Many organizations likely realize it’s important to secure their patient data, but how many are actually doing it? We surveyed 42 healthcare professionals responsible for HIPAA compliance and discovered a few interesting things:
Let’s take a closer look at some of these stats.
See also: How Healthcare Security Complacency is Killing Your Organization
HIPAA requires that all electronic PHI stored or transmitted on systems and work devices be encrypted. This includes mobile phones, laptops, desktops, emails, EMRs, etc. Encrypting PHI essentially makes it useless to any hackers who manage to steal the data. It’s an extra security layer that can’t be avoided.
According to our survey, 50% of respondents encrypt data, 12% don’t, and 38% don’t know.
That’s a little concerning, especially since encryption is a good way to secure your data.
See also: Medical Data Encryption: Keeping Your PHI Secure
Organizations that use remote access must implement two-factor authentication for logins to the database. Two-factor authentication means presenting two of the following kinds of credentials:
Our survey shows only 37% of respondents use two-factor authentication, and 50% don’t know if they do.
Remember, the number one vulnerability attackers exploit in organizations is remote access. If you use it, make sure you’re using it securely.
See also: Two Factor Authentication—Security Beyond Passwords
All employees should have their own login IDs and passwords for computer, software, and physical access. This prevents hackers and social engineers from gaining access to sensitive data through easy means.
The organizations we interviewed are doing fairly well with this requirement, as only 7% share credentials. This is promising, since it has been a problem in the past.
All workstations should have an automated timeout/logout on computers and devices (e.g., a password-protected screensaver pops up on a computer after a set amount of time). This helps discourage social engineers from trying to access data from these workstations when employees aren’t there.
Similarly, the healthcare professionals we surveyed are doing well on this requirement: 90% have these timeouts/logouts enabled, and only 7% do not.
See also: Healthcare Reception Desks: Breeding Ground for HIPAA Compromise
While organizations seem to be doing better on some elements of HIPAA, there’s still room for improvement. Remote access security and data encryption remain big problems, ones that many of the healthcare professionals we interviewed either aren’t addressing or whose employees are unaware of them. Both outcomes are equally disturbing.
When it comes to HIPAA, you need to make sure your organization is compliant with all security requirements. If you don’t, you leave your organization vulnerable to attackers. Keep your data safe!
Check out our data visualization on HIPAA data security: How is Healthcare Doing with Patient Data Security?