Posts Tagged ‘protected health information’

Guest Post: Staying HIPAA Compliant When Using Smartphones

July 5th, 2018 by Brad Spannbauer

Smartphones in Healthcare

Smartphones are becoming increasingly ubiquitous in clinical settings. When compared with the likes of pagers, smartphones offer many benefits, such as improved communication and collaboration, increased mobility, and more advanced security and privacy features. However, despite these benefits, introducing smartphones into a healthcare environment also brings new security risks, especially when devices are used to create, receive, maintain or transmit electronic protected health information (ePHI).

The compact size and portability of smartphones make them convenient for on-the-go healthcare professionals, but those same qualities make them particularly susceptible to loss or theft, which can lead to data breaches.

According to a Ponemon study, 90 percent of healthcare organizations have been affected by at least one data breach, and nearly half have had more than five data breaches. While malicious activity continues to be the leading cause of these attacks, employee negligence and lost or stolen devices are the primary instigators.

Eliminating the security and privacy threats introduced by smartphones isn’t easy, but by addressing the following key areas, HIPAA (Health Insurance Portability and Accountability Act of 1996) covered entities can mitigate the risks and significantly reduce the likelihood of a data breach occurring.

Put a stop to non-secure communication

In today’s cybercrime-ridden world, organizations must be proactive in guarding every aspect of their digital infrastructure, and maintaining secure communications is a key part of this process. Non-secure applications such as email or native text messaging apps are inherently risky because they lack security features and privacy controls, which ultimately renders them non-compliant under the rules of HIPAA. Instead of using insecure tools, healthcare providers should invest in secure communication solutions that are designed to withstand the rigors and regulations of healthcare.

Educate your workforce

Research by IBM suggests that 95 percent of all security incidents in 2016 involved human error—misaddressed emails, weak passwords and falling prey to phishing schemes are prime examples of how data breaches can occur due to carelessness or lack of proper education. Additionally, the rise in BYOD (Bring Your Own Device) means employees are more frequently using devices both inside and outside the office, which naturally increases the risks of a device being lost, stolen, or accessed by an unauthorized third party. Regular staff training should therefore be a top priority for any organization that allows its employees to use a mobile device for work purposes. Ultimately the onus is on employers to ensure employees understand their responsibilities, and to provide the tools to allow them to carry out their jobs effectively and securely.

Follow OCR’s advice

In recognition of the risks associated with increased usage of smartphones in clinical settings, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued guidance for HIPAA covered entities that use mobile devices to create, access or store ePHI. The guide offers the following tips:

  • Implement policies and procedures regarding the use of mobile devices in the workplace—especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

Remember, at the end of the day, if you allow ePHI to be stored on mobile devices, some of those devices inevitably will be lost or stolen. And if that ePHI is not adequately protected through strong encryption along with robust access controls as described above, you will have a reportable data breach on your hands. So plan accordingly.
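To show how the OCR checklist above and the closing point about lost devices can be turned into a routine check, here is an added example (not code from the post, from OCR, or from j2) that audits a constructed MDM inventory export; the field names, thresholds and app allowlist are assumptions:

```python
from dataclasses import dataclass, field
from datetime import date

# Thresholds and the app allowlist are assumptions for this example, not OCR values.
MAX_PATCH_AGE_DAYS = 30
MAX_AUTOLOCK_SECONDS = 300
APPROVED_APPS = {"secure-messenger", "ehr-client", "mdm-agent"}

@dataclass
class Device:
    """One row of a constructed MDM inventory export (field names are assumed)."""
    device_id: str
    stores_ephi: bool
    autolock_seconds: "int | None"  # None means auto-lock is disabled
    auth_required: bool             # passcode or biometric needed to unlock
    encrypted: bool
    remote_wipe: bool
    last_patch: date
    apps: set = field(default_factory=set)

def check_device(dev: Device, today: date) -> list:
    """Return the OCR checklist items this device fails (empty list = compliant)."""
    findings = []
    if dev.autolock_seconds is None or dev.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("auto-lock disabled or timeout exceeds policy")
    if not dev.auth_required:
        findings.append("no authentication required to unlock")
    if not dev.encrypted:
        findings.append("device storage not encrypted")
    if not dev.remote_wipe:
        findings.append("remote wipe not enabled")
    if (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append("security patches out of date")
    unapproved = sorted(dev.apps - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved third-party apps: " + ", ".join(unapproved))
    return findings

def loss_would_be_reportable(dev: Device) -> bool:
    """The post's closing point: losing a device that holds ePHI without both
    encryption and an unlock control is a reportable breach, not just a lost asset."""
    return dev.stores_ephi and not (dev.encrypted and dev.auth_required)

# Constructed sample inventory and audit date: one compliant phone, one tablet
# that fails most checks.
AUDIT_DATE = date(2018, 7, 5)
INVENTORY = [
    Device("nurse-01", True, 120, True, True, True, date(2018, 6, 20), {"ehr-client", "mdm-agent"}),
    Device("clinic-tablet-07", True, None, False, False, True, date(2018, 3, 1), {"ehr-client", "game-x"}),
]
```

Running `check_device` over a real export and acting on a non-empty finding list (quarantine in the MDM, block ePHI apps) is the operational step the checklist leaves to the covered entity.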

As devices and applications become more technically advanced, and as more and more healthcare organizations leverage the advantages of smartphones over traditional tools, smartphone usage is only set to increase. To realize the benefits, however, it is critical that the security of mobile devices is reviewed and updated regularly, and policies are modified when necessary. Convenience should never come before compliance.

About the Author:

Brad Spannbauer

A 20 year industry veteran, Brad Spannbauer currently oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect’s worldwide business as their Senior Director of Product Management. His focus in the healthcare and legal verticals led to Brad’s involvement with the j2 Cloud Services™ compliance team, where he leads the team as the company’s HIPAA Privacy and Compliance Officer. Learn more about our HIPAA Compliant Fax Solutions.

Infographic: 5 Questions Patients Should Ask About Healthcare Information Security

September 8th, 2017 by Melanie Matthews

Patients need to understand the information security protections by their healthcare providers, according to a new infographic by ISACA.

The infographic outlines a few questions that patients can ask of their providers to ensure that those organizations are applying appropriate and diligent stewardship of the data that they hold in trust.

UnityPoint Health has moved from a siloed approach to improving the patient experience at each of its locations to a system-wide approach that encompasses a consistent, baseline experience while still allowing for each institution to address its specific needs.

Armed with data from its Press Ganey and CAHPS® Hospital Survey scores, UnityPoint’s patient experience team developed a front-line staff-driven improvement action plan.

In Improving the Patient Experience: Engaging Front-line Staff for a System-Wide Action Plan, a 45-minute webinar on July 27th, now available for replay, Paige Moore, director, patient experience at UnityPoint Health—Des Moines, shares how the organization switched from a top-down, leadership-driven patient experience improvement approach to one that engages front-line staff to own the process.

Get the latest healthcare infographics delivered to your e-inbox with Eye on Infographics, a bi-weekly, e-newsletter digest of visual healthcare data. Click here to sign up today.

Have an infographic you’d like featured on our site? Click here for submission guidelines.

Infographic: What Hospital CIOs Think About Data Security and Clinical Mobility

June 5th, 2017 by Melanie Matthews

Effective patient engagement has been linked with increased adherence to medical plans, reduced hospitalizations, and higher revenues, according to a new infographic by ChartLogic. One way to generate these results is by meeting patients where they spend the most time, i.e. social media.

The infographic looks at which secure communication methods clinical staff use, the top four reasons hospitals use pagers, and mobile health strategies.

Healthcare Trends & Forecasts in 2017: Performance Expectations for the Healthcare Industry

Not in recent history has the outcome of a U.S. presidential election portended so much for the healthcare industry. Will the Trump administration repeal or replace the Affordable Care Act (ACA)? What will be the fate of MACRA? Will Medicare and Medicaid survive?

These and other uncertainties compound an already daunting landscape that is steering healthcare organizations toward value-based care and alternative payment models and challenging them to up their quality game.

Healthcare Trends & Forecasts in 2017: Performance Expectations for the Healthcare Industry, HIN’s 13th annual business forecast, is designed to support healthcare C-suite planning during this historic transition as leaders prepare for both a new year and new presidential leadership.


Guest Post: 5 Ways to Protect Against Cyber Attacks

February 23rd, 2016 by Salim Hafid, product marketing manager, Bitglass

Cyber attacks like the recent hack of Hollywood Presbyterian Medical Center are on the rise.

Editor’s Note: Could the Hollywood hack happen to your organization?

The event had all the hallmarks of a Hollywood blockbuster, but this month’s assault by a hacker on Hollywood Presbyterian Medical Center (HPMC) was frighteningly real. The malware attack locked access to certain computer systems and prevented the medical center from sharing communications electronically, according to a statement by Allen Stefanek, President & CEO. The medical center paid the requested ransom—40 Bitcoins, equal to approximately $17,000—and restored its electronic medical record (EMR) system. There is no evidence at this time that any patient or employee information was subject to unauthorized access, Stefanek said in his statement.

The HPMC hack is only the latest cyber attack to plague the industry. In this guest blog post, Salim Hafid, product marketing manager for Bitglass, suggests ways organizations can safeguard themselves against these damaging events.

Data breaches in 2015 resulted in a massive 113 million leaked records nationwide, up from 12 million in 2014, according to Bitglass’ Healthcare Breach Report. This means that one in three Americans’ personal information was leaked as a result of cyber attacks. The increase suggests that hackers are increasingly targeting medical records, which contain a trove of valuable information including addresses, Social Security numbers, and patients’ medical history. As hackers become more sophisticated, IT must take steps to secure data both in the cloud and across all employee devices.

Given the rising threat of cyber attacks, healthcare organizations must be proactive when it comes to securing corporate data. Here are five ways IT can both protect healthcare data in the cloud and limit the risk of a large-scale breach:

1. Control access.

Cloud applications have made file-sharing and access to data easier than ever, but for all the flexibility these apps offer, there are risks to sharing files with unsecured, unmanaged devices outside the corporate network. Granular access controls are a critical piece of the security puzzle in that organizations need the ability to limit access in certain risky contexts. In the case of the Anthem breach for example—in which phished credentials were used in China, resulting in 78.8 million leaked records—access controls would have limited the damage.

2. Encrypt, track, protect.

The most sensitive data in an organization is often the most valuable to hackers. Files with customer Social Security numbers, addresses, and medical claims information are the targets of large-scale breaches. To secure data, IT needs a means to identify the files that contain sensitive content and apply Data Loss Prevention (DLP) to those files. Contextual DLP solutions enable IT administrators to distinguish between devices and set policies to encrypt, apply watermarks to track data, or even wrap files with digital rights management (DRM).

3. Secure BYOD.

As demand for bring-your-own-device (BYOD) in healthcare rises, organizations need to protect data on unmanaged devices without impeding user privacy. What is critical here is control over data as it travels to the end-user’s device and data that resides on the device itself. With features like selective wipe and native mail access, organizations can encourage adoption of BYOD while still protecting data and maintaining HIPAA compliance on these unmanaged devices.

4. Quickly identify potential breaches.

As healthcare organizations are now more likely to be targeted by hackers than ever before, IT needs the ability to quickly identify suspicious traffic and be alerted to potential risks. Administrators can leverage tools like cloud access security brokers to act on that information and limit sharing using the aforementioned access control capabilities.

5. Improve authentication.

Major breaches like Anthem and Premera, coupled with the low rate of single sign-on adoption across the healthcare industry, highlight the need for a more secure means of authenticating users. With an integrated identity solution, organizations can maintain control over the key access points to their data and can easily manage user account credentials with tools like Active Directory. Industry standards like single sign-on, multi-factor authentication, and single-use passwords can also help minimize risk of breaches due to stolen credentials.

These are just a few of the many ways healthcare organizations can better secure corporate data in public cloud applications like Google Apps, Box, and Office 365. In light of the massive year-on-year increase in breaches, securing healthcare data has never been more critical. Healthcare organizations need a HIPAA-compliant, comprehensive, data-centric solution that provides complete control and visibility over protected health information (PHI), a means of securely authenticating users, and BYOD security.

Download the Bitglass Healthcare Breach Report for more on the key capabilities necessary to protect healthcare data in the cloud and achieve compliance.

About Bitglass: In a world of cloud applications and mobile devices, IT must secure corporate data that resides on third-party servers and travels over third-party networks to employee-owned mobile devices. Existing security technologies are simply not suited to solving this task, since they were developed to secure the corporate network perimeter. The Bitglass Cloud Access Security Broker solution transcends the network perimeter to deliver total data protection for the enterprise—in the cloud, on mobile devices and anywhere on the Internet. For more information, visit bitglass.com

HIN Disclaimer: The opinions, representations and statements made within this guest article are those of the author and not of the Healthcare Intelligence Network as a whole. Any copyright remains with the author and any liability with regard to infringement of intellectual property rights remain with them. The company accepts no liability for any errors, omissions or representations.