Five Ways to Comply With HIPAA Regulations

The American Recovery and Reinvestment Act (ARRA) mandated that health care organizations comply with the Health Insurance Portability and Accountability Act (HIPAA) and implement electronic records systems by 2015. That date has passed, and now all complying health care organizations are storing their patients’ records electronically.

This digital storage simplifies access, updates, reporting and use by physicians and their patients, but it also brings with it the same threats to data that financial organizations have faced for years. In fact, stolen health credentials are worth roughly $10 each, which is 10 to 20 times more valuable than credit card information. Health care providers need to address these issues to safeguard their patient records and comply with HIPAA regulations.

1. Admin Controls and Employee Training

Health care organizations should act like high-tech financial institutions to assure compliance with government regulations and the proper handling of patient records. It’s no longer acceptable to have a few casual rules about access to records and filing cabinets. Offices need to have updated policies on hand and available to their employees.

Employees must be personally guided through security measures, office procedures and privacy rules, complete with sign-offs at critical stages. Even before training, every employee should pass a background check to establish trust.

2. Physical Access

Locked file cabinets don’t protect electronic health record (EHR) data. Offices must establish systems that are inaccessible to unauthorized individuals and verify the identity of all system users.

A list of users authorized to access the health records systems must be maintained. It should include methods to create and update secure passwords as well. Since the data is stored on computers, the office must have disaster recovery plans that are tested to be functional and reliable.

3. Audit User Access

Workstations need to be secured by passwords and automatically log users out of sessions when there is no activity for a specified period. External access to other networks and the internet must be locked so patient data can’t be transmitted outside the confines of the office and hacking tools can’t find their way into the system. Additionally, workstations should have their own individual functions and access rights that limit users to the type of work and access defined for that workstation, regardless of the user’s access rights.

4. Media Controls

Protecting data that resides in the EHR system is important, but controlling how and if that data moves outside the office is an issue that deserves more consideration than might initially be imagined. While health records are maintained in central data storage or even cloud-based systems, that data is also transmitted to local devices as it is used. So when disposing of equipment such as workstations and printers, it’s important to digitally scrub them before selling, donating or otherwise removing them from service.

Today’s printers store the documents sent to them for printing on internal hard drives. Health care records sent to the printer can remain in the printer’s storage and be extracted by an enterprising data thief. Workstations, printers and many other devices also store network authentication credentials that can be leveraged to gain access to office networks. Establish effective procedures to examine and clean data from equipment as part of your replacement cycle.

5. Data Encryption

All EHR data should be encrypted. While this seems an obvious step, many data theft events have succeeded because user credentials were not encrypted, allowing intruders to log in to systems, freely view the data and extract what they wanted. The issue is that validated users can read encrypted data because they are authorized to access it in its unencrypted form.

To be effectively protected, health care data must be encrypted and segmented so that authorized users are only able to access data specific to their needs. That can prevent full-scale data theft. The first line of defense, however, must be the encryption of user credentials so that thieves are not able to masquerade as valid users.
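To make concrete what protected credentials, segmented access and the idle-session control from section 3 look like in code, here is an added example that is not from the original post or any IBM product: credentials are stored as salted one-way PBKDF2 digests (the standard way to protect stored credentials, used here in place of reversible encryption) and verified in constant time, a workstation session expires after inactivity, and each record segment is readable only by the roles that need it, with every attempt written to an audit trail. The role names, segment names, 600-second idle limit and round count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Which roles may read which part of a record (constructed for this example).
# Segmenting the record is what keeps one valid login from exposing everything.
SEGMENT_ROLES = {
    "demographics": {"front_desk", "nurse", "physician"},
    "clinical_notes": {"nurse", "physician"},
    "billing": {"front_desk"},
}
IDLE_TIMEOUT_SECONDS = 600      # assumed workstation idle limit (section 3)
PBKDF2_ROUNDS = 600_000         # slow hash so a stolen digest resists guessing


def enroll(password):
    """Keep only a random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute the digest and compare in constant time to avoid timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Session:
    """A logged-in user on one workstation; expires after a period of inactivity."""
    def __init__(self, user, role, started_at):
        self.user, self.role, self.last_seen = user, role, started_at

    def active(self, now):
        if now - self.last_seen > IDLE_TIMEOUT_SECONDS:
            return False
        self.last_seen = now
        return True


def read_segment(session, record, segment, now, audit):
    """Return one segment only if the session is live and the role needs it; log either way."""
    if not session.active(now):
        audit.append((now, session.user, segment, "denied: session expired"))
        return None
    if session.role not in SEGMENT_ROLES.get(segment, set()):
        audit.append((now, session.user, segment, "denied: role not permitted"))
        return None
    audit.append((now, session.user, segment, "granted"))
    return record.get(segment)
```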

Locate Your Liabilities

Security intelligence solutions can be effective in preventing or limiting data theft and protecting patient records from being accessed by unauthorized parties. Health care providers need to understand where their liabilities are and take measures to secure all possible points of intrusion.
