Is it Time for a Security Audit

by Carol Jackson, RN, MSN and Teresa Numbers, RN, MSN

How would you feel if someone could obtain a copy of your lab results without your consent? How about a copy of your hospital bill? How about your social security number? Hospitals are required to protect all health care information, and under the HIPAA rules, we need to be attentive to this task. Wanting to get a benchmark – and in response to some of the HIPAA security regulations – hospitals have begun conducting internal security audits. This exercise can help an organization determine just how well (or poorly) they are performing in regard to protecting patient information.

To conduct a security audit, find a trusted individual unknown to any staff, and hire them to come into the hospital and attempt to obtain hardware, data, passwords, and patient information. Provide them with a map of the hospital and a pre-determined list of places to go, with assignments to complete at each stop. This person might need to impersonate a physician, intern, or IS employee. This is not an easy task, so select carefully. Imagine how hard it is to present an air of confidence when you aren’t familiar with your surroundings, or how people are going to respond to you.

Have legal counsel review your organization’s security policies and audit procedure prior to conducting an audit. To get a more complete picture of the security status, conduct several unannounced audits, rotating departments and shifts, using weekends and weekdays. Remember to be sensitive to unit activities and conditions, and ensure that patient care it not interfered with. Here are some sample indicators that can be used as a guide as you plan your audit.

1. Can an unidentified visitor obtain employee lab coat and/or hospital ID?
2. Is data readily available on vacant PC screen, vacant printer, or waste receptacle?
   
3. Is an unidentified visitor allowed to remove hardware (example: PC equipment) without being questioned or detained?
   
4. Is a telephone caller able to obtain a user logon ID and password? For example: “My name is Sue from IS and I’m working on your department’s system configurations and I need your login and password to check it.”
   
5. Is an unidentified visitor left alone while sitting at a terminal?
   
6. Can the unidentified visitor obtain access to system? Will fast talking enable this individual to obtain a password?
   
7. Can the unidentified visitor receive logon assistance?
   
8. Can an unidentified visitor obtain access to locked area (such as Marketing, or Stock Room)?
   
9. Can an unidentified visitor receive copy of patient bill?
   
10. Can a visitor receive access to a patient medical record?
    
11. Can a visitor receive copy of lab result?

 

Unfortunately it is very easy it for someone with dishonest intentions to come into a hospital and receive assistance in violating patient confidentiality. Have you been aware of staff sharing passwords? With just that key piece of knowledge, the potential exists for someone to access unlimited amounts of confidential information. Staff education and awareness is the first action in protection.

After an audit, if possible, share the audit results directly with individual caregivers, and acknowledge those that correctly followed hospital policy. Let staff know that they can question unidentified individuals. It is okay to ask someone who is unfamiliar to them for identification. It is okay to refuse to disclose information to an unauthorized individual, no matter what their title is. By following the security policies and guidelines, a facility can still maintain their mission of being helpful and caring and at the same time protect information. Some agencies have policies stating that a breach of confidentiality could, in extreme situations, result in an employee’s immediate termination. Review policies with your staff, go over the security audits, and specifically acknowledge when your staff demonstrates security conscious behaviors.

Remember that it could be your PC that comes up missing, or your test result that is compromised.

From 2001, Informatics Nurses From Ohio Newsletter 1(3), 1:3-4.

Created 2001