The assumption that patient data is secure was already wrong back in the day when paper charts and file cabinets were used,” says Rainer Enders of NCP engineering, a provider of remote access virtual private networks. “Anyone with access (legitimate or not) to the file cabinet was able to look at patients’ files. Today, we have a plethora of patient information spread out through provider networks, insurance companies and anyone else who is working with patient health information. So, if anything, it has gotten more complex and more difficult to guarantee security.” That’s the bad news.

The good news is that “security and compliance is a journey and not a destination, not a one-time thing but an ongoing process,” says Anupam Sahai, president of eGestalt Technologies, a provider of cloud-based HIPAA/HITECH compliance tools. While violation and loss of patient data on USB sticks and hard drives receives a lot of coverage, monitoring staff who have almost unrestricted access to patient data is just as worrisome and problematic.

While “data tsunamis” have become more frequent, sophisticated and even financially damaging, there are precautions you can take, according to Kevin P. Kalinich of Aon Professional Risk Solutions. They include developing privacy procedures, train, update, and monitor these policies; and control software and hardware including laptops, PDAs and other mobile devices.

Because healthcare breaches often occur from improper handling of patient data – lost records or unencrypted files – and not as the result of a targeted attack or hack -- there are steps that can help ensure the proper handling of electronic patient data, says David Finn, health IT officer for Symantec. He calls these the “5 rights of data administration,” including the right time (patient information should be available whenever doctors, nurses and staff need it); the right route (users need to be able to access devices and block outsider access); the right person (only authorized individuals can view confidential information); the right data (prevent accidental corruption or unauthorized tampering); and the right use (only the minimum necessary information is provided.)

As cloud-based platforms change healthcare, particularly for small practice physicians who are running their own small businesses, Sahai of eGestalt Technologies advises doctors to get comfortable using cloud-based services because they are here to stay. “Most physician offices have little to no in-house IT personnel, while big cloud providers are spending enormously on security. It’s a safe bet that their services are more secure than business-based security. Don’t take their word for it though, a cloud provider ought to show its investment in security from a protection and monitoring perspective.”

Finally, whatever technology you use needs to be able to do policy changes on-the-fly. Since staff roles change all of the time; there is typically a delay in users that are no longer part of the workforce. “This can be a significant security hole if their credentials are not de-provisioned appropriately,” Enders says.