Any organization that is in the business of working with patient health related information should make information security one of their highest priorities. Important regulations such as HITECH (passed by Congress in 2009 which implemented stricter penalties for HIPAA violations), the HIPAA Security Rule (addresses the protection of patient information in electronic format), and the HIPAA Omnibus Rule (recently passed in January 2013 which expanded the definition of ‘Business Associates’) should be carefully reviewed to ensure that your organization is fully compliant in handling patient health related information.
What are some good practices for protecting patient health related information?
Encrypt data in transit and at rest:
Technology makes it easy for us to transfer (and store) patient information. To ensure secure electronic data management information, always use encrypted protocols such as sFTP or SSL. To ensure information is secure when at rest on a server or disk, always use encryption on the file or the media. If your employees travel frequently, they should make sure their laptop, tablet, mobile devices are encrypted.
Encrypt email communication:
Health care and clinical research organizations should follow the financial industry practice and secure email communication with encryption. This requires your recipient to use credentials to unencrypt the email message and ensures that only the right party can have access to the appropriate information.
Stay up-to-date on software and OS patches:
Cyber threats and virus are constantly changing signature. In order to catch the latest threats, your servers must be up-to-date with the latest OS and software patch. Even if your servers are not configured for real-time updates, you should ensure routine scans and updates are put in place.
You should also implement network-based security software (firewall, gateway antivirus, intrusion detection) and endpoint security solutions (antivirus, personal firewall, intrusion detection)
Implement multi-factor authentication
For the application access, it may not be enough to have a single login/password authentication. Consider implementing multi-factor authentication such as pin or passcode verification that comes thru as text or email.
Limit BYOD (bring your own device) usage:
Technology allows us to easily transfer and store information everywhere, as storage devices are now used everywhere. Organizations should have procedures in place to manage (or prevent) use of smart phones and USB flash devices. If information is stored on a cloud service account, make sure the service has adequate security procedure in place.
Implement security related SOPs:
Be sure the organization’s corporate SOP’s cover information protection of patient health records. Detailed Work Instructions should be written and distributed on how a department or group should handle transfer and storage of patient health records.
Security awareness training/culture:
Be sure your employees have a mindset focused on security and information protection. Treat your patient health related records the same as other assets (money, company secrets etc…) and develop an organizational culture around information protection.
Be aware of social engineering threats:
Along with training as mentioned above, be aware that many security breaches are actually caused by innocent human mistakes such as giving a password to someone over the phone, or clicking on an email that contains a Trojan horse virus or leaving your laptop unlocked while you are away from the desk. Successful information protection requires both technology safeguards as well as human safeguards.