The definition of a Data Breach, as given by the Department of Health and Human Services (HHS.gov), is: “An incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.”
With 120 million patient records compromised in 2015, more than 90% of healthcare organizations in a recent study have had breaches, and 43% of those breaches were caused by user error rather than malicious attacks.* These are 5 key things you should be doing to help prevent accidental data breaches:
1. Encryption: Encrypt all drives that hold PHI (Patient Health Information). There are many ways to encrypt a drive, from free software from Microsoft to more complex key management servers from Symantec. The important thing here is that if someone steals a computer, or that computer is retired, the data cannot be retrieved from the system because it is encrypted. This is also a good time to talk about where PHI is located. If you store your company PHI only on a server, then you only need to encrypt one device. If you store the data on multiple user PCs, servers, etc., this becomes much more complex and opens many more possibilities for accidental breaches. Users should be able to store all data in software or folders on a domain server, and you can even restrict the rights to store that data on the local computers.
2. Password policies: Yes, this is a sore subject. The multitude of passwords that an employee needs to know to access the computer, network, applications and websites can be daunting, but there are solutions for that. Most IT vendors are now able to offer password management as part of their services; with this, your employee will only need to remember one password!
That being said, your passwords need to meet these specifications, because passwords such as “password” and “abc123” are simply not sufficient to protect data:
a. A password should protect all access to PHI data.
b. Passwords need to meet security standards such as: 8 or more characters, letters, and symbols, with a requirement to use all three of those items within the password.
c. There should be a forced time period to change passwords, and old passwords should not be allowed to be repeated.
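As an added illustration (not part of the original article), the following Python code enforces points (b) and (c) above the way a small in-house application or an IT vendor's password-management service might: it checks length, letters and symbols, forces a change after a maximum age, and rejects reuse against a history of salted hashes rather than stored plaintext passwords. The 90-day rotation period and the history depth of 10 are assumptions; the article does not specify them.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8                       # article: 8 or more characters
MAX_AGE_SECONDS = 90 * 24 * 60 * 60  # assumed rotation period (article gives none)
HISTORY_DEPTH = 10                   # assumed number of old passwords that may not be reused


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest so the reuse history never stores old passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def complexity_problems(password: str) -> list:
    """Return the rules from point (b) that the candidate password fails (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("contains no symbols")
    return problems


class PasswordRecord:
    """Per-user state: salted hashes of previous passwords and the time of the last change."""

    def __init__(self):
        self.history = []       # list of (salt, digest), newest last
        self.changed_at = None  # epoch seconds of the last successful change

    def must_change(self, now: float) -> bool:
        """Point (c): force a change once the current password is older than MAX_AGE_SECONDS."""
        return self.changed_at is None or now - self.changed_at > MAX_AGE_SECONDS

    def was_used_before(self, password: str) -> bool:
        """Compare against the last HISTORY_DEPTH entries using constant-time comparison."""
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.history[-HISTORY_DEPTH:])

    def set_password(self, password: str, now: float) -> list:
        """Apply rules (b) and (c); return the list of violations (empty on success)."""
        problems = complexity_problems(password)
        if self.was_used_before(password):
            problems.append("password was used recently")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.changed_at = now
        return []
```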
3. Education: Your employees need to know what you are protecting, how you are protecting it and why you are protecting it. This will give them a much better understanding of what is expected of them and how to avoid accidental data breaches. Your IT vendor should be able to hold an educational lunch-and-learn with you and your employees to go over what you are doing now and what you should change to better protect your data.
4. Policies: Along with education, your company needs to put in place policies and procedures that enforce the education and give boundaries to employees. Not only will they be educated on what needs to be done with PHI, they will also have a company policy to fall back on. This also gives a HIPAA auditor information about how your company is treating PHI in the event of an audit.
5. Business Associate Agreements (BAA): A BAA is an agreement between a company that holds PHI and any of its vendors that may come in contact with PHI. This agreement helps protect your company from accidental data breaches outside of your company, network and employees. Vendors that fall into this category include IT vendors, cleaning crews, trash removal services, record storage companies and software vendors, just to name a few. Your IT vendor should be able to provide you with a generic BAA that you can customize to your needs. This helps your vendors understand their responsibilities when it comes to the services they provide to you, as well as protecting you from accidental vendor breaches.
If you have any questions or concerns about PHI, HIPAA, or security questions in general, please contact us at firstname.lastname@example.org or call us at 520.751.0888.
*Source: “Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data,” Ponemon Institute