Electronic Protected Health Information (ePHI) has become a prime target for cyber thieves. And that’s because it contains so much more information about an individual than regular data. That makes it worth more money on the Dark Web.
Imagine being able to buy the personal health information of wealthy business people like Jeff Bezos, Bill Gates or Oprah. Any wealthy business owner’s health info is valuable to cybercriminals because it can give unsavory individuals an edge. That’s why these new regulations were developed—to keep ePHI out of the hands of crooks.
If you run any type of healthcare organization, it’s your responsibility to ensure that you have the most robust data security protocols in place. If a cyber breach does occur, and the investigation reveals that your organization was not following best practices for securing PHI, you can be held financially responsible for the data leak.
It’s important for your healthcare organization and all your vendors to have strong IT security measures in place. These rules must be followed by everyone in order to keep patients’ confidential data secure in all formats.
ePHI Data Breaches Increasing at Alarming Rates
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), the healthcare industry is experiencing tremendous increases in the number of data breaches. Almost daily, we hear of a new breach at some doctor’s office or hospital. And this is occurring all over the world; not just in America.
Ransomware has become a huge problem. In this type of breach, an employee accidentally downloads a virus that locks up all your computers. Your files and computers are taken hostage until you pay the ransom. This type of attack is now responsible for 39 percent of the breaches:
“Ransomware remains a significant threat for companies of all sizes,” said Verizon Executive Director of Security Professional Services Bryan Sartin. “It is now the most prevalent form of malware, and its use has increased significantly over recent years.”
Best Practices: 10 Steps to Secure ePHI
Your healthcare organization has a duty to meet all requirements under HIPAA for audit controls, data integrity, access controls, person or entity authentication, and secure data transmission and storage. By following these 10 security best practices, your practice can remain compliant.
1. Locate any security gaps in your IT network. You can start by asking an IT security specialist to run a security assessment on your network. They will provide you with a report that outlines any weak areas such as aging technology, programs that have not been updated and patched, etc.
2. Stay up-to-date on the current threats to healthcare data. There are new threats every day and you have to be aware of this in order to combat it.
3. Implement Remote Management and Monitoring and Data Intrusion Solutions to detect unauthorized attempts to breach your system and block them. Your IT service provider can handle this from end-to-end.
4. Utilize enterprise-based antivirus, firewalls, advanced threat protection solutions, EDR (Endpoint Detection and Response), and DMARC (Domain-Based Message Authentication, Reporting and Conformance) email-validation solutions.
5. Ask your IT provider to provide Security Awareness Training for your employees. This must be an ongoing thing because employees forget and get careless. Also, the tricks that cybercriminals use are constantly evolving. Plan regular security training for several times a year.
6. Make sure you only allow access to important information to those who need it. Your HR department should revoke all credentials of those employees who leave your organization.
7. Use audit controls to gain visibility into your ePHI and EHRs. Monitor all access and record all login attempts. Respond immediately to unauthorized attempts.
8. Adopt a HIPAA Security Policy for your organization. This is an important step. Employees must know the rules in order to keep them. HIPAA Security Rules and your own policies should be made clear and available to everyone. Your Incident Response Plan can designate a person or team responsible and describe their roles and the steps they should take if a data breach occurs. Don’t just wait till a cyber breach occurs and then try to handle it on-the-fly.
9. Perform regular ePHI inventories. Ask your IT provider to help you perform regular inventories to determine where on your systems, servers and applications ePHI is stored.
10. Identify how you use, collect store and share patient data. You must also have a secure method for deleting ePHI. Remember that if you just drag a file to your computer trash can, it still resides on the computer.
The Bottom Line
Your IT provider can implement solutions to minimize your risk with:
For assistance protecting your ePHI contact the IT specialists at Hitstech in Charlotte, NC. We’ll be happy to visit your facility and explain how to implement security best practices for your healthcare organization.
If you liked this article, we have many more to share in our Media Center.
HitsTech is focused on bringing the right information technology solutions to organizations throughout North Carolina.
We welcome you the read some of our latest blog posts and technology articles.