Data Protection: Protecting Your Patients and Staying HIPAA Compliant

data leaks from dangling flash driveData leakage! It's a problem that everyone will have to face at some point. New HIPAA rules and regulations are doing what they can to address potential shortfalls, because data leakage of patient information is a serious violation. Thankfully, the government intends to continue to increase penalties and prosecution for patient data leaks. We Comply’s annual study showcasing the current state of threats to patient data and security found that while data breaches decreased slightly from last year, 90% of respondents still reportedly had suffered at least one data breach in the last two years.

In an effort to be aware and prepared, we are sharing with you advice from top health security practitioners. Is your organization prepared? Are you in compliance with all government regulations? Find out what the professionals do (and do not do) to protect against patient data leakage.

Cloud Storage and Bring Your Own Device (BYOD)

With cloud storage rising, and people bringing their own devices to work (tablets, cell-phones, laptops, etc.) to access a network, it is no wonder that security breach is a topic. The use of Cloud services continues to rise despite the security dangers with over 40% of respondents using cloud storage on a regular basis up from 32% in the previous year. As far as BYOD, 88% of health of organizations allow employees and medical staff to use their own mobile devices to connect to the organization’s network.

Sadik Al-Abdulla, Director of Security Solutions, CDW, shares this advice on the topic of personal devices:

Sadik Al-AbdullaThe most common risk is the loss or theft of employee-owned devices at organizations allowing bring-your-own-device policies. The risk of lost devices is most effectively mitigated by a flexible and easy-to-use encryption system, as well as reinforcing the criticality of reporting incidents. Lost devices that are encrypted and remotely wiped within hours of the incident have a lower risk of data comprise. If an employee loses a device that isn’t encrypted, then there is a greater risk of data compromise with each passing day.

When it comes to the Cloud, Al-Abdulla responds,

The most important thing about cloud storage is to work within the rules of the healthcare organization.” Pay attention to what is enabled by your IT Department and labeled as secure. He also states, “security is an ongoing process, and one that healthcare organizations must embrace.

Working with Different Security Firms and Educating Employees

Erik Westerlind is a senior research director for KLAS, a research firm dedicated to helping healthcare providers make informed decisions by measuring the performance of technology vendors. He is also the author of several recent reports regarding cloud computing and HIPAA security. Westerlind offers these insights:

Erik WesterlindMany organizations work with several different security firms because they feel it is very productive to have companies with varying backgrounds evaluate their security. The hope is that each company will find something that the other didn’t consider. 

Westerlind is also an advocate of proper training. When it comes to employees, he has this to say:

The goal is to educate the employee about HIPAA regulations and the dos and don’ts in an effort to ensure compliance. This, as you know has to be an ongoing effort and is not foolproof as we saw with the Facebook issue recently. Another step providers take is to configure appropriate access roles for ePHI, with the intent of limiting inappropriate access.

Are You HIPAA Secure?

John Lynn is the editor and founder of the nationally renowned blog network The Healthcare Scene network currently consists of 15 blogs containing over 7000 articles. Lynn offers these tips to help make sure that your health IT security and privacy policies are in place:

John Lynn1. Encrypt all of your computers that store PHI (Protected Health Information) – If your hard drive is lost or stolen and it's not encrypted, you'll pay the price big time. However, if it's encrypted you won't have to worry nearly as much.

2. Avoid Sending SMS Messages with PHI – SMS is not HIPAA secure and there are plenty of high quality secure, HIPAA compliant text message options out there. Find one you like and use it. While being secure it also has other features like the ability to see if the recipient has read the message or not.

3. Do a HIPAA Risk Assessment – Not only is this required by HIPAA and meaningful use, it's a good thing to do for your patients. Don't fake your way through the assessment. Really dig into the privacy and security risks of your organization and make reasonable choices to make sure that you're protecting your health data.

Putting the Pieces Together

Each of these experts has put in the work when it comes to protecting data, their valuable advice shouldn't be taken for granted. The patience in Washington for poor health IT data security is begining to wear thin and it's likely many organizations may soon be facing large fines. Think about your organization. Are there steps you can take to further protect your patients? If you have any questions about your compliance, contact us today!