The researchers sought to explore the premise behind the security provisions of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act: that the threat of costly penalties for breaches will motivate healthcare organizations to use only systems and workflows that are breach-proof.
"What we found was that when organizations locked down services that are essential to that organization's workers efficiently performing their assigned duties, those same workers will often resort to alternative workflows that, in our opinion, actually increase the risk of a breach or [protected health information] loss by that same organization," said presenter Dr. Adina Haramati of Northwell Medical Center in New York City.
After considering the large number of data breaches worldwide and reviewing the technologies available for securing individual user data and enterprise systems, the researchers questioned the validity of the HITECH Act's punitive approach. To consider other options, they reviewed the European Union's recent General Data Protection Regulation (GDPR), which obligates any firm or organization collecting data about EU citizens to report a data breach to regulators within 72 hours of discovery or face fines.
From their analysis, the researchers offered a number of recommendations, including revising the HITECH Act to focus similarly on rapid reporting of a breach or suspected breach.
"The assumption needs to be that data breaches will continue to occur, even with the best intentions," Haramati told AuntMinnie.com. "Healthcare organizations have a responsibility to protect data, but the expectation cannot be that high penalties will prevent future data breaches."
What else do the researchers recommend? Attend this Tuesday afternoon talk to find out.
