According to research published in 2016 by the Ponemon Institute, criminal attacks have increased by 125% since 2010 and are now the leading cause of healthcare data breaches. What’s more, healthcare organizations are largely unprepared to protect patient data against an ever-changing landscape of security threats.
To adequately protect data from cybercriminals, healthcare organizations and business associates must implement robust security measures against an increasing number and variety of threats. Vulnerabilities in wireless networks, for instance, offer an easy entry point for attackers, yet these networks are critically important to healthcare organizations because they make patient information easier to access and help optimize the delivery of care.
The safe handling of patient records is a priority in healthcare, especially when you consider the regulations set by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA violations can lead to civil and criminal penalties against your business. To avoid these issues and run a secure medical practice, take a look at some common data security measures you should be implementing:
Train Your Employees
An IBM study found that 95% of data breaches are caused by employee mistakes. These mistakes include falling victim to a phishing or ransomware attack, losing a laptop or smartphone, or sending patient information to the wrong recipient. Employees need security awareness training to help prevent mistakes that can lead to data breaches.
- Your office staff is usually the front line for patient interactions and record maintenance. Keeping an open line of communication and developing policies regarding their roles in safeguarding patient data is essential.
- Employees should understand the hazards of downloading unauthorized software and should always stay away from unknown email links, which can spread malware. Encourage your staff to speak up if they receive suspicious emails, even when they are familiar with the sender.
- Also, ensure that your staff meets certain requirements, such as only using company-provided computers or tablets.
- Training on your data security software will help your staff identify risks and learn how to avoid them. Putting time and effort into a training procedure will help your staff understand the value of protecting patient data and securing their workplace.
Creating a Layered Defense
A common misconception is that a single line of defense is sufficient to protect your valuable data. However, the best approach is one where several systems are in place to stop a hacking or catastrophic event. This idea applies to practices of any size, regardless of whether you have one computer or a practice with several devices and users.
- The core of this concept starts with making sure that the software you use daily is up to date. Keeping your software current should apply to both desktops and mobile devices, since older versions of software are more exposed to attack.
- Cloud-based software makes things easier by automatically pushing out important updates and reducing the amount of IT infrastructure needed at your practice.
- Improving the sophistication of your firewalls, anti-malware measures, and encryption is another step toward keeping your practice safe.
Use Strong Passwords
Passwords are the key to networks, patient information, online banking, and social media. Password best practices include:
- Make the password at least 8 characters long; the longer, the better, since longer passwords are harder for thieves to crack. Consider using passphrases, and include numbers, capital letters, and symbols.
- Don’t use dictionary words. If it’s in the dictionary, there is a chance someone will guess it. Criminals even use software that tries every word in a dictionary.
- Change passwords. Passwords should be changed every 60 to 90 days.
- Don’t post it in plain sight. This might seem obvious, but studies have found that a lot of people post their password on their monitor with a sticky note.
- Consider using a password manager. These programs or web services let you create a different, very strong password for each of your accounts while you remember only the one password that unlocks the manager that stores them for you.
- Consider using multi-factor authentication. Set up multi-factor authentication that requires a code displayed on your phone. This way attackers cannot access an account without physical access to your phone.
Insider Threats
While cybercriminals and external threats should be cause for concern, insider threats are a leading cause of HIPAA data breaches. Insider threats include employees or contractors who snoop on or access patient information without authorization. Snooping on patient records may be malicious or simply done out of curiosity, but either way, this unauthorized access is considered a HIPAA data breach. To reduce the chance of insider threats, follow these steps:
- Minimize the amount of access that an employee or contractor has. These individuals should only have the minimum access needed to perform their job function.
- Periodically review the level of access for each of your employees and contractors.
- Ensure that system auditing is in place. System auditing records who accessed patient information, when it was accessed and what patient information was accessed.
- Periodically review system audit logs to look for red flags that might suggest unauthorized access by an employee or contractor. Without a review of system audit logs, you are blind to what your employees may be doing.
- Ensure that employees know that system auditing is in place and that it is periodically reviewed. This might deter an employee or contractor from malicious activity.
Encryption
Lost laptops, smartphones and USB drives continue to cause HIPAA data breaches. Many practices don’t realize how much patient information is on mobile devices. Patient information could be in emails, spreadsheets, documents, PDF files, and scanned images. The best way to protect sensitive patient information is to use encryption. Encryption is a “safe harbor” under the HIPAA Security Rule. This means that if a mobile device is lost or stolen and the data is encrypted, the incident would not result in a reportable breach, and patients would not need to be notified.
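As an added illustration of the audit-log review step above (this is example code, not part of the original article or any EHR product), the script below scans a constructed access log for three common red flags: access to a patient the user has no documented treatment relationship with, after-hours access, and an unusually high number of distinct patients in one day. The log format, the `ASSIGNMENTS` mapping, and the working-hour and volume thresholds are all assumptions a practice would replace with its own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (timestamp,user,role,patient_id,action); not real data.
SAMPLE_LOG = """\
2023-03-01T08:15:00,jsmith,nurse,P1001,view
2023-03-01T22:45:00,jsmith,nurse,P2001,view
2023-03-01T09:00:00,tjones,billing,P1001,view
2023-03-01T09:05:00,tjones,billing,P1002,view
2023-03-01T09:10:00,tjones,billing,P1003,view
2023-03-01T09:12:00,tjones,billing,P1004,view
2023-03-01T09:15:00,tjones,billing,P1005,view
"""
# Constructed: patients each user legitimately works with today (e.g. from the schedule).
ASSIGNMENTS = {
    "jsmith": {"P1001", "P1002"},
    "tjones": {"P1001", "P1002", "P1003", "P1004", "P1005"},
}

def parse_log(text):
    """Parse one comma-separated event per line into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events

def find_red_flags(events, assignments, work_hours=(7, 19), max_patients_per_day=4):
    """Return (user, reason, detail) tuples that a human reviewer should look at."""
    flags = []
    per_day = defaultdict(set)  # (user, date) -> distinct patients touched that day
    for ev in events:
        # Rule 1: record of a patient the user has no documented relationship with
        if ev["patient"] not in assignments.get(ev["user"], set()):
            flags.append((ev["user"], "no treatment relationship", ev["patient"]))
        # Rule 2: access outside the practice's working hours (assumed 07:00-19:00)
        if not (work_hours[0] <= ev["time"].hour < work_hours[1]):
            flags.append((ev["user"], "after-hours access", ev["time"].isoformat()))
        per_day[(ev["user"], ev["time"].date())].add(ev["patient"])
    # Rule 3: more distinct patients in one day than the role normally needs
    for (user, day), patients in per_day.items():
        if len(patients) > max_patients_per_day:
            flags.append((user, "high volume", f"{len(patients)} patients on {day}"))
    return flags

if __name__ == "__main__":
    for flag in find_red_flags(parse_log(SAMPLE_LOG), ASSIGNMENTS):
        print(flag)
```

Each flag is a lead for review, not proof of wrongdoing; the thresholds should be tuned per role so that a billing clerk's normal workload does not drown out a nurse opening one record at midnight.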
- Mobile device encryption. Laptops, smartphones and USB drives can all be encrypted. This will protect any data that is on these devices.
- Email Encryption. Emails could contain patient information as well as other sensitive information and should be encrypted. A secure email will protect the data that is sent.
- Secure texting. Regular SMS texting does not protect data that is sent between phones. There are secure texting applications that encrypt data that is sent via text message. If your staff are texting patients or are texting other staff members about patients, you should look into secure texting applications.
- Workstation encryption. Like laptop encryption, desktops and workstations can be encrypted to protect any data stored on them. Workstation encryption is very important in the event of a break-in and theft of workstations. Without encryption, a stolen workstation may result in a HIPAA data breach.
Disaster Recovery Plan
As previously mentioned, HIPAA regulates the safeguarding of patient records, so it is no surprise that the HIPAA Security Rule also requires a plan for recovering sensitive data. You must ensure that a structured approach is in place to counter a hacking event and limit what it could do to your practice.
Security Risk Assessment
A security risk assessment (SRA) is not only required under the HIPAA Security Rule but is a critical step toward understanding the risk to your practice and patient information. An SRA will inventory patient information, identify how you are currently protecting the data and make recommendations on how to lower the risk to the data. An SRA will help you understand your exposure to phishing scams and ransomware, the dangers of lost mobile devices, the risk of insider threats and how prepared you are in the event of a disaster. Finally, it provides the documentation you need as evidence that you have considered all of the possible risks to patient information and have specific plans to lower them. You can’t pass a HIPAA compliance audit or breach investigation without it.