The American Recovery and Reinvestment Act (ARRA) mandated that health care organizations comply with the Health Insurance Portability and Accountability Act (HIPAA) and implement electronic records systems by 2015. That date has passed, and now all complying health care organizations are storing their patients’ records electronically.
Five Ways to Comply With HIPAA Regulations
This digital storage simplifies access, updates, reporting and use by physicians and their patients, but it also brings with it the same threats to data that financial organizations have faced for years. In fact, stolen health credentials are worth roughly $10 each, which is 10 to 20 times more valuable than credit card information. Health care providers need to address these issues to safeguard their patient records and comply with HIPAA regulations.
1. Admin Controls and Employee Training
Health care organizations should act like high-tech financial institutions to assure compliance with government regulations and the proper handling of patient records. It’s no longer acceptable to have a few casual rules about access to records and filing cabinets. Offices need to have updated policies on hand and available to their employees.
Employees must be personally guided through security measures, office procedures and privacy rules, complete with sign offs at critical stages. Even before training, every employee should pass a background check to establish trust.
2. Physical Access
Locked file cabinets don’t protect electronic health record (EHR) data. Offices must establish systems that are inaccessible to unauthorized individuals and verify the identity of all system users.
A list of users authorized to access the health records systems must be maintained. It should include methods to create and update secure passwords as well. Since the data is stored on computers, the office must have disaster recovery plans that are tested to be functional and reliable.
3. Audit User Access
Workstations need to be secured by passwords and automatically log users out of sessions when there is no activity for a specified period. External access to other networks and the internet must be locked so patient data can’t be transmitted outside the confines of the office and hacking tools can’t find their way into the system. Additionally, workstations should have their own individual functions and access rights that limit users to the type of work and access defined for that workstation, regardless of the user’s access rights.
4. Media Controls
Protecting data that resides in the EHR system is important, but controlling how and if that data moves outside the office is an issue that deserves more consideration than might initially be imagined. While health records are maintained in central data storage or even cloud-based systems, that data is also transmitted to local devices as it is used. So when disposing of equipment such as workstations and printers, it’s important to digitally scrub them before selling, donating or otherwise removing them from service.
Today’s printers store the documents sent to them for printing on internal hard drives. Health care records sent to the printer can remain in the printer’s storage and be extracted by an enterprising data thief. Workstations, printers and many other devices also store network authentication credentials that can be leveraged to gain access to office networks. Establish effective procedures to examine and clean data from equipment as part of your replacement cycle.
5. Data Encryption
All EHR data should be encrypted. While this seems an obvious step, many data theft events have been successful because user credentials were not encrypted, allowing intruders to log in to systems, freely view the data and extract what they wanted. The issue is that validated users have access to encrypted data because they are authorized to access it in its unencrypted form.
To be effectively protected, health care data must be encrypted and segmented so that authorized users are only able to access data specific to their needs. That can prevent full-scale data theft. The first line of defense, however, must be the encryption of user credentials so that thieves are not able to masquerade as valid users.
Locate Your Liabilities
Security intelligence solutions can be effective in preventing or limiting data theft and protecting patient records from being accessed by unauthorized parties. Health care providers need to understand where their liabilities are and take measures to secure all possible points of intrusion.
Read the IBM X-Force Research Report: Security Trends in the Health Care Industry