Five Ways to Comply With HIPAA Regulations

The American Recovery and Reinvestment Act (ARRA) of 2009, through its HITECH provisions, strengthened enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and pushed health care providers to adopt electronic health record systems, with Medicare payment penalties for providers that had not done so beginning in 2015. That date has passed, and most health care organizations now store their patients’ records electronically.

This digital storage simplifies access, updates, reporting and use by physicians and their patients, but it also exposes the data to the same threats that financial organizations have faced for years. Stolen health credentials have been reported to sell for roughly $10 each, 10 to 20 times the price of stolen credit card data. Health care providers need to address these threats to safeguard their patient records and comply with HIPAA regulations.

1. Admin Controls and Employee Training

Health care organizations should operate like high-tech financial institutions to ensure compliance with government regulations and the proper handling of patient records. It is no longer acceptable to have a few casual rules about access to records and filing cabinets. Offices need current, written policies on hand and available to every employee.

Employees must be walked through security measures, office procedures and privacy rules, with sign-offs at critical stages so that the training is documented. Before training, and before being granted any access to patient records, every employee should pass a background check.

2. Physical Access

Locked file cabinets don’t protect electronic health record (EHR) data. Offices must keep the systems holding that data out of reach of unauthorized individuals, both physically (server rooms, workstations, backup media) and logically, and must verify the identity of every system user before granting access.

A list of users authorized to access the health records systems must be maintained, together with procedures for creating and updating secure passwords and for revoking access promptly when someone leaves or changes role. Since the data lives on computers, the office must also have disaster recovery plans, with backups that are tested regularly to confirm they can actually be restored.

3. Audit User Access

Workstations need to be secured by passwords and must automatically lock or log users out after a defined period of inactivity. Network access from workstations that handle patient data should be restricted so that records cannot be sent to unapproved destinations and malware cannot be downloaded onto the system. Additionally, each workstation should have its own defined function and access rights that limit users to the type of work designated for that workstation, even when the user’s own account would permit more elsewhere. Finally, access to records must be logged: the HIPAA Security Rule requires audit controls that record and allow examination of activity in systems containing electronic protected health information, and those logs should be reviewed regularly rather than merely collected.
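As an added example (not code from the original article), the following Python script reviews an EHR access audit log of the kind the audit-controls requirement produces and flags three things a reviewer would look for: a user working from a workstation not assigned to their role, access outside business hours, and one account pulling many distinct patient records in a short window. The log format, the role-to-workstation mapping, the clinic hours and the thresholds are all assumptions, and the log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed mapping: which workstations each role is permitted to use.
ROLE_WORKSTATIONS = {
    "physician": {"WS-EXAM-1", "WS-EXAM-2"},
    "reception": {"WS-FRONT-1"},
    "billing": {"WS-BILL-1"},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed clinic hours
BULK_WINDOW = timedelta(minutes=5)           # assumed review window
BULK_THRESHOLD = 5                           # assumed: more than 5 distinct patients per window is suspicious

# Constructed sample audit lines: timestamp user role workstation action patient_id
SAMPLE_LOG = """\
2023-03-01T09:02:11 dr_lee physician WS-EXAM-1 view P1001
2023-03-01T09:04:45 dr_lee physician WS-EXAM-1 view P1002
2023-03-01T09:10:02 recep_ann reception WS-FRONT-1 view P1003
2023-03-01T09:11:30 recep_ann reception WS-EXAM-2 view P1004
2023-03-01T02:15:00 bill_sam billing WS-BILL-1 export P1005
2023-03-01T10:00:00 bill_sam billing WS-BILL-1 view P1006
2023-03-01T10:00:05 bill_sam billing WS-BILL-1 view P1007
2023-03-01T10:00:09 bill_sam billing WS-BILL-1 view P1008
2023-03-01T10:00:14 bill_sam billing WS-BILL-1 view P1009
2023-03-01T10:00:20 bill_sam billing WS-BILL-1 view P1010
2023-03-01T10:00:31 bill_sam billing WS-BILL-1 view P1011
"""


def parse_line(line):
    """Split one space-separated audit line into a dict with a parsed timestamp."""
    ts, user, role, ws, action, patient = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "ws": ws, "action": action, "patient": patient}


def analyze(log_text):
    """Return a list of (rule, user, detail) findings, in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    recent = defaultdict(list)   # user -> events inside the current bulk window
    bulk_flagged = set()         # report bulk access once per user

    for e in events:
        # Rule 1: workstation not assigned to the user's role
        if e["ws"] not in ROLE_WORKSTATIONS.get(e["role"], set()):
            findings.append(("workstation_mismatch", e["user"], e["ws"]))

        # Rule 2: access outside business hours
        if not (BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"], e["ts"].isoformat()))

        # Rule 3: too many distinct patients by one user within the window
        window = recent[e["user"]]
        window.append(e)
        cutoff = e["ts"] - BULK_WINDOW
        window[:] = [w for w in window if w["ts"] >= cutoff]
        distinct = {w["patient"] for w in window}
        if len(distinct) > BULK_THRESHOLD and e["user"] not in bulk_flagged:
            bulk_flagged.add(e["user"])
            findings.append(("bulk_access", e["user"], len(distinct)))

    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG):
        print(f"{rule:22} {user:12} {detail}")
```

On the constructed log this reports the receptionist at an exam-room workstation, the billing account exporting a record at 2:15 a.m., and the same account viewing six patients in half a minute. In practice the same rules would run against logs exported from the EHR to a central log store, so that an attacker with a stolen account cannot also erase the evidence of what they read.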

4. Media Controls

Protecting data that resides in the EHR system is important, but controlling how and whether that data moves outside the office deserves more consideration than it usually gets. Even when health records are kept in central data storage or a cloud-based system, copies are transmitted to local devices as the records are used, and fragments remain in caches, spool files and temporary storage. So when disposing of equipment such as workstations and printers, it is essential to sanitize them before selling, donating or otherwise removing them from service.

Many office printers and multifunction devices store the documents sent to them on internal hard drives or flash memory. Health care records sent to the printer can remain in that storage and be extracted by an enterprising data thief. Workstations, printers and many other devices also hold network authentication credentials (Wi-Fi keys, scan-to-folder or e-mail passwords, domain accounts) that can be leveraged to gain access to office networks. Establish effective procedures to inventory, examine and sanitize equipment as part of your replacement cycle, and keep a record of what was done to each device. NIST SP 800-88 describes sanitization methods appropriate to each type of media; deleting files or running a quick format is not sufficient.

5. Data Encryption

All EHR data should be encrypted, both at rest and in transit. While this seems an obvious step, many data theft events have succeeded because user credentials were stored in the clear, allowing intruders to log in as legitimate users, freely view the data and extract what they wanted. Encrypting the records alone does not stop this: an authenticated user is authorized to see the data in its unencrypted form, so anyone holding that user’s credentials sees it too.

To be effectively protected, health care data must be encrypted and segmented so that authorized users can reach only the data their role requires; a compromised account then exposes one segment rather than the whole store. The first line of defense, however, is protecting the credentials themselves: stored passwords should be kept as salted, deliberately slow hashes rather than reversibly encrypted (a key that can decrypt them is just one more thing for a thief to steal), and logins should require a second factor, so that thieves cannot masquerade as valid users.
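As an added example, not from the original article, the following Python contrasts a credential store an intruder can read back with one that actually protects the credentials: an unsalted fast hash (what "encrypted credentials" too often means in practice) falls to a single precomputed lookup over a wordlist, while a per-user salted PBKDF2-HMAC-SHA256 hash must be attacked one account at a time at full cost and is compared in constant time. The user names, passwords, wordlist and work factor are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune so one verification takes ~100 ms
SALT_BYTES = 16


# --- The weak way: one unsalted, fast hash per password ---------------------------

def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(table: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """One pass over the wordlist recovers every account whose password is listed,
    because identical passwords hash identically and the table can be precomputed."""
    lookup = {weak_hash(w): w for w in wordlist}
    return {user: lookup.get(stored) for user, stored in table.items()}


# --- The hardened way: per-user random salt and a deliberately slow KDF -----------

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


# Constructed sample data (assumed accounts and passwords, for illustration only)
WORDLIST = ["password", "Welcome1", "clinic2023", "letmein"]
WEAK_TABLE = {
    "dr_lee": weak_hash("clinic2023"),
    "recep_ann": weak_hash("Welcome1"),
    "bill_sam": weak_hash("T7#q!v9zLmXp"),   # not in the wordlist, so it survives
}


if __name__ == "__main__":
    print("unsalted table cracked:", crack_unsalted(WEAK_TABLE, WORDLIST))
    a, b = hash_password("Welcome1"), hash_password("Welcome1")
    print("same password, different records:", a != b)
    print("verify correct / wrong:", verify_password("Welcome1", a), verify_password("Welcome2", a))
```

Two users with the same password get different stored records because each has its own salt, so a precomputed table is useless and every guess costs the attacker the full iteration count per account. Storing the algorithm and iteration count alongside the hash lets the work factor be raised later without breaking existing logins.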

Locate Your Liabilities

Security monitoring and intelligence tools can be effective in preventing or limiting data theft and keeping patient records from being accessed by unauthorized parties, but they only help if the organization knows what it is protecting. Health care providers need to inventory where protected health information lives and flows, understand where their liabilities are, and take measures to secure every possible point of intrusion.
