HIPAA is the pioneering effort of the U.S. in the protection of individual health information and leads the way for other countries to incorporate similar protection laws for PHI.
Sensitive data like PHI has been the target in most cases. Protected Health Information (PHI) is any information that unscrupulous elements can use to identify a patient as per HIPAA. ePHI is an electronic record. Any information related to the health, treatment, or billing that identifies a patient is considered PHI.
You may ponder that cybersecurity measures have been becoming more stringent year after year and that your data should be safe. Unfortunately, that is not the case.
The HIPAA journal reveals the following insights
- 25% year-over-year increase in healthcare data breaches.
- Healthcare data breaches have doubled since 2014.
- 642 healthcare data breaches of 500 or more records were reported in 2020.
- 76 data breaches of 500 or more healthcare records were reported each day in 2020.
- 2020 saw more than 29 million healthcare records breached.
- One breach involved more than 10 million records and 63 saw more than 100K records breached.
- Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
- 3,705 data breaches of 500 or more records have been reported since October 2009.
- 78 million healthcare records have been breached since October 2009.
Why is ePHI so attractive to hackers?
Medical records have information that offers multiple opportunities like identity theft, prescription abuse, insurance frauds, blackmail, credit card theft, etc. Organizations have adopted federal laws for electronic health records(EHR) without adequate IT security.
How do HIPAA data breaches happen?
Today there are multiple ways that data breaches happen. It could be a healthcare employee opening an email attachment or a malware attack or hacking any servers or portable mobile devices or forms used to fill ePHI information. Many times mobile apps have vulnerabilities and cyber-attacks like malware and ransomware cause data breaches.
How to Protect ePHI from Healthcare Data Security Risks
HIPAA mandates the protection of PHI by law. So how can you protect ePHI in your organization? There are some ways to protect ePHI data.
It’s best to do periodic HIPAA assessments. Assessments will help understand what weaknesses are there in your healthcare system regarding the protection of ePHI. You could consult the right IT firm to assist in evaluations and be compliant with handling ePHI records.
Post assessment, you know weaknesses and vulnerabilities in the system. You can create a plan to improve weak areas and mitigate data security vulnerabilities.
Audits will help measure the progress of remediation measures undertaken to post the HIPAA assessment undertaken earlier.
Let’s look at some other measures here.
- Access management:
Role-based access can help segregate data access to the people who need to have access to the data. Limiting access is one of the ways of securing ePHI and is applicable in a few scenarios. All departments need not have access to billing records. Similarly, billing department staff need not see details of medical records. Limit the exposure of your ePHI and minimize the risk of ePHI data breaches.
- Encrypting Hard drives:
Protection of hard drives with data encryption is essential to prevent data access if the hard disk or drive is stolen or lost.
- Email encryption:
Sensitive data, be it financial or ePHI, must be sent only on encrypted email services. Email encryption may involve a password, code, or link that provides access to the content.
Secure your IT networks with firewalls. There are different solutions available, and cloud-based firewall security (Firewall-as-a-Service) can help reduce costs too.
- Destroy old data disks:
There are ways to retrieve data from old and damaged hard disks, even if they may be encrypted. Old and decommissioned hard drives must be destroyed.
- Password protection of computers:
Computers should be protected with usernames and passwords as per defined IT policies. Organizations should preferably change passwords every few months, and an IT policy should have this covered. If used, Electronic Record Programs (EMR) need to have a separate login and password for enhanced security.
- Protecting mobile devices:
Organizations must protect company-owned mobile devices like tablets and smartphones to access ePHI data with passwords. Mobile devices that get lost puts ePHI data at risk.
- Multi-factor Authentication:
Enhanced security for accessing ePHI involves multiple authentications like a password plus verification with a texted code to the user’s mobile device or a biometric authentication like fingerprints or use a token that generates random codes.
- Periodic training:
People tend to forget about being cautious about security breaches and need to be reminded with ongoing training to alert them to cyber-attacks and breach attempts.
- Business Associate Agreements:
If you are working with partners or medical providers who may have access to ePHI data, you should have a BAA (Business Associate Agreement) to safeguard the use of ePHI data securely.
- Secure ePHI data:
Organizations can prevent unauthorized access to systems containing PHI or ePHI like server machines or physical lockers. Securing access could mean locking a server room or lockers that may store these data.
Physical security measures are also needed. It can take the following forms:
Importance of being vigilant and ready
Despite all the security measures, organizations carry some amount of risk to their ePHI data. It becomes vital for healthcare organizations to be vigilant and ready to act in case of any breach. You should have a planned response for any breach possibility. The response must be designed well in advance and should be easy to execute.
Real-time threat intelligence and protection helps in securing unexpected user behaviors and application anomalies.
Kogni health from Resolve is a highly extensible data discovery and security platform that offers healthcare organizations a single pane view of all their data. Custom designed machine learning techniques help classify, tag data across the organization and even mask data based on the access level. Businesses can prioritize the protection of high-risk data and ensure regulatory compliance without having to spend years identifying and organizing existing data. Kogni health monitors all data and is geared to provide sensitive data alerts to help manage policy violations fast empowering for swift actions and remediation.
Whether you are a care provider, payer, pharma or medical equipment manufacturer, if you are in the healthcare business you can rely on data management and data security solutions from Resolve.
Schedule a demo to learn more about how your company can leverage highly extensible data discovery and security platform to drive the best outcomes and maximize your ROI.