IT security remains a key issue as companies continue to evolve their electronic healthcare systems in order to comply with the HITECH Act of 2009. In fact, if a data breach occurs and more than 500 patients are affected as a result, the provider must notify the Department of Health and Human Services and becomes subject to fines of up to $1.5 million. Below are 10 tips for preventing a healthcare data breach.
1. Conduct a Risk Assessment
Stage One of the CMS meaningful use incentive program requires all providers to conduct a risk assessment of their IT systems. This is in accordance with the HIPAA Privacy and Security Rules that govern the transmission of all electronic patient information. The risk assessment forces providers to review security policies, identify threats and uncover vulnerabilities within the system. This is something healthcare companies should already be doing, but surprisingly, many do not. With compliance and security a huge concern in today's business world, this should be a priority.
2. Provide Continued HIPAA Education to Employees
Educate and re-educate employees on current HIPAA rules and regulations. Furthermore, review and share state regulations involving the privacy of patient information. If employees are in the know and reminded of the implications of data breaches, the risk of a violation can be drastically reduced. Plus, with the volume of new spyware and viruses being created, there is always something new to learn.
3. Monitor Devices and Records
Remind employees to be watchful of electronic devices and/or paper records left unattended. More often than not, data breaches occur due to theft of these items from a home, office or vehicle. While it is IT's job to safeguard patient information, employees should be reminded to do their part in keeping data safe as well. Always lock your device, whether it is a laptop, desktop or phone, and protect it with a password. You should also enable Multi-Factor Authentication whenever possible.
4. Encrypt Data & Hardware
Encryption technology is key to avoiding data breaches. While HIPAA does not require data to be encrypted, it also does not consider the loss of encrypted data a breach. Encryption is therefore strongly advised, and you should encrypt patient information both at rest and in transit to avoid potential penalties. Furthermore, protect hardware such as servers, network endpoints, mobile devices and medical devices, as these items are also vulnerable.
5. Subnet Wireless Networks
Ensure that networks made available for public use cannot reach private patient information. One way of achieving this is to create sub-networks dedicated to guest activity and keep them separate from more secure networks for medical devices and applications that transmit and carry sensitive patient information.
6. Manage Identity and Access Stringently
With so many members of the healthcare system frequently accessing patient information, for a multitude of different reasons, it is important to carefully manage the identity of users. For instance, make sure users at each level are only granted access to information pertinent to their position, and that log-on/log-off procedures are easy on shared machines. Automating this process helps create a "paper trail" and ensures efficiency and safety for all involved.
7. Develop a Strict BYOD Policy
BYOD (Bring Your Own Device) policies should be airtight and follow the same security guidelines outlined above. By deploying measures such as an enterprise mobility and security suite, you can ensure each device is secured.
8. Examine Service-Level Agreements Carefully
If you are considering moving patient information and data to the cloud, make sure you understand the Service-Level Agreement (SLA) with your potential Cloud Service Provider (CSP). Specifically, ensure that you, not the CSP, own the data and that it can be accessed reliably, securely and, most importantly, in a timely manner (in the event of a crash). Also, verify that the SLA complies with HIPAA and state privacy laws.
9. Hold Business Associates Accountable for IT Security Policies
It is imperative to update business associate agreements to reflect evolving federal and state privacy regulations. Healthcare organizations often have hundreds or even thousands of vendors with access to patient data. In the event of a breach, the healthcare provider is ultimately responsible. Therefore, hold business associates (BAs) accountable for providing security and risk assessments, and develop processes for reporting breaches.
10. Establish a Good Legal Counsel
In the event of a data breach, your organization will be investigated and most likely fined by the Office for Civil Rights. Lawsuits from patients will also ensue, so be sure to be prepared from a legal standpoint. Compliance is key, so do not follow advice to withhold known information about the breach.
To learn how Managed Solution can help you prevent a data breach and improve your overall IT security, contact us today.