CSOonline: What would you say, for the medical community, are the top two or three things they should be doing to improve security?
Burgess: They should absolutely make sure that the digital environment that is hosting the patient data records is accessible to only those with a need to know, the concept of least privilege access. If I'm a doctor, I need to be able to access my patients' records. If I'm a nurse on a ward, I need to access my patients' records, but do I need to access all patients of that hospital? So you construct on the basis of least privilege access. Then you make sure that your data at rest is secure and that those who have access to that environment are also on the need to know with auditability and track records, so that you're able to tell who's touched the data, why, and when.
All of that's in place today with the requirements around HIPAA. So what you need to do is have security education and awareness for your population set: good common-sense everyday practices. You don't leave a patient record where a non-medical person can reach in and lift it. You don't put data on loading docks unsecured. You make sure that you have accountability when transiting data, and you can trust the service providers in the transportation industry. All of them have means by which to transmit and transport confidential data in a more secure manner. It just means a little more expense for the validation that the box or the envelope is not lost. Know who your service providers are, and know and understand that the level of service they are providing to you is equal to that which you expect in the protection of your patient data.