It’s one thing to suffer one data breach – there is room to recover. Will Anthem survive a second breach?
Don’t let this happen to you. With the Anthem breach still at the forefront of everyone’s minds, and with the next phase of OCR HIPAA audits approaching, we have put together some tips to get you thinking about what you can do now to better secure the healthcare data in your organization.
Control PHI Workflow
Do you know where your healthcare data is? Do you have permissions in place that restrict access to the people and systems that actually need it? Is it encrypted? PHI should be encrypted both at rest and in transit, with the keys kept separate from the data they protect, so that a lost laptop, a stolen backup or a captured network session does not expose patient records. Your organization needs to know where its data lives, where it travels, and how it travels, at all times, because you cannot encrypt or control access to data you have not inventoried.
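As an added illustration of encryption at rest (this is example code written for this article, not code from Anthem, KirkpatrickPrice or any product named here), the following Go program seals a PHI record with AES-256-GCM and binds the record identifier into the authentication tag as associated data. The key, the record ID and the sample record are all constructed for the example; in production the key would come from a key management service, not the application's memory.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealRecord encrypts one PHI record with AES-256-GCM. The record ID is passed
// as associated data, so the ciphertext is authenticated together with the row
// it belongs to: it cannot be silently copied into another patient's record.
// Output layout: random 12-byte nonce || ciphertext || 16-byte GCM tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to the nonce, the ciphertext, the
// tag or the record ID makes gcm.Open fail, so tampering and misfiled records
// are rejected rather than decrypted into garbage.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Demo key only: a real deployment fetches the key from a KMS/HSM.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"mrn":"1001","dx":"E11.9"}`) // constructed sample PHI

	sealed, err := SealRecord(key, "patient-1001", record)
	if err != nil {
		panic(err)
	}
	pt, err := OpenRecord(key, "patient-1001", sealed)
	fmt.Println("correct record id:", bytes.Equal(pt, record), err)

	_, err = OpenRecord(key, "patient-2002", sealed) // moved to another row
	fmt.Println("wrong record id:", err)

	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err = OpenRecord(key, "patient-1001", sealed)
	fmt.Println("tampered ciphertext:", err)
}
```

The random nonce is fine for the volumes a record store sees, but GCM nonces must never repeat under one key, so rotate keys long before the 2^32-record mark and keep the key out of the database that holds the ciphertext.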
Strong Passwords
This seems like a no-brainer; however, it is easy to slip into the convenience of a weak password, or of reusing the same password for multiple systems. A reused password is only as safe as the weakest site it was used on: once that site is breached, attackers will try the same credentials against yours. The longer the password, the better. Strong passwords should be at least 8 characters long, mixing capitalization, numbers and punctuation, and a longer passphrase is stronger still. Two-factor authentication is an even stronger way to ensure that only the people who are allowed access have access, because a stolen or guessed password is no longer enough on its own.
Vendor Management
HIPAA requires you to perform due diligence to ensure not only that you are HIPAA compliant, but that the vendors who have access to your PHI are compliant as well. A signed Business Associate Agreement on its own is not enough. You can no longer outsource this risk; you must manage it. This means vendor management must be a priority when considering the safety and security of the PHI for which you are responsible. Do you know who your vendors are, and which of them actually handle PHI? Do you have documentation showing that you have reviewed their compliance with industry regulations? These are questions you must be able to answer.
Policies and Procedures
Are you aware of the policies and procedures in place to protect healthcare information and comply with HIPAA? Employees should be required to demonstrate that they acknowledge, understand and follow all policies and procedures. Those policies exist to help you, and understanding why a given policy or procedure is in place can make the difference that saves your organization from a data breach.
Security Awareness Training
Setting the security tone from the top is the most important step any organization can take to make sure everyone is on the same page about PHI security. It is important to educate all employees, in every part of your organization, on HIPAA compliance and on why it matters, since a single careless employee can undo every technical control you have put in place.
Annual External and Internal Penetration Testing
Network and application security is critical to your organization. Performing annual penetration tests, both external (against your internet-facing systems, as an outside attacker would see them) and internal (from inside the network, as a compromised workstation or malicious insider would), is a strategic way to identify weaknesses and vulnerabilities in your organization’s security before someone else does. The value is in what happens next: track each finding to remediation and retest to confirm the fix.
Are you confident that you are doing everything you can to ensure the security of your PHI and your compliance with HIPAA laws?
Let us know if you have any questions about strengthening the compliance controls at your organization or if you’re in need of third-party validation of your compliance.
Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.