Cybercriminals are actively seeking your electronic Protected Health Information (ePHI). It is a profit-making resource for them and a valuable commodity on the Dark Web.
How can your healthcare organization ensure you have the most robust data security protocols in place? By following best practices for securing PHI.
As technology continues to evolve, patients’ health records have been slowly moving to digital formats, and electronic health records (EHRs). Covered entities and their business associates must ensure that they have strong IT security measures in place to keep patients’ confidential data secure in all formats.
ePHI Data Breaches Are Increasing
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), the healthcare industry is the worst when it comes to stopping insider data breaches. And, they found that ransomware was responsible for 39 percent of the breaches:
“Ransomware remains a significant threat for companies of all sizes,” said Verizon Executive Director of Security, Bryan Sartin. “It is now the most prevalent form of malware, and its use has increased significantly over recent years.”
Only by following security best practices, staying vigilant and using the right IT defensive solutions, can you keep your ePHI secure today.
10 Best Practices For Securing ePHI
Your healthcare organization must meet requirements under HIPAA for audit controls, data integrity, access controls, personal or entity authentication, and secure data transmission and storage. To comply you should implement these 10 security best practices.
1. Stay up-to-date on the current threats to healthcare data. Your IT provider can help you do this. They are the ones who keep a pulse on data breaches that healthcare organizations like yours are experiencing.
2. Remediate any security gaps in your IT network. You may need to replace aging technology and update your hardware and software. If not, this weakens your IT security posture and endangers your ePHI. Ask your IT provider to conduct regular vulnerability assessments to detect weaknesses in your defense.
3. Maintain a secure IT infrastructure to prevent cybercriminals’ intrusions. Your IT service company can implement Remote Management and Monitoring and Data Intrusion Solutions to detect unauthorized attempts and block them. Ask them about managed security solutions that improve your security posture, quickly identify malicious attempts, and respond to cybersecurity threats.
4. Your IT provider can implement solutions to minimize your risk with:
- Data encryption so your ePHI and EHRs are secure both in transit and storage.
- Multi-factor authentication where your users must use two or more forms of electronic identification to access data.
- Routinely patch and update your software programs to close any security gaps.
- And more.
5. Utilize enterprise-based antivirus, firewalls, advanced threat protection solutions, EDR (Endpoint Detection and Response), and DMARC (Domain-Based Message Authentication, Reporting and Conformance) email-validation solutions.
6. Ask your IT provider to hold Security Awareness Training for your staff to help them recognize phishing and other email and online attacks that try to trick them into revealing confidential information.
7. Use audit controls to gain visibility into your ePHI and EHRs. Monitor all access and record all login attempts. Respond immediately to unauthorized attempts. Once again, your IT specialist can set this up for you.
8. Keep records on who has access to your ePHI and EHRs, and make sure that any data access is in line with users’ duties and responsibilities. Only allow access to those who need the information and no one else. Your HR department will have a role to play in this respect to advise and notify you when new employees are brought onboard, changes are made in personnel descriptions, and when employees leave your organization.
9. Perform regular ePHI inventories. Also, identify how you use, collect, store and share patient data. You must have a secure method for deleting ePHI. Remember that if you just drag a file to your computer trash can, it still resides on the computer. Ask your IT provider to help you perform regular inventories to determine where on your systems, servers and applications ePHI is stored.
10. Adopt a HIPAA Security Policy for your organization. This should include all aspects of the “HIPAA Security Rule” and your policies and procedures around it. Also, include an Incident Response Plan that designates a person or team to respond, their roles, and the steps they should take if a data breach occurs (who to notify including individuals and government agencies as required).
For assistance protecting your ePHI, contact the IT specialists at Global Data Systems (GDS) in Pembroke, Massachusetts. We’ll be happy to visit your facility and explain how we can implement security best practices for your healthcare organization.
If you liked this article, we have many more to share in our Media Center. Here are a few examples of what you’ll find.
Building a Better Password: Why Strong Security is Critical for Your Business
The #1 Tech Tip From Your Healthcare IT Support Professionals
Steps To Avoid HIPAA Compliance Violations And Data Breaches