor our environment?
• What about the human factor, have we considered that in the mix?

While I do not have all of the answers, as each of your situations is unique in some way, I do have a lot of questions and so should you. Take time to step back a look at the whole picture. Locking down a server is one thing. Protecting your information is a whole other game.

If you are ready to move forward and are finding yourself stuck or unfocused and are not sure where to begin or what to do next, seek professional assistance and/or training to get you started.

What say you? Do you have a story to tell? What are your thoughts on this topic? Do you have a topic of interest you would like discussed in this forum? Let me know.

Bob Larrivee, Director and Industry Advisor – AIIM

Email me: blarrivee@aiim.org   

Follow me on Twitter – BobLarrivee

www.aiim.org/training