A survey from the Verizon Enterprise revealed that 46% of healthcare patient data breaches are attributed to lost or stolen devices containing electronic Protected Health Information (ePHI). While many of these small healthcare practices are aware that patient data breaches hurt business, most of them can take simple steps to protect their sensitive patient data. Take these recommended preventative measures to reduce the likelihood of a data breach within your practice.
1. Encrypt patient data
Encrypt patient data that is stored on all d
evices, including mobile phones and computers. Passwords should also be required on all of these devices for access. This protects your data if devices are stolen and reduces your liability to HHS breach reporting, as the data cannot be accessed without proper authentication.
2. Invest in technical security
Healthcare practices need to invest in the basic security controls, as EHR system and other business workflow processes are being automated rapidly: a firewall and antivirus software. A firewall monitors online traffic in and out, while antivirus and anti-malware programs protect company devices from virtual attacks. These software programs need to be updated regularly to remain current and to protect the practice against new threats.
3. Be wary of e-mail attachments and links
Even if you have a firewall and/or antivirus protection, your mobile, laptop, and other internet connected devices are not always safe from online attacks. Don’t download anything from an unknown source, and thoroughly screen attachments before downloading.
4. Periodic Security audit
You may consider hiring a HIPAA professional to evaluate your company computers and networks and recommend any additional protection according to HIPAA security rules, at the minimum. This person will be able to detect potential problems or leaks and direct you on how to protect patient data. In addition, having an IT professional that you can rely on is important to help you reboot or recover lost information in the case of an attack.
5. Back up data
Backing up your critical patient data ensures that information can be recovered if lost (due to a virus or computer failure) or stolen (from a USB drive, laptop, etc.), to maintain continuity of care. Regularly backing up data ensures that you don’t lose important documents or information if something goes awry. If you’re looking for cloud storage options, some of the top services are Dropbox, Google Drive, Box or SkyDrive (most of them sign Business Associate contract). Keep in mind all PHI needs to be encrypted before it is stored with cloud services.
6. Business Associate (BA) Agreements
If outsourcing your patient data services, a business associate contract can protect you by requiring the other party to assume liability for any lost data. A Services Agreement for Proprietary Management System is one such agreement to help protect proprietary information that outside parties may be privy to.
7. Staff Training
Perhaps most importantly, you need to teach all of the strategies in this guide to your employees and implement policies concerning how they access and share patient data. Teach employees how to treat patient data, such as what to keep, where to keep it, what to get rid of, and how to get rid of it—and remind them that they are accountable if they do not follow these procedures. By thoroughly educating the people who regularly use company devices and access data, you create a strong defense against attacks and lost information.
Latest posts by EHR 2.0 (see all)
- Trump Administrations’ Effect on Healthcare Organizations - January 23, 2017
- HIPAA Fine for Lack of Timely Breach Notification - January 11, 2017
- HIPAA Compliance 2016 Year in Review - January 9, 2017