FTC lawyer: Multi-layered data security essential in healthcare

May 17, 2010 — 12:36pm ET | By Neil Versel

Tools

Tags
data security
Health Insurance Portability and Accountability Act (HIPAA)
identity theft
CVS Caremark
peer-to-peer
Federal Trade Commission
User Authentication

Want to safeguard health information against the growing specter of identity theft? Try a strategy of "defensive depth," such as two-factor authentication and other multi-layered security policies, a government attorney recommends.

"Relying on one defense is problematic," Alain Sheer, a lawyer from the Federal Trade Commission's Division of Privacy and Identity Protection, said at the Safeguarding Health Information: Building Assurance Through HIPAA Security conference in Washington, D.C., last week, Health Data Management reports. For example, a weak authentication system could invite a hacker to find the decryption key and access encrypted data.

Sometimes, good, old common sense comes into play. Sheer told of how the FTC and HHS sanctioned CVS Caremark for improperly telling the public that the pharmacy chain would safeguard patient information. In reality, according to Sheer, CVS employees were disposing of paper pharmacy records--complete with patient identifiers and credit/debit card numbers--in public trash receptacles.

It's also a good idea for healthcare organizations to block peer-to-peer file sharing, Sheer said. An FTC investigation turned up sensitive personal data on more than 100 publicly accessible file-sharing sites. "We found health information, drivers' licenses, financial information and Social Security numbers, among other information," Sheer said.

For more details:
- read this Health Data Management story

Post a comment

SHARE WITH: