Looking back to 2021, the healthcare industry was challenged to adapt to patient surges, remote workers, staffing shortages, and more. Throughout the past year, hospital organizations and HIPAA pivoted to be nimbler with actions such as relaxing compliance guidelines on telemedicine to improve patient care but may also have created new security gaps.
Looking forward to 2022, Data Privacy Day is a wonderful opportunity to generate awareness about the importance of privacy, highlight simple ways to protect personal information, and reminds organizations in all industries that privacy is good for business.
To help you celebrate, we’re sharing 10 key tips to protect your employees, patients, and organization as a whole.
1. Carry out a Security Assessment
Cybersecurity attacks and PHI breaches are at an all-time high. It only takes one security compromise to jeopardize critical operations and damage an organization’s reputation. Performing a comprehensive security assessment helps organizations understand their current security posture, uncover potential security gaps, and gain insight on how to improve existing policies and procedures. After you assess, continue performing regular security audits throughout the year to monitor the effectiveness of the security strategy you have in place.
2. Restrict access to PHI
Take some time to audit who has access to PHI internally, and whether it’s necessary. Role-based access control is a great way to restrict sensitive data without bottle-necking privacy team resources. Externally, with the information blocking provision starting October 6, 2022, it’s good to brush up on what third parties may or may not have the right to access to electronic PHI. We recommend reading this ONC blog post to learn more about information blocking.
3. Vet Third-Party Vendors
Whether it’s a video conferencing provider, consultant, or any other third-party solution that shares PHI, each vendor should be carefully vetted for compliance.
4. Use Two-Factor Authentication
Cybersecurity attacks have become increasingly sophisticated, making simple usernames and passwords obsolete. Two-factor authentication is mandatory for any cloud-based solution ranging from chat applications to your EMR solution. In addition to a username and password, 2FA typically requires a code, fingerprint scan, or a combination of methods to further secure information.
5. Encrypt PHI Both at Rest and in Transit
In addition to two-factor authentication, encryption is a great layer of defense to add to your privacy and security strategy. Any device that may potentially contain PHI data should be encrypted. This includes, mobile phones, tables, laptops and PC’s that can potentially be lost or stolen. In addition to physical devices, PHI sent through email should also be encrypted.
6. Secure Your Physical Assets
A frequently overlooked strategy is to simply ensure your physical assets, such as servers, are only accessed by authorized personnel. Use security cameras, alarm systems and electronic door access to protect all physical assets which may contain PHI. If you have encryption in place, that adds even another layer to protecting your physical assets.
7. Securely Migrate or Dispose of Old Data
Old data and legacy servers can be both a frustrating and costly endeavor, especially if that data is costing your organization monthly fees to maintain. If you’re considering migrating legacy data, but don’t have the resources, iatricSystems’ report writing team can help safely migrate data and get rid of monthly fees. If equipment that contains sensitive data needs to be destroyed. We recommend going back to step 3 and vet reputable vendors who can properly dispose and document the destruction of the equipment. For more information about iatricSystems' Data Extract Suite, contact us and our report writing team will assist you.
8. Protect Against External Threats
Protecting against external threats is too oftenly thought as synonymous with having a firewall. The reality is cybercriminals are becoming more sophisticated every day and firewalls that only guard against known threats are simply not enough. Covalence is a plug-and-play solution that protects against the known as well as the unknown. With easy-to-use features and a team of experts who monitors your networks 24/7, Covalence is our pick to proactively prevent external threats.
9. Implement an Incident Response Plan
If you’ve been following our tips, your organization is well set to defend against any internal or external threat, but the unfortunate reality is, PHI data is never 100% safe. In the event of a data breach, time is the most critical element. Have an incident response plan ready, and communicate roles to each individual responsible to resolve the incident. Take note, HIPAA requires organizations to notify affected individuals within 60 days, and following standard communication protocols goes a long way to reducing fees and reestablishing patient trust.
10. Managed Services
Have you been thinking you want to change your patient privacy program to be more proactive, or that you want to ensure you’re fully prepared for a potential OCR audit? The truth is, with the current staffing shortages and patient surges you may not have the resources to accomplish these goals alone. Simply bolster your privacy team with patient privacy managed services from an organization you can trust.