For over ten years, October has been recognized in the United States as National Cyber Security Awareness Month (NCSAM). October is a month dedicated to doing our part to ensure the safety and security of information while online.
Are we doing all we can to safeguard electronic protected health information (ePHI)? As healthcare professionals, October provides us with an opportunity to take a closer look at our cybersecurity practices as they relate to protected health information (PHI). Cybersecurity focuses on protecting computers, networks, programs, and data from unintended or unauthorized access, change, or destruction. The objectives of cybersecurity are to protect the availability, integrity, and confidentiality of an organization's and/or user's assets.
Under the HIPAA Security Rule, physicians and other healthcare professionals are required to ensure the protection of ePHI in their offices and information systems. The HIPAA Security Rule ensures the confidentiality, integrity, and availability of all ePHI that you create, receive, maintain, or transmit.
HIPAA Security Rule: Protect ePHI Cybersecurity with a Five Step Action Plan
The five step action plan listed below is not all inclusive, but it does offer five reasonable and effective methods that organizations and individuals can use to safeguard ePHI.
STEP 1. Implement a Password Strength Policy
A strong password policy may be the single most crucial element in protecting ePHI, yet it is frequently disregarded. A strong password requires a mix of letters, numbers, and special characters and is case sensitive. The password should be at least 6 characters (and preferably 8) in length.
A strong password policy mandates that passwords be updated on a regular basis (say, once every three months) and never repeated. Last but not least, passwords should never be revealed to anybody and should not be something simple to guess, like the name of your pet.
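The policy above can be enforced mechanically. The following is an added example, not code from the original article: a small checker that applies the stated rules (6-character minimum, 8 preferred, letters plus numbers plus special characters, mixed case, no reuse, rotation every three months). The 90-day rotation interval and the reading of "case sensitive" as requiring both upper- and lower-case letters are assumptions.

```python
import hashlib
import string
from datetime import date, timedelta

# Thresholds taken from the policy described above; the 90-day figure is an
# assumed reading of "once every three months".
MIN_LENGTH = 6
PREFERRED_LENGTH = 8
MAX_AGE_DAYS = 90


def fingerprint(password: str) -> str:
    """Hash used only to compare against past passwords (never store plaintext).
    A production system should use a salted, slow password hash such as bcrypt;
    SHA-256 is used here only to keep the example dependency-free."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_strength(password: str) -> tuple:
    """Return (errors, warnings). Empty errors means the password is acceptable."""
    errors, warnings = [], []
    if len(password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    elif len(password) < PREFERRED_LENGTH:
        warnings.append(f"{PREFERRED_LENGTH}+ characters preferred")
    # Assumption: "case sensitive" means both upper- and lower-case letters are required.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        errors.append("must mix upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        errors.append("must contain a number")
    if not any(c in string.punctuation for c in password):
        errors.append("must contain a special character")
    return errors, warnings


def check_reuse(candidate: str, previous_hashes: list) -> bool:
    """True if the candidate repeats any password in the stored history."""
    return fingerprint(candidate) in previous_hashes


def needs_rotation(last_changed: date, today: date) -> bool:
    """True once the password is older than the policy's rotation interval."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def evaluate(candidate: str, previous_hashes: list) -> list:
    """Combine the checks into one list of reasons a new password is rejected."""
    errors, _ = check_strength(candidate)
    if check_reuse(candidate, previous_hashes):
        errors.append("must not repeat a previous password")
    return errors
```

A password that passes `evaluate` with no errors but trips a warning (six or seven characters) is accepted under the stated minimum but should prompt the user toward eight.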
STEP 2. Conduct a Regular Security Risk Analysis (SRA)
A security risk analysis should be an ongoing exercise rather than a one-and-done procedure if it is to be effective in protecting ePHI. The HIPAA Security Rule mandates the completion of a security risk assessment. The Department of Health and Human Services (HHS) states that "HIPAA requires organizations that handle protected health information to regularly review the administrative, physical, and technical safeguards they have in place to protect the security of the information."
Finding any potential flaws in the security policies, procedures, and systems of an organization and developing an action plan to remediate such weaknesses are crucial components of the SRA. As an example, one organization may not have a password policy in place. The organization would adhere to an action plan to establish a strong password policy, such as the suggestions above, over the course of a specific time period, such as the following year.
STEP 3. Safeguarding from Malicious Attacks and Malware
Protecting against malicious software is crucial for organizations and is also mandated under the HIPAA Security Rule. Adware, spyware, viruses, worms, and other types of malicious code are all examples of malicious software, and it can give an attacker partial, and in some situations complete, control of your computer. Do not open an email attachment or other strange-looking content that you were not expecting. System patches and updates must be current in order to guard against malicious software, and installing antivirus software that runs frequent scans and updates is crucial. Also consider installing anti-spyware and anti-adware software that runs regular scans and updates.
STEP 4. Training Your Workforce
Both the HIPAA Privacy Rule and the HIPAA Security Rule set training requirements for covered entities.
- Under the HIPAA Privacy Rule, "a covered entity must train all members of its work force on the policies and procedures with respect to PHI."
- The Security Rule requires a covered entity to "implement a security awareness and training program for all members of its workforce (including management)."
In addition, a covered entity should periodically provide security training updates based on current technology and security risks. For example, suppose a new, sophisticated program has been circulating through health care networks in an attempt to steal patient information, and it is being sent as an attachment in an e-mail. The covered entity should train all of its workforce members on what to do if they receive that email. The covered entity may also consider issuing a warning to patients, via a patient portal or similar means, that informs them of the program that aims to steal information.
STEP 5. Bring Your Own Device (BYOD) Policy
It is estimated the number of smartphones throughout the world will reach 2 billion by the end of 2015. The use of smartphones and other mobile devices has become commonplace in the medical workplace, and health care professionals often use their personal mobile devices at work. Using personal mobile devices in the workplace raises potential safety and privacy concerns. An effective BYOD policy will protect the security and integrity of your data technology infrastructure by:
- Identifying activities that are acceptable and what company-owned resources may be accessed.
- Determining what devices are allowed and how the devices will be supported.
- Stating the company's reimbursement policy for the cost of the device or phone plan.
- Addressing security requirements for using mobile devices such as password requirements and guidelines for messages containing PHI.
- Listing potential risks, liabilities and disclaimers for employees who wish to use mobile devices.
- Including a user acknowledgement and agreement, signed by the employee, that lists the approved BYOD device(s).
Final Thoughts
October is a good month to evaluate our cybersecurity practices and address areas that may be lacking. While the five step action plan is by no means all inclusive, it does offer reasonable and effective methods for individuals and organizations to safeguard ePHI.
A strong password is a good way to ensure the safety and security of sensitive information at home or at work. Covered entities should be active in the SRA process, instead of thinking of an SRA as one-and-done. Protection from malicious software may be accomplished with anti-virus and anti-spyware software that performs regular scans and updates.
Training provides an opportunity to give updates that are based on technology and security risks. Finally, an effective BYOD policy will protect the security and integrity of your data technology infrastructure, especially as the use of mobile technology continues to become more commonplace in today's workplace environment. We all have a part in ensuring the safety and security of information while online.
If you have any questions about safeguarding PHI, need assistance completing a security risk analysis, or would like more information about implementing a BYOD policy, please do not hesitate to contact one of our professional consultants.