Healthcare data has become a growing target for hackers in recent years, according to cybersecurity workers.
Electronic health records, as reported, command a high price in the black market, claimed to be even more than the worth of financial data.
Unfortunately, there are several ways for health records to be compromised aside from the deliberate threats posed by malicious elements.
A lost laptop, for instance, can expose sensitive information and cause harm if they fall into the wrong hands.
Health records fall under sensitive personal information according to the Data Privacy Act of 2012. Tougher rules for processing apply to this category.
One major source of health data can be employee records. Employers have legitimate interest in the health of their employees.
This is the reason why applicants are asked to undergo medical examinations during the hiring process and why there are annual physical examinations.
However, having a legitimate interest in an employee’s health does not translate to unmitigated access to their medical records.
Neither does it authorise the disclosure of their medical condition to an entire organisation.
The exposure of one’s health status may lead to them being the subject of discrimination, extreme prejudice, and, in some cases, even identity fraud.
A plethora of ways to protect the health records of employees was given. Data minimisation is the first. It entails collecting data only when it is needed, such as when processing healthcare information is required by law.
Questions rise whether full access to an employee’s health record is acceptable, especially if they get sick or hospitalised.
It was raised that a medical certificate expressing that the person is fit to work should suffice.
Access restriction is another way to protect an employee’s health records. Restrict access to only those who have direct use for the information.
Within an organisation, it is the human resources department that is tasked to collect this information. As a primary layer of protection, only a limited number of personnel should have access to such records.
To further, only those whose jobs require or depend on such access should be allowed to do so.
If ever these records will be shared with other offices, the accessing party must have a legitimate reason to do so.
More importantly, there must be strict guidelines governing such sharing arrangements.
Physical and Technical security measures is the third recommendation. A secure storage space for physical employee medical records should be provided.
Moreover, electronic copies of these health records must be secured by putting encryption methods in place.
But more than all of those aforementioned, a regulation that prescribes the proper handling of health records still offers the most effective type of data protection.
A proper review and the subsequent approval by the National Privacy Commission on a policy like that could potentially address all the issues raised.