返回列表 发表时间:2021-09-11    浏览次数:713

医疗保健数据安全威胁风险的背景调查类型

16 多年前,《健康保险流通与责任法案》(HIPAA) 颁布了保护医疗数据隐私和安全的条款,此后还通过了其他法规和指导方针。

因此,最近一份关于医疗保健行业的2012 年 Kroll 咨询解决方案报告认为,提高数据安全合规性标准并不一定会提高受保护信息的安全性,这可能会让人感到意外

在 Kroll 报告中,79% 的调查受访者表示安全漏洞是由员工实施的,18% 的受访者在过去 12 个月内遇到过安全漏洞,将第三方列为根本原因。

医疗保健信息和管理系统协会 (HIMSS) 隐私和安全高级主管 Lisa Gallagher 在报告的新闻稿中表示,“医疗保健组织需要确保其业务伙伴采取一切预防措施来保护这些信息。我们知道,大多数安全漏洞通常是员工采取行动的结果,因此背景调查、员工培训以及对政策和程序的持续监控是所有涵盖实体应确保其业务伙伴采取的步骤。”

组织应考虑对员工和临时工(例如,供应商、承包商、顾问、临时工和志愿者)进行哪些类型的背景调查,以降低个人有意或无意实施数据泄露的风险?

以下是您可能需要考虑添加到当前筛查计划中的五项背景调查:

  1. 身份验证
    验证个人身份是背景筛查计划的重要组成部分。个人可能会提供无效的社会安全号码或政府身份证来隐藏犯罪记录、不良信用甚至非法移民身份。


    您可以通过执行 SSN 验证来检查一个人在美国的社会安全号码 (SSN)。SSN 验证有助于使用社会保障管理局 (SSA) 提供的信息和号码分配方法来识别无效的 SSN。SSN 验证可以对 2011 年 6 月 25 日之前签发的任何 SSN 进行,并确定签发年份和状态,并检查 SSA 死亡指数以帮助检测异常情况。

    如果此人居住在美国境外,您可以通过对照与该号码相关联的姓名检查申请人提供的政府颁发的身份证号码来确定其是否与该个人的姓名匹配,从而验证申请人的身份信息。


  2. 犯罪历史检查
    您要做的最后一件事是雇用可能故意实施数据泄露的人员。犯罪历史检查审查可能阻止他们在某些医疗保健职位工作的个人潜在的负面犯罪历史。


    此检查在美国执行联邦或州法院(如适用)的搜索,这些法院通常包含轻罪和重罪,以识别与申请人有关的记录。


  3. 医疗保健制裁检查和监控
    当患者信息落入受到医疗制裁的第三方工作人员手中时,医疗保健公司可能面临严重且代价高昂的后果。组织应确认个人是否被制裁或排除在参与联邦和州医疗保健计划之外,或者组织可能会失去参与这些计划的能力并面临罚款和其他处罚。


    最佳做法是在欺诈和滥用控制信息系统 (FACIS®)(一个包含制裁、排除、禁止和纪律处分的当前和历史数据库)中进行医疗制裁检查,以获取有关个人的信息。而且,在某些州需要持续进行医疗保健制裁检查,而在其他州则是最佳实践。


  4. 成人虐待登记检查
    老年人和残疾成人被视为弱势群体,这使他们容易受到身体和语言虐待、忽视和剥削。雇用有虐待成人史的员工可能会危及患者。


    一些州设有成人虐待登记处,在雇用个人之前,医疗保健组织可以搜索该州的成人虐待登记处,以确定护理人员是否因虐待、忽视、剥削或盗用弱势成年人而被列入登记处。医疗保健雇主未能在需要时搜索成人虐待登记处可能会导致民事或刑事指控。

    成人虐待登记处检查适用的州登记处,以查找由州成人保护服务机构确定实施成人虐待的申请人的任何记录。


  5. 延长工人背景调查
    临时工或延长工人 包括第三方供应商、承包商、顾问、临时工,甚至志愿者。当个人与员工拥有相同的患者和患者数据访问权限时,医疗保健组织将其背景筛查计划扩展到其扩展劳动力才有意义。


    尽管依赖第三方供应商对其员工背景筛查的说法看起来更简单且成本更低,但背景信息可能不是最新的,筛查包可能不像医疗保健组织使用的那样彻底。

    如果您确实依赖供应商,请相信但要验证检查是否已执行。在 Kroll 报告中,不到一半的受访者 (44%) 不需要供应商提供员工背景调查的证明——这可能会造成安全漏洞。


  6. So, it may come as a surprise that a recent 2012 Kroll Advisory Solutions Report on the health care industry shared that increased compliance standards regarding data security hasn’t necessarily increased the safekeeping of protected information.

  7. In the Kroll Report, 79 percent of survey respondents reported that a security breach was perpetrated by an employee and 18 percent of respondents that experienced a breach in the past 12 months cited third-parties as the root cause.

  8. Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS) stated in the press release on the Report that “Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information. We know that most security breaches often are the result of actions taken by employees, so background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates.”

  9. What types of background checks should organizations consider performing on employees and contingent workers (e.g., vendors, contractors, consultants, temporary workers, and volunteers) to mitigate the risk of an individual either intentionally or unintentionally perpetrating a data breach?

  10. Here are five background checks that you might want to consider adding to your current screening program:

  11. Identity Verification
    Validating the identity of an individual is an important component of a background screening program. An individual may provide an invalid social security number or government identification card to hide a criminal history, bad credit, or even illegal immigration status.


    You can check a person’s Social Security Number (SSN) in the United States by performing SSN Validation. SSN Validation helps to identify an invalid SSN using an information and number assignment methodology from the Social Security Administration (SSA). SSN Validation can be done on any SSN issued before June 25, 2011, and identifies the year and state of issuance and checks the SSA Death Index to help detect anomalies.

    If the individual lives outside the United States, you may be able to authenticate an applicant’s identity information by checking the government issued identification number provided by the applicant against the name associated with that number to determine if it matches the individual’s name.


  12. Criminal History Check
    The last thing you want to do is to hire someone who would be likely to intentionally commit a data breach. A criminal history check reviews potential negative criminal history on individuals that may prevent them from working in certain health care positions.


    This check performs a search of federal or state courts, as applicable, in the U.S. that typically contain misdemeanor and felony offenses to identify records relating to an applicant.


  13. Health Care Sanction Check and Monitoring
    When patient information falls into the hands of a third-party worker with medical sanctions, a health care company may face serious and expensive consequences. Organizations should confirm if an individual has been sanctioned or excluded from participating in federal and state health care programs or the organization may lose the ability to participate in those programs and face fines and other penalties.


    A best practice is a health care sanction check searches the Fraud and Abuse Control Information System (FACIS®), a current and historical database of sanctions, exclusions, debarments and disciplinary actions, for information about an individual. And, performing a health care sanction check on an ongoing basis is required in certain states and a best practice in others.


  14. Adult Abuse Registry Check
    Seniors and adults with disabilities are considered vulnerable populations, which makes them susceptible to physical and verbal abuse, neglect, and exploitation. Hiring an employee with a history of committing adult abuse may endanger patients.


    Some states maintain an adult abuse registry, and prior to hiring an individual, health care organizations can search the state’s adult abuse registry to determine if a caregiver has been placed on a registry for abuse, neglect, exploitation, or misappropriation of a vulnerable adult.Failure by a health care employer to search an adult abuse registry when required may result in civil or criminal charges.

    An adult abuse registry check screens applicable state registries for any records of an applicant who has been identified by state adult protective services to have committed adult abuse.


  15. Extended Worker Background Check
    Contingent or extended workers include third-party vendors, contractors, consultants, temporary workers, and even volunteers. When an individual has the same access to patients and patient data as employees, it only makes sense for a health care organization to extend its background screening programto its extended workforce.


    Even though it can seem simpler and less costly to rely on a third-party vendor’s word about its own employee background screens, the background information may not be current and the screening package may not be as thorough as the ones that health care organizations use.

    If you do rely on the vendor, trust but verify that the checks were performed. In the Kroll Report less than half of respondents (44%) don’t require proof of employee background checks from their vendors – which could pose a security gap.


  16. 电子屏-05.png