What’s a healthcare administrator’s worst nightmare? The answer is most certainly a data breach. The thought of an unauthorized user getting access to patient information likely keeps them up at night, mentally reviewing each safeguard trying to determine if there are any holes in the organization’s security. And for a good reason — the average cost of a data breach in healthcare is $717,000. In this article, we are going to talk about how to protect patient health information so you can sleep easy and avoid the extreme cost of a data breach.
Let’s get started!
HIPAA and HITECH Regulations
Healthcare organizations should want to protect patient health information to help establish trust with their patients and keep them coming back. But not only that, as you probably already know, US laws require healthcare organizations to secure PHI (protected health information). This requirement comes from the US Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
These laws require covered entities to put administrative, physical, and technical safeguards in place for PHI. The HIPAA Security Rule, which covers electronic PHI, lists controls such as access controls, audit logging, integrity checks, and encryption; encryption is an "addressable" specification, which means you implement it or document why an equivalent alternative is reasonable, not that you may skip it. A healthcare facility that has skimped on these measures and then suffers a breach can face hefty fines. Understanding how to protect patient health information and comply with HIPAA and HITECH is the key to keeping your organization out of trouble.
How to Protect Patient Health Information: Key Steps
Let’s walk through a few essential steps you need to be taking to protect patient health information.
1. Encrypt Data at Rest and In Transit
This first tip comes straight out of the HIPAA Security Rule. Many organizations encrypt their data at rest but forget about data in transit (data moving from point A to point B), such as traffic from an app to a server or from your systems to a third-party partner's systems. HIPAA lists encryption of electronic PHI both at rest and in transit as addressable safeguards, and under the HITECH breach notification rules, PHI that was encrypted in line with HHS guidance is not considered "unsecured", so losing it does not trigger the notification obligations that losing plaintext would.
When you encrypt PHI, a criminal who intercepts or steals it cannot read it without the key. That only holds if the keys are managed as carefully as the data: store them separately from the ciphertext (a database dump that also contains the keys protects nothing), use a dedicated key management service or hardware security module where you can, rotate them, and restrict the ability to change encryption settings or export keys to a small set of named administrators whose actions are logged.
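The following Go program is an added illustration of the two points above, not code from the original article or from Executech. It uses envelope encryption: each record gets its own random data encryption key (DEK) protected with AES-256-GCM, and the DEK is stored only after being wrapped under a key encryption key (KEK) that is assumed to live in a separate key management system. The patient identifier is bound as associated data. The KEK, the record layout, and the sample PHI string are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what gets stored. The PHI is encrypted under a per-record
// data encryption key (DEK); the DEK itself is stored only in wrapped form,
// encrypted under a key encryption key (KEK) that lives outside the database.
type EncryptedRecord struct {
	WrappedDEK []byte // DEK sealed under the KEK, nonce prefixed
	Ciphertext []byte // PHI sealed under the DEK, nonce prefixed
}

// sealAEAD encrypts and authenticates plaintext with AES-256-GCM under key,
// binding aad (which is not encrypted) into the authentication tag.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Fresh random nonce per message; it is prefixed to the output and is not secret.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD. A modified ciphertext, the wrong key, or the
// wrong aad fails the GCM tag check and returns an error, never garbage plaintext.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptPHI generates a fresh 256-bit DEK for this record, encrypts the PHI
// under it, and wraps the DEK under the KEK. The patient identifier is bound as
// associated data so a ciphertext cannot be quietly moved onto another
// patient's record without detection.
func EncryptPHI(kek []byte, patientID string, phi []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealAEAD(dek, phi, []byte(patientID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAEAD(kek, dek, []byte(patientID))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptPHI unwraps the DEK with the KEK, then decrypts the PHI. Without the
// KEK neither step is possible, so a stolen database holds only ciphertext.
func DecryptPHI(kek []byte, patientID string, rec *EncryptedRecord) ([]byte, error) {
	dek, err := openAEAD(kek, rec.WrappedDEK, []byte(patientID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAEAD(dek, rec.Ciphertext, []byte(patientID))
}

func main() {
	// Constructed demo KEK. In production the KEK comes from a KMS or HSM and
	// never sits next to the encrypted records.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	phi := []byte("dx: type 2 diabetes; rx: metformin 500mg") // constructed sample PHI

	rec, err := EncryptPHI(kek, "MRN-1001", phi)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d-byte wrapped DEK, %d-byte ciphertext\n", len(rec.WrappedDEK), len(rec.Ciphertext))

	pt, err := DecryptPHI(kek, "MRN-1001", rec)
	fmt.Printf("correct KEK: %q err=%v\n", pt, err)

	wrongKEK := make([]byte, 32) // an attacker without the KEK gets nothing usable
	_, err = DecryptPHI(wrongKEK, "MRN-1001", rec)
	fmt.Printf("wrong KEK:   err=%v\n", err)

	_, err = DecryptPHI(kek, "MRN-1002", rec) // ciphertext moved onto another patient
	fmt.Printf("swapped MRN: err=%v\n", err)
}
```

The design choice worth noting is the key separation: compromising the database yields wrapped DEKs and ciphertext, both useless without the KEK, and rotating the KEK means re-wrapping small DEKs rather than re-encrypting every record.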
2. Configure User Settings Correctly
Another significant aspect of securing patient information is setting up user accounts and permissions correctly. The first step is putting together written policies for privacy safeguards, security safeguards, and password management.
Only give users access to the information they need to do their jobs. HIPAA calls this the "minimum necessary" standard; security engineers call it least privilege. Unfortunately, many breaches are the result of human error or even insider theft, and an account that can reach the entire system can leak all of it. That is why you don't want to give every employee access to your entire system.
We recommend you write out the policy and have it approved by leaders, IT, and security teams. Then ensure that employees are following all procedures and update any pieces when necessary — don’t just throw it in a junk drawer to collect dust.
3. Vet Third-Party Security
Many healthcare organizations use third-party partners. For example, a hospital may outsource billing, accounting, or legal services. If you share any patient information with third parties, you must make sure they meet the same security standards you hold yourself to, both for your peace of mind and to comply with HIPAA.
Under HIPAA, these third parties are called "business associates" and are directly responsible for protecting the PHI they handle, just as a covered entity is. You and the business associate must sign a business associate agreement (BAA) that spells out each party's responsibilities for PHI, including breach reporting.
When working with third parties, apply tips one and two to every exchange: encrypt any data you send, and send only the fields the third party needs to do its job, not the whole record.
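The Go program below is an added example covering both the minimum-necessary access in tip two and the "send only what the partner needs" point in tip three; it is not code from the original article or from Executech. It enforces a field-level projection of a patient record by role, denies unknown roles by default, and produces an audit entry for every disclosure. The role names, field names, and the sample patient are all constructed for the demo; a real system would take the role from its identity provider or EHR rather than from the request.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PatientRecord is a flat field map standing in for a PHI record.
type PatientRecord map[string]string

// Role is a hypothetical job role. In a real system it comes from the identity
// provider or EHR, never from the client request.
type Role string

const (
	Clinician     Role = "clinician"
	Billing       Role = "billing"        // internal billing staff
	BillingVendor Role = "billing_vendor" // outside business associate
	Scheduler     Role = "scheduler"
)

// allowedFields is the minimum necessary policy: each role sees only the
// fields its job requires. Anything not listed is denied.
var allowedFields = map[Role]map[string]bool{
	Clinician:     set("mrn", "name", "dob", "diagnosis", "medications", "allergies"),
	Billing:       set("mrn", "name", "dob", "insurance_id", "procedure_codes"),
	BillingVendor: set("mrn", "insurance_id", "procedure_codes"),
	Scheduler:     set("mrn", "name", "phone", "next_appointment"),
}

func set(fields ...string) map[string]bool {
	m := make(map[string]bool, len(fields))
	for _, f := range fields {
		m[f] = true
	}
	return m
}

// AuditEntry is what gets written to the access log for every disclosure
// (HIPAA's audit controls requirement): who, in what role, saw which fields.
type AuditEntry struct {
	User   string
	Role   Role
	MRN    string
	Shown  []string
	Denied []string
}

// Disclose returns the projection of rec that role is allowed to see, together
// with an audit entry. Unknown roles are refused outright (default deny).
func Disclose(user string, role Role, rec PatientRecord) (PatientRecord, AuditEntry, error) {
	allowed, ok := allowedFields[role]
	if !ok {
		return nil, AuditEntry{}, fmt.Errorf("role %q has no access policy: denied", role)
	}
	out := make(PatientRecord)
	entry := AuditEntry{User: user, Role: role, MRN: rec["mrn"]}
	for field, value := range rec {
		if allowed[field] {
			out[field] = value
			entry.Shown = append(entry.Shown, field)
		} else {
			entry.Denied = append(entry.Denied, field)
		}
	}
	sort.Strings(entry.Shown)
	sort.Strings(entry.Denied)
	return out, entry, nil
}

// SamplePatient is a constructed record for the demo, not real patient data.
func SamplePatient() PatientRecord {
	return PatientRecord{
		"mrn": "MRN-1001", "name": "Jane Example", "dob": "1970-01-01",
		"phone": "555-0100", "next_appointment": "2024-05-02 09:30",
		"diagnosis": "E11.9", "medications": "metformin 500mg", "allergies": "penicillin",
		"insurance_id": "INS-7788", "procedure_codes": "99213",
	}
}

func main() {
	rec := SamplePatient()
	requests := []struct {
		user string
		role Role
	}{{"dr.lee", Clinician}, {"acct.kim", Billing}, {"vendor.svc", BillingVendor}, {"intern.x", Role("intern")}}
	for _, r := range requests {
		view, entry, err := Disclose(r.user, r.role, rec)
		if err != nil {
			fmt.Printf("%-10s %v\n", r.user, err)
			continue
		}
		// view is the payload that would actually be sent to the user or business associate.
		fmt.Printf("%-10s shown=[%s] denied=[%s] fields_sent=%d\n", r.user,
			strings.Join(entry.Shown, ","), strings.Join(entry.Denied, ","), len(view))
	}
}
```

The point of doing this at the data layer rather than in the user interface is that the same `Disclose` call produces the outbound payload for a business associate, so an integration cannot accidentally ship the full record, and every disclosure leaves an audit trail.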
4. Create a Device Security Policy and Use MDM Software
So many healthcare facilities across the US leverage the freedom and convenience provided by mobile devices. Paper files are a thing of the past — many physicians and nurses work exclusively from tablets and other devices.
The rise of mobile devices is a great thing: it reduces the use of paper, keeps information up-to-date and organized, and allows providers to spend more time with patients. However, hospital administrators and IT staff now have to be aware of the additional endpoints and security concerns devices bring.
This is why any organization that uses mobile devices needs a written device security policy and a way to enforce it. We always recommend pairing the written policy with mobile device management (MDM) software. MDM gives you an inventory of every enrolled device and lets you enforce controls centrally: require device encryption and a screen lock, set minimum OS versions, push updates, and remotely wipe a device that has been lost or stolen. Your device policy is an extension of the overall security policy discussed in tip two and gives employees the requirements for passwords, multi-factor authentication, and more.
5. Keep Your Systems Updated
From your applications to your operating systems to your anti-virus, everything needs to be kept up to date across all devices. Healthcare organizations also have to worry about connected medical equipment: pacemakers, patient monitors, and other networked devices. Medtronic pacemakers and the programmers used to manage them, for example, have been the subject of public vulnerability advisories.
With all of the various devices and forms of technology used across hospitals and healthcare facilities, keeping each piece of tech updated and secure is a vital step in securing patient health information. If you use IoT (which many organizations now do), you need to ensure that each endpoint is up-to-date so that you aren’t opening an easy entry point for criminals to get their hands on your patient information. Updates often contain security patches that close known vulnerabilities and security holes.
6. Educate Employees and Create a Security Culture
Possibly the biggest contributing factor to successfully protecting your patients’ information is educating your employees. Cyber attacks that lead to breaches often prey on human behavior, like clicking on malicious links. So, make sure you are training your employees on how to maintain security in your organization. And not just once. These trainings should be continual and consistent — think every month or quarter.
This will help create a positive culture of cybersecurity across your staff. You want each and every employee to be invested in protecting patient data. So, keep cybersecurity top of mind, motivating everyone in your organization to maintain strong security practices.
7. Implement Physical Security Controls
Up until this point, we’ve discussed digital security measures, but you can’t forget about physical security controls as well. This includes safeguards such as facility access controls. Restricting physical access to areas where PHI is stored is critical to HIPAA compliance and keeping your patients’ data safe.
You’ll also need to create policies for workstation use and security, determining which workstations can access PHI and limiting use to only authorized users. These physical security controls are as necessary as your digital security controls.
8. Perform Third-Party Risk and Security Assessments
Last but not least, when figuring out how to protect patient health information, you need to perform regular risk and security assessments. HIPAA requires covered entities to conduct and document a risk analysis; it does not require that an outside firm perform it, but an independent assessment does more for you than compliance alone. It can reveal areas of risk that internal staff have stopped noticing.
A third party has no stake in your existing design decisions, so it can assess your systems objectively and point out the areas that need improvement.
In the end, understanding how to protect patient health information is essential for any healthcare organization. Not only are healthcare companies required by law to protect PHI, but it’s also in their best interest. When patients trust that their data is safe in your hands, they will be more likely to continue giving you their business. So, make sure you are using these eight tips to protect your patients’ data.
If you need help securing your organization, reach out to Executech today. We can assess your systems, find improvements, and implement tools and software to layer security measures appropriately throughout your organization.
To learn more about protecting you and your business from cybersecurity threats, check out our Ultimate Guide To Cybersecurity!