In 2020, there were 642 data breaches of healthcare organizations. That’s a new record, up 25 percent from the previous year. In these breaches, the records of millions of Americans were exposed. These incidents occurred at all types of organizations in the industry, including clinics, insurance providers and their health system business associates.
If you’re in the healthcare industry, here are eight steps you can take to ensure that your organization isn’t the next one in the news.
#1. Continually Evaluate HIPAA Compliance
If you’re in healthcare, you probably already know about HIPAA, the Health Insurance Portability and Accountability Act that safeguards Protected Health Information (PHI). Fines for non-compliance can reach millions of dollars and even include jail time, which should be enough to ensure that you take HIPAA seriously. But you should also think of HIPAA as a solid starting point for avoiding major cybersecurity threats.
HIPAA requires annual risk assessments, and it’s not a bad idea to assess your security and compliance even more frequently. In a typical organization a lot of changes are made in a single year, including new software implementations and upgrades, employee turnover and role changes, or mergers and acquisitions—all of which can create vulnerabilities. These assessments are also a great chance to evaluate your internal security policy and incident response plan.
#2. Educate Your Employees
When it comes to data breaches, it can be easy to begin thinking about nefarious hackers in a dark room furiously typing code with the intention of stealing your organization’s records. The truth is that one of the leading causes of healthcare data breaches in 2020 was employee error and organizations reported that 58 percent of their employees ignore cybersecurity employees ignore cybersecurity guidelines.
As a result, it’s critical that organizations make sure all employees within an organization know what personal information can and cannot be shared with patients, caregivers, and others according to HIPAA and any local regulations you need to follow. Give your employees a test of their security knowledge or run simulations through phone calls and emails and reward the employees who respond correctly.
#3. Manage Roles and Access
Keeping medical records secure can be a challenge, especially since they pass through so many hands. However, the access that a doctor needs is different than that of a member of the finance or IT staff. It’s essential that every user has an individual account with role-based access appropriate for their position. The IT administrator should also have full visibility into who accesses or manipulates what data and when. This allows that administrator to identify suspicious activity such as downloading large volumes of data to an unknown IP address.
#4. Subnet Your Network
It may seem like a basic mistake to an IT or security professional, but you might be surprised how many healthcare providers leave patient records exposed to anyone who accesses the publicly available internet. Subnetting, or creating separate subnetworks, allows you to set aside part of your network for the public and others (with more security) for applications that touch medical records or credit cards.
#5. Use Multi-Factor Authentication
The standard username and password isn’t secure enough for users who need to access private patient information. Multi-factor authentication typically requires at least two of the following: something you know (like your password), something you have (like a token), or something you are (like a fingerprint).
A 2015 report by the Office of the National Coordinator for Health IT found that, while hospital support for multi-factor authentication had risen by 53 percent since 2010, only half of small urban hospitals were capable of it. Fifty-nine percent of medium and 63 percent of large institutions had the capability.
If you are a healthcare organization that still doesn’t support multi-factor authentication, it’s a key step to take toward securing your data.
#6. Protect Devices and Be Cautious with BYOD Policies
Most healthcare data breaches occur not because of hackers, but because of stolen or lost devices. Organizations should make sure their devices are encrypted and that they have the ability to wipe those devices remotely.
You should also adopt strong security measures in your Bring-Your-Own-Device (BYOD) policy. Employees will want to have the convenience of easily accessing PHI from their tablets, laptops, or mobile phones, but if one of these devices falls into the wrong hands, the result could be devastating to your company. Here are some steps you should take in your BYOD policy:
- Require strong authentication methods
- Don’t allow medical records to be stored on employee devices
- Prevent devices from connecting to healthcare applications beyond a certain distance from your facility
#7. Ensure Business Associates are Protecting PHI
Healthcare providers rely on a wide network of associated companies and services. Business associates of organizations that must comply with HIPAA are also held to HIPAA standards for protecting patient data and will be fined if they fail to do so. Your business associate agreements with these organizations should be tailored to both HIPAA and any state regulations that apply to your organization.
These associates should be required to develop internal processes to assess security as well as discover and report data breaches. Choose business partners that are agreeable to complying with security best practices or they will be a liability.
#8. Encrypt Data at Rest and in Transit
HIPAA states that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate.” That can be a little hard to interpret, but regardless of HIPAA or other regulations, strong encryption is the best way to protect your data.
HIPAA also says that if encrypted data is stolen, the incident does not constitute a data breach. In other words, you can avoid damaging your reputation by having to notify your patients, the media, and the government by using encryption.
A managed file transfer solution can encrypt your files both at rest and in transit using modern, secure encryption methods. Good MFT software will help ensure that you stay up-to-date as encryption standards change over time, while also making your data transfers simple to manage and audit.
Make Sure That Your Healthcare Data is Safe
GoAnywhere MFT can provide you with comprehensive data security solutions and maintain your organization’s HIPAA compliance.
