Five Tips to Help Secure ePHI
When they surveyed thousands of healthcare consumers in 2017, researchers at the consulting firm Accenture found that more than 1 in 4 have had their personal medical information stolen in a healthcare data breach. Personal medical information remains one of the most sought-after types of data for cyber criminals to steal. And while this should concern all consumers of healthcare services, it should also create a priority level of urgency for any healthcare provider that has not yet implemented the strongest measures possible to secure its patients' data.
For healthcare organizations, after all, the stakes of a data breach can be enormous: steep fines and penalties from HIPAA regulators at the federal and state level, the potential for costly lawsuits, and the public outcry and publicity that damages the company's reputation and public trust.
MedPage Today offers some suggestions for securing your company's most sensitive (and highly regulated) healthcare communications.
1. Develop a set of rules and policies for how your staff can handle patient data
Create a set of policies and procedures regarding how your employees must handle electronic protected health information (ePHI) in any environment, on any device.
Document this corporate governance policy, distribute it across your company, and then conduct mandatory training for all of your staff.
This set of policies will help minimize your company's risk of data breaches, and it can also serve as helpful documentation demonstrating your organization's eagerness to comply with HIPAA and other privacy laws -- which could come in handy if regulators ever come knocking.
2. Train your employees to be alert for hackers' most common scams
According to data compiled by the HIPAA Journal, email scams represented the second-highest location for crooks stealing healthcare data in the first quarter of 2018. (The top method, in case you're wondering, was stealing physical records.)
Train your employees to be smart about dealing with emails, websites, suspicious links, and file downloads. A good example: do not download attachments in emails from people or businesses they don't recognize. Do not click on short-links and be careful of links that have too many subdomains as these could contain malicious code or ransomware.
3. Limit your staff to a list of secure apps for messaging and collaboration
Although some healthcare organizations are still uncomfortable about allowing their data or communications into the cloud, the truth is there are many businesses today offering highly secure, HIPAA-compliant apps for storing, sending, and receiving sensitive and regulated data.
In fact, in many ways today the cloud is actually a safer place for your data than your own servers. The key is to find the right cloud tools and apps for safeguarding your healthcare communications.
4. Upgrade your in-house fax infrastructure to a HIPAA compliant fax service
Nobody ever thinks of this one, but faxing is still one of the most commonly used communication methods in today's healthcare industry. The problem is, the traditional healthcare fax infrastructure -- desktop fax machines, in-house fax servers, analog fax phone lines -- are all vulnerable to patient data leaks and even HIPAA violations.
To list one example, paper faxes left sitting on an office fax machine can lead to unauthorized personnel viewing documents containing highly personal patient information. And even if this is an innocent mistake and doesn't lead to medical identity fraud, because this process can compromise patient privacy it can still fall short of HIPAA compliance.
A far better approach -- not only from a security and compliance standpoint but also in terms of improved staff productivity and fewer fax headaches for your IT team -- is to outsource your entire fax infrastructure to reliable and trusted cloud fax service provider.
5. Stay current on the latest data-breach threats and regularly update your staff
Unfortunately, hackers are getting more sophisticated every year. There's big money in stealing personal data, after all -- particularly patients' healthcare records -- and cyber thieves are responding to healthcare providers' increasingly fortified networks by devising even more clever workarounds.
Part of your ongoing task will be to keep your team informed about the latest tricks, scams, and threats to your company's communications and data -- and to hold regular company-wide updates to make sure everyone in your organization knows about them, too.
Don't let the cyber bad guys catch you or your team off-guard.