What are the best ways for healthcare executives to keep protected health information secure? Here are some tips.
A few years ago, 80 million people had their protected health information stolen after hackers obtained access through spear-phishing emails they had sent to a subsidiary of Anthem Inc. One or more of its employees responded to the email, resulting in a series of cyberattacks from December 2014 through January 2015 in the largest health data breach in U.S. history.
The Blue Cross Blue Shield carrier paid $16 million in settlement fees to the federal government and agreed to take corrective action to abide by HIPAA rules.
And just as Anthem paid the price for failing to have a system in place to detect hackers, healthcare executives who cut corners and fail to follow security procedures are at risk of incurring massive fines and losing public trust.
The need for healthcare organizations to take an active role in protecting PHI has never been greater, as the number of healthcare data breaches continues to rise. Since 2010, hackers have gained access to more than 175 million healthcare records, according to research published in the Journal of the American Medical Association.
Keep information secure
What are the best ways for healthcare executives to keep PHI secure? Here are some tips.
1. Prioritize
It’s not enough to have technology or rules in place if no one follows them. Be sure to audit and train staff members continuously on what to do so they can be aware of security requirements. This ranges from understanding what is acceptable to talk about in public areas to knowing what a phishing email looks like and how to react to it.
Related: Five Ways to Improve Your Health Organization's Cybersecurity
One way to test for the latter is to do random phishing tests, in which you send a phishing email to all employees and see who clicks on it. Then, use that as a training opportunity to make sure staff is consistently staying alert to potential exploits.
Just remember, quality is more important than quantity when it comes to training. Although 88% of healthcare provider and insurance company employees reported that they received security training, 17% admitted they still write down their username and password, and 19% said they would sell confidential data, according to an Accenture survey.
2. Control access to any PHI
Decide who gets access to PHI at your healthcare organization based on need. For example, make sure all applications and software allow for role-based access, and keep these access protocols updated and enforced as employees are promoted, move to other departments, or leave the organization.
It’s also important to control physical access to any PHI, making sure it stays on the premises whenever possible. If information must leave, be sure any hard drives are encrypted and protected by passwords to prevent a breach if the storage medium is lost or stolen.
You should also have a plan in place to track the movement of electronic media and mobile devices, knowing at all times which employees are responsible for these devices.
3. Evaluate security practices
Many healthcare organizations partner with vendors to deliver services, manage their data, and optimize operations. Make sure your employees have the same dedication to maintaining security over data as you do. One thing to look for in a vendor is whether it has undergone any security certifications, like HITRUST.
You should also ensure the vendor has signed a business associate agreement. A Florida provider, Advanced Care Hospitalists (ACH), agreed to do business with a medical billing service several years ago but later learned that the person it was dealing with was using the service’s name and website without permission. ACH discovered this when patient information was made public on the service’s website. ACH ended up paying $500,000 in settlement fees for sharing PHI with an unknown vendor without a business associate agreement.
4. Secure your communications
There’s no avoiding the phone, email, and even fax when healthcare providers are communicating with patients, payers, and others. Therefore, it’s vital that any communications be secure and HIPAA-compliant. That means encrypting all outbound email messages that contain PHI and, after you receive the information, making sure it’s secure.
According to a recent study, more than half of healthcare data breaches are due to the negligence of hospitals, doctors’ offices, and insurance companies. This underscores the need to establish secure communications protocols and regularly train personnel on them.
By following these steps to ensure your patients’ health information is protected, you can avoid falling victim to a security breach that could have been prevented.
Hoala Greevy is the founder and CEO of Paubox, the only HITRUST CSF-certified seamless secure email solution. Hoala also founded Pau Spam, an email-filtering software service.
In the Scope of Virtual Health and the Future of “Website” Manner, Per Ateev Mehrotra
August 10th 2023Briana Contreras, an editor of Managed Healthcare Executive, had the pleasure of catching up with MHE Editorial Advisory Board Member, Ateev Mehrotra, MD, MPH, who is a professor of healthcare policy at Harvard Medical School and an Associate Professor of Medicine and Hospitalist at Beth Israel Deaconess Medical Center.
Listen