Cybercriminals are actively seeking your electronic Protected Health Information (ePHI). That’s because it’s a profit-making resource for them and a valuable commodity on the Dark Web.
How can your healthcare organization ensure you have the most robust data security protocols in place? By following best practices for securing ePHI.
As technology continues to evolve, patients’ health records have been slowly moving to digital formats such as electronic health records (EHRs). Covered entities and their business associates must ensure that they have strong IT security measures in place to keep patients’ confidential data secure in every format.
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), the healthcare industry is the worst when it comes to stopping insider data breaches. The report also found that ransomware was responsible for 39 percent of the breaches:
“Ransomware remains a significant threat for companies of all sizes,” said Verizon Executive Director of Security, Bryan Sartin. “It is now the most prevalent form of malware, and its use has increased significantly over recent years.”
Only by following security best practices, staying vigilant and using the right IT defensive solutions can you keep your ePHI secure today.
Your healthcare organization must meet requirements under HIPAA for audit controls, data integrity, access controls, person or entity authentication, and secure data transmission and storage. To comply, you should implement these 10 security best practices.
1. Stay up-to-date on the current threats to healthcare data. Your IT provider can help you do this. They are the ones who keep a pulse on data breaches that healthcare organizations like yours are experiencing.
2. Remediate any security gaps in your IT network. You may need to replace aging technology and update your hardware and software. Failing to do so weakens your IT security posture and endangers your ePHI. Ask your IT provider to conduct regular vulnerability assessments to detect weaknesses in your defenses.
3. Maintain a secure IT infrastructure to prevent intrusions by cybercriminals. Your IT service company can implement remote monitoring and management and intrusion detection solutions to detect unauthorized access attempts and block them. Ask them about managed security solutions that improve your security posture, quickly identify malicious activity, and respond to cybersecurity threats.
4. Your IT provider can implement solutions to minimize your risk with:
5. Use enterprise-grade security tools such as antivirus, firewalls, advanced threat protection solutions, EDR (Endpoint Detection and Response), and DMARC (Domain-based Message Authentication, Reporting and Conformance) email-validation solutions.
6. Ask your IT provider to hold Security Awareness Training for your staff to help them recognize phishing and other email and online attacks that try to trick them into revealing confidential information.
7. Use audit controls to gain visibility into your ePHI and EHRs. Monitor all access and record all login attempts. Respond immediately to unauthorized attempts. Once again, your IT specialist can set this up for you.
8. Keep records of who has access to your ePHI and EHRs, and make sure that all data access is in line with users’ duties and responsibilities. Only allow access to those who need the information and no one else. Your HR department has a role to play here: it should notify you when new employees are brought onboard, when job descriptions change, and when employees leave your organization.
9. Perform regular ePHI inventories. Also, identify how you use, collect, store and share patient data. You must have a secure method for deleting ePHI. Remember that if you just drag a file to your computer’s trash can, it still resides on the computer. Ask your IT provider to help you perform regular inventories to determine where on your systems, servers, and applications ePHI is stored.
10. Adopt a HIPAA Security Policy for your organization. This should cover all aspects of the HIPAA Security Rule and your policies and procedures around it. Also include an Incident Response Plan that designates a person or team to respond, specifies their roles, and lists the steps they should take if a data breach occurs (who to notify, including affected individuals and government agencies as required).
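As an added illustration of practices 7 and 8 (this is not code from the original post or from HitsTech), here is a Python review of constructed ePHI audit records: it flags record views outside a role’s allowed record types, activity by users HR no longer lists as active, and repeated failed logins. The log format, the role matrix, the user roster and the threshold are all assumptions.

```python
from collections import Counter

# Constructed sample ePHI access audit records (assumed format, one event per line):
# timestamp user role action record_type patient outcome
AUDIT_LOG = """\
2024-03-01T08:01:10 jdoe nurse view clinical P1001 ok
2024-03-01T08:02:45 jdoe nurse view billing P1001 ok
2024-03-01T08:03:02 bsmith billing view billing P1002 ok
2024-03-01T08:03:30 bsmith billing view clinical P1002 ok
2024-03-01T08:05:00 tlee receptionist login - - fail
2024-03-01T08:05:04 tlee receptionist login - - fail
2024-03-01T08:05:09 tlee receptionist login - - fail
2024-03-01T08:06:00 mgarcia physician view clinical P1003 ok
2024-03-01T08:07:30 rold nurse view clinical P1004 ok
"""

# Assumed minimum-necessary matrix: which record types each role may view.
ROLE_ALLOWED = {"physician": {"clinical", "billing"}, "nurse": {"clinical"},
                "billing": {"billing"}, "receptionist": {"demographics"}}
# Assumed current roster from HR; "rold" has left and should generate no activity.
ACTIVE_USERS = {"jdoe", "bsmith", "tlee", "mgarcia"}
FAILED_LOGIN_THRESHOLD = 3

def parse_event(line):
    # One audit line -> dict; malformed lines return None so they are never miscounted.
    fields = line.split()
    if len(fields) != 7:
        return None
    keys = ("ts", "user", "role", "action", "record_type", "patient", "outcome")
    return dict(zip(keys, fields))

def review_audit_log(text):
    # Returns the three findings a routine access review should raise for follow-up.
    out_of_role, terminated = [], []
    failed = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["user"] not in ACTIVE_USERS:  # activity from a user HR no longer lists
            terminated.append((ev["ts"], ev["user"], ev["action"], ev["patient"]))
        if ev["action"] == "login" and ev["outcome"] == "fail":
            failed[ev["user"]] += 1
        elif ev["action"] == "view" and ev["outcome"] == "ok":
            if ev["record_type"] not in ROLE_ALLOWED.get(ev["role"], set()):
                out_of_role.append((ev["user"], ev["role"], ev["record_type"], ev["patient"]))
    brute = {u: n for u, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD}
    return {"out_of_role": out_of_role, "terminated_user_activity": terminated,
            "repeated_failed_logins": brute}
```

Each finding maps to a review action: out-of-role views go to the data owner, activity by a departed user confirms a deprovisioning gap, and repeated failures trigger the immediate response practice 7 calls for.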
For assistance protecting your ePHI, contact the IT specialists at HitsTech in Raleigh, NC. We’ll be happy to visit your facility and explain how we can implement security best practices for your healthcare organization.
HitsTech is focused on bringing the right information technology solutions to organizations throughout North Carolina.