There is no debate that the HITECH Act and the proliferation of electronic health records (EHRs) are prompting new concerns over the privacy of patient data. As the explosion of soft data unfolds across the industry, healthcare providers -- from both a regulatory and reputation standpoint -- are struggling to comply with the information security demands that customers, policymakers and regulators are placing on them.
To that end, providers, no matter how big or small, are feeling the heat. New legislation vastly expands current privacy and security protections for health information and places stringent breach notification requirements on insurers and providers alike. The new laws also demand that patients have increased control over what medical and personal data are disclosed and to whom, forcing hospitals and medical practices to manage information access control among their staff and visiting practitioners, employees, contractors, partners and potential hackers.
Even more daunting is the reality of regulator audits to ensure privacy practices are in compliance with the new laws. A failure to comply or adequately deal with a data breach can mean running afoul of regulators, potential business disruptions, long-term reputational harm or all of the above.
The Insider Threat
When it comes to protecting the privacy of patient data, professional hackers are undoubtedly a chief security concern among technology professionals; however, it should not be their only one. Healthcare companies must also focus key security resources on another potential threat: their own staff members. What many fail to realize is that most cyber-security threats against organizations involve insiders. Across the healthcare space, too many employees have access to sensitive information that they should not be privy to and the outcome can be catastrophic. Whether it's the result of human error or deliberate criminal activity, a majority of data security breaches result from the actions of one of your own.
Many data breaches are the result of internal staff members unwittingly acting as an accomplice to an internal or external threat. In many data breach cases, there is no malicious intent on the part of the employee even though they are the primary facilitator of the crime. Hackers realize that most employees lack the sophistication and understanding of computer systems and data sharing, and they leverage it to the fullest extent. As a result, they create strategies to trick employees into sharing private and sensitive information without ever knowing they are doing so.
For example, an employee in a hospital installs file sharing software on their work computer to listen to music, which the employee perceives as an innocuous activity. In reality, their actions provide an entry point for a hacker to compromise the security of the overall computer network. It is a seemingly innocent step taken by an employee who ultimately enables a cybercrime to take place.
Education Will Set You Free
The "unwitting accomplice" poses one of the greatest threats to protecting patient and organization data. There is no easy solution to this dilemma; hospitals and practices can't spend their way out of this problem and they can't flip a switch that will drop an iron curtain over the organization, shielding its assets from misuse.
Rather, healthcare organizations must deploy a layered approach that combines stringent access control with continuous education on data security for all employees. With access control, healthcare practitioners must be vigilant about establishing policies and procedures that limit, deny or allow access to information for all employees -- from temporary employees to the CEO of the company. These "rules" should provide an intuitive, auditable and enforceable framework for managing employee access to data and resources. If there is not a justifiable reason for an employee to gain access to certain data, the system should deny them access. Access control strategies must also include the ability to efficiently terminate access for former employees or consultants who are no longer working for the business.
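The access control properties described above (deny by default, an auditable record of every decision, and automatic cut-off of access for staff or contractors whose engagement has ended) can be sketched as a small policy decision point. This is an added illustration, not code from the article or from Fischer International; the roles, resources, users and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample policy: each role maps to the (resource, action) pairs it
# may use. Any pair not listed is denied, so the default is "deny".
ROLE_PERMISSIONS = {
    "attending_physician": {("phi_record", "read"), ("phi_record", "write")},
    "billing_clerk": {("billing_summary", "read")},
    "it_contractor": {("server_logs", "read")},
}

@dataclass
class Principal:
    user_id: str
    role: str
    active_until: Optional[date] = None  # None means no scheduled end of access

@dataclass
class AuditEntry:
    user_id: str
    resource: str
    action: str
    allowed: bool
    reason: str

class AccessControl:
    """Default-deny decision point that records every decision for auditing."""
    def __init__(self, today: date):
        self.today = today
        self.audit_log: List[AuditEntry] = []

    def decide(self, who: Principal, resource: str, action: str) -> bool:
        # Former staff or contractors past their end date lose all access,
        # regardless of role, before any role permission is consulted.
        if who.active_until is not None and who.active_until < self.today:
            return self._record(who, resource, action, False, "access expired")
        if (resource, action) in ROLE_PERMISSIONS.get(who.role, set()):
            return self._record(who, resource, action, True, f"role {who.role}")
        return self._record(who, resource, action, False, "no matching rule")

    def _record(self, who, resource, action, allowed, reason) -> bool:
        self.audit_log.append(AuditEntry(who.user_id, resource, action, allowed, reason))
        return allowed

def run_sample() -> List[AuditEntry]:
    """Run constructed requests through the policy and return the audit trail."""
    ac = AccessControl(today=date(2011, 3, 1))
    ac.decide(Principal("dr_lee", "attending_physician"), "phi_record", "read")
    ac.decide(Principal("j_smith", "billing_clerk"), "phi_record", "read")
    ac.decide(Principal("ctr_42", "it_contractor", date(2011, 1, 31)), "server_logs", "read")
    return ac.audit_log
```

The audit trail returned by `run_sample()` shows one permitted read by the physician and two denials: the clerk has no rule for PHI, and the contractor's access ended before the request.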
Organizations must educate their employees about the data security and access control policies, and help them to understand how their decisions and behavior play a critical role in defending the organization from data breaches. Today we are seeing this education in the form of memos, podcasts, regular e-mail announcements and highly visible User Policy guides that outline the dangers and consequences of hospital network breaches. Further -- and this is critical -- anybody who is responsible for the management, manipulation or administration of any data that is affected by regulation or compliance, such as protected health information (PHI), needs a more sophisticated level of education than the average user. It is crucial that every employee understand what is and what is not considered PHI, and that they know never to include PHI in e-mail correspondence or download it via mobile applications. Most importantly, employees need to understand the penalties for non-compliance, what constitutes misuse or mishandling of "protected" data and what types of activities violate the various compliance requirements.
When it comes to preventing data breaches, employees can be the best defense or the worst enemy. Healthcare organizations that embrace this notion will achieve better compliance and data security for their organizations. Perhaps most importantly, they will enable their companies to do what they do best: provide world-class patient care in a safe and secure environment.
Andrew Sroka is CEO of Fischer International.