5 Steps to Secure Your Healthcare Organization

Securing your healthcare organization should be a priority. Healthcare organizations are especially vulnerable to attacks because they cannot afford to be shut down.


1. Email Security

Patient data needs to be encrypted, especially when you send it outside of your organization or across public networks within your organization. Healthcare organizations must “implement a mechanism to encrypt electronic Protected Health Information whenever deemed appropriate” (requirement §164.312(e)(2)(ii)), for example rather than sending unencrypted PHI through unprotected email services (e.g., Gmail, Outlook).

Organizations can send PHI via email if it’s secure and encrypted. According to HHS, “the Security Rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.”

Due to how interconnected emails are and the difficulty of properly securing them through encryption, we strongly recommend avoiding the transmission of PHI via email.

When possible, use patient portals to send information to patients. Covered entities should use secure file transfer protocol (SFTP) options for covered-entity-to-covered-entity or covered-entity-to-business-associate communications.

As a general rule, free Internet-based webmail services (e.g., Gmail, Hotmail) are not considered secure for the transmission of PHI.

If you must use an Internet-based email service, make sure that this service signs a business associate agreement with you.

However, a BAA only goes so far, and ultimately, you are still responsible for performing due diligence when choosing which business associates you entrust with your patient data. The Omnibus Rule of 2013 states that the covered entity remains responsible for ensuring the business associate does its part to protect patient data. If found in violation of HIPAA, both parties are liable for fines.

2. Mobile Device Security

Like sending emails, using mobile devices requires additional security measures to make sure patient data is secure. Mobile devices often don’t have the same security policies as work stations and servers. Because of this, mobile devices may not be protected with technology like firewalls, encryption, or antivirus software.

In addition, when a healthcare provider uses a personal smartphone or tablet to access patient data (i.e., under a BYOD policy), the device is exposed to the risks of every other app installed on it. With each downloaded app, the risk grows.

Because of all the issues that come along with a Bring Your Own Device (BYOD) policy, you need to follow a few precautions to comply with HIPAA requirements and ensure patient data security.

The best mobile security practice is to not implement a BYOD strategy. That said, we realize this can be impractical.

Protecting and securing health information while using a mobile device is a healthcare provider’s responsibility. To address these concerns, consider using the National Institute of Standards and Technology (NIST) mobile guidelines for healthcare security engineers and providers.


3. Cloud Security

Using a cloud data storage solution can help healthcare organizations achieve the goal of protecting the confidentiality, integrity, and availability of ePHI.

Whether or not an organization complies with HIPAA in their data storage depends on the actions of both the covered entity and the cloud service provider (CSP). If some or all of your data is “in the cloud,” you need to work with your CSP to ensure that a business associate agreement (BAA) is created and signed and that sufficient security controls are in place.

Apply the same HIPAA security requirements to the ePHI located in the cloud as you would to ePHI on premises.

When choosing a cloud service provider, make sure they will sign a BAA. Your cloud service provider should know that the data they store for you is protected and follows applicable HIPAA security and privacy requirements. If a vendor won’t sign a BAA, then they potentially won’t keep your ePHI secure.

In most cases, the basics of cloud security, such as server hardening, patching, and firewall configuration, are managed by the cloud service provider. Large cloud vendors (e.g., Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform) are often perceived as a safe choice because they have the resources and staff to devote to security.

When choosing how to configure the security, start with security guides that your cloud service provider has created. Currently, all the major cloud security providers have guidance on meeting established cybersecurity frameworks, such as NIST and CIS.

4. Physical Security

In addition to protecting your electronic PHI (ePHI), make sure to protect physical PHI. While organizations may address many foundational security issues, they’re likely to overlook details such as:

  • Unlocked office/storage doors
  • Open window blinds
  • Unattended reception desks
  • Lack of screen savers and privacy monitors
  • Unsecured devices/hardware
  • Execution of malware from left-behind devices (e.g., USB flash drives)
  • Insufficient access ID policies, including ID card expiration
  • Lack of security training for common threats, such as piggybacking (i.e., malicious actors who follow employees closely through secure doors so they are not checked for identification)
  • Separation and termination policies not followed correctly
  • Visitor and vendor access not controlled appropriately

Employees may think physical security only applies after hours. However, many data thefts occur in the middle of the day, when staff are too busy with various assignments to notice someone walking out of the office with a server, work laptop, or phone.

To help control physical threats, create a physical security policy that includes all rules and processes involved in preserving onsite business security. For example, if you keep confidential information, products, or equipment in the workplace, you should secure them in a locked area. If possible, limit outsider office access to one monitored entrance, and (if applicable) require non-employees to wear visitor badges at all times.

Don’t store sensitive information or documents in the open. For example, reception desks are often covered with information like passwords written on sticky notes, computers without privacy monitors, and patient records lying out in the open.

You also need to control employee access to sensitive areas, which must be related to an individual’s job function. To comply with this requirement, you must document:

  • Who has access to secure environments and why they need this access
  • What, when, where, and why devices are used
  • A list of authorized device users
  • Locations where the device is and is not allowed
  • What applications can be accessed on the device

Access documentation must be kept up to date, especially when individuals are terminated or their job role changes.

Keep an up-to-date inventory of all removable devices, including a list of authorized users, locations the device is assigned or is not allowed, and what applications are allowed to be accessed on the device.

Best practice is to not allow these devices to leave the office, but if they must, consider attaching external GPS tracking technology and installing/enabling remote wipe on all laptops, tablets, external hard drives, flash drives, and mobile devices.

In addition, make sure all workstations have an automated timeout/log out on computers and devices (e.g., a password-protected screen saver after a set amount of time). This helps discourage thieves from trying to access data from these workstations when employees aren’t there.

5. Firewall Security

Network firewalls are vital for your HIPAA compliance efforts. A firewall’s purpose is to filter potentially harmful Internet and other untrusted network traffic to protect valuable PHI and other sensitive resources.

Simply installing a firewall on your organization’s network perimeter doesn’t secure your network. Proper configuration is critical for a firewall to be effective.

If your firewall isn’t configured and maintained properly, your network isn’t secure.

A combination of perimeter, internal, and personal firewalls should be used to implement a defense-in-depth firewall strategy. All these firewalls should be configured with detailed rules that only allow designated ports from specific network addresses. Broad “allow” rules that permit many different types of traffic to many devices should be avoided at all costs.
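As an added illustration of the rule-review the paragraph above calls for (this is example code, not from the original post or any vendor's tooling), the script below audits a constructed, simplified allow-list for the broad rules to avoid: unrestricted source ranges, any-protocol, any-port, and a missing default deny. The rule format, the sample rules and the 1024-address threshold are assumptions chosen for the example.

```python
"""Flag broad firewall allow rules. Added example; rule format is a
constructed simplification (action, source CIDR, protocol, destination port)."""
import ipaddress

# Constructed sample ruleset, not a real organization's configuration.
SAMPLE_RULES = [
    {"name": "vpn-to-ehr",   "action": "allow", "src": "10.20.0.0/24",  "proto": "tcp", "dport": "443"},
    {"name": "any-to-ehr",   "action": "allow", "src": "0.0.0.0/0",     "proto": "tcp", "dport": "443"},
    {"name": "admin-any",    "action": "allow", "src": "10.20.5.10/32", "proto": "any", "dport": "any"},
    {"name": "lan-to-db",    "action": "allow", "src": "10.20.0.0/16",  "proto": "tcp", "dport": "1433"},
    {"name": "default-deny", "action": "deny",  "src": "0.0.0.0/0",     "proto": "any", "dport": "any"},
]

# Assumed policy threshold: a source range wider than a /22 counts as "broad".
MAX_SOURCE_ADDRESSES = 1024


def audit_rule(rule):
    """Return the findings for one rule; an empty list means the rule is narrow enough."""
    findings = []
    if rule["action"] != "allow":
        return findings  # deny rules are never "too broad"
    net = ipaddress.ip_network(rule["src"], strict=False)
    if net.num_addresses > MAX_SOURCE_ADDRESSES:
        findings.append(f"source {rule['src']} covers {net.num_addresses} addresses")
    if rule["proto"] == "any":
        findings.append("protocol is unrestricted")
    if rule["dport"] == "any":
        findings.append("destination port is unrestricted")
    return findings


def audit_ruleset(rules):
    """Map rule name -> findings for every allow rule broader than policy permits."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


def ends_with_default_deny(rules):
    """True when the last rule denies everything, so unmatched traffic is dropped."""
    last = rules[-1]
    return last["action"] == "deny" and last["src"] == "0.0.0.0/0" and last["dport"] == "any"


if __name__ == "__main__":
    for name, findings in audit_ruleset(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
    print("default deny present:", ends_with_default_deny(SAMPLE_RULES))
```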

As always, default usernames and passwords of firewall devices must be changed, and administrative access must only be granted to authorized users. Keep all firewalls updated with current operating systems, firmware, and patches.

Conclusion

Securing your healthcare organization should be a priority. Healthcare organizations are especially vulnerable to attacks because they cannot afford to be shut down. For example, healthcare organizations are a prime target for ransomware attacks because they will most likely pay the ransom in order to keep their systems up and running.

Following each of these steps will help close gaps in your security so that you are less likely to experience a data breach.

To learn more about each of the steps in this blog, download our free HIPAA Guide.
