HIPAA violations are growing in number and cost, and have affected medical facilities of all sizes.
While training and vigilance on the part of administrators and staff is a vital component to HIPAA compliance, the right technology can turn an open book into a bank vault. From secure medical grade all-in-one computers to software to online tools, here are some of the best ways technology is making ePHI (electronic protected health information) more secure.
HIPAA violations and costly fines don’t have to be an inevitability.
How Bad is It?
HIPAA violations and fines are practically raining from the sky. 2018 saw significant data breaches, some that affected millions of patients.
In January of 2018, it was revealed that the data of 30,000 patients was stolen by hackers from Florida Medicaid when an employee fell for a phishing email.
Also in January, a medical group in New York had a record breach that had nothing to do with malicious intent. A misconfigured database with an unsecured port accidentally exposed the data of 42,000 people to anyone who stumbled across it. Social security numbers, patient notes, and even names of family members were all up for grabs.
In April, the Center of Orthopaedic Specialists in California got hit by ransomware that may have exposed 85,000 patient records to hackers. In September, three hospitals settled a $1 million dollar fine for potentially compromising patient privacy while they were filming a documentary for ABC.
And, of course, Anthem paid a record-breaking $16 million in fines and violation settlements for a breach that affected 79 million patients. They were given a hefty penalty for not only the breach itself, but for failing to implement adequate access controls, not conducting a risk analysis before it happened, and for not regularly reviewing system activity to keep an eye on red flags.
Almost all of these breaches could have been prevented or mitigated by better technology, more robust security software, and improved employee education.
Online Training Programs Can Educate Staff Members
Hacking is a multi-headed hydra that is more than just ransomware and worms. “Social engineering” describes all of the methods deployed by hackers to gain access to secure systems from regular people in an organization.
Social engineering tactics can vary wildly, from dressing like an electrician to get access to a sensitive area, to calling up an employee and pretending to be an IT tech who needs their information, or even just employing a malware program that requires a victim to click, open, download, or install something they shouldn’t have.
Consider enrolling staff members into an online HIPAA compliance course, or a general data security training program. If you’re afraid of employees falling asleep during a dry infosec video, try SecurED, a data security training course that was actually written in part by Hollywood comedy writers.
And if you want the real skinny from an expert, world-famous hacker Kevin Mitnick actually created his own security awareness training to help illuminate the best techniques for avoiding malicious software and social engineering.
Install Security Software on All Devices
Cloud storage attached to medical all-in-one computers, medical tablets, and personal devices must be encrypted. Any messages, data, or images that back up to a cloud service are just as susceptible to interception as messages sent from one user to another.
Dropbox, OneDrive, and Google Drive aren’t automatically encrypted, and expose a weak point in any system. The solution isn’t to stop using cloud services — backing up data has never been more important — but to instead use a secure cloud storage program like Sookasa to encrypt files before they enter a cloud storage folder.
It also may be wise to consider HIPAA compliance tracking software like HIPAATrek. This software, and other brands like it, create a one-stop-shop for all current HIPAA regulations, training, assessments, risk analysis surveys, checklists, and a whole host of compliance tools to keep any medical facility in the green and out of the fast-growing list of HIPAA horror stories.
Secure Accounts with Two-Factor Authentication
A single password and login for staff members aren’t sufficient for sensitive accounts. Passwords can be guessed, cracked, or collected fairly easily, especially if employees aren’t maintaining proper password etiquette.
Two-factor authentication is recommended by all security professionals at this point, and a failure to do so could have dire consequences for any organization under HIPAA authority.
Smart cards, custom RFID tags, and biometric scanners can provide the physical authentication, while a PIN or password can be used in conjunction to add an extra layer of security. Medical all-in-one computers or medical tablets with built-in RFID and biometric scanners are highly recommended for this purpose because they are far more reliable than a USB scanner plugged into an off-the-shelf office computer.
Plus, USB readers are portable and have a tendency to get lost or disappear. Misplacing an integrated medical panel PC is slightly more difficult.
Only Use Messaging Software with HIPAA Associate Agreements
Texting and easy picture-sharing have completely changed the way our society communicates, even in the workplace.
However, HIPAA’s security standards mean that doctors and nurses can’t be as free as the general populace. While texting a coworker a question might seem innocuous, it can lead to breached confidentiality and a hefty fine if it contains patient details. Ditto for sending pictures — getting a second opinion from another nurse about a suppurating wound isn’t a bad idea in theory, but may, in fact, be a violation of HIPAA standards.
For workplace communication, make sure work devices are installed with encrypted messaging software from a HIPAA associate. If your practice is using a BYOD policy, make sure those devices have the same level of encryption. Or, it may be a wise idea to abandon a BYOD policy altogether — they’ve been shown to invite massive security breaches.
A messaging app made by a business under a HIPAA associate agreement is certified to provide the necessary security to meet HIPAA standards.
There are quite a few HIPAA compliant texting apps, like TigerConnect and OhMD, that can make a major difference in cybersecurity. Many of these apps, or similar email encryption programs (like Barracuda or Virtru ) can also be installed on medical tablets and medical all-in-one computers, creating an easy, encrypted communication system for any facility.
Don’t Forget the Real World
Consider those hospitals fined for filming a documentary — not all patient confidentiality breaches come from computer hackers.
Even something as simple as the placement of a computer screen or patient monitor can have HIPAA implications. Medical all-in-one computers with built-in privacy screens can reduce the angle where a monitor is readable, while a computer on wheels can be rotated away from prying eyes.
Cameras and video recording are obviously off-limits, but sometimes staff can be tempted by the social media machine in their pocket. A perfectly harmless photo from the wrong angle can unknowingly capture sensitive information on a chart, or the face of a patient in the background.
Of course, a malicious low-tech data thief could also snap a quick picture of sensitive information while a doctor’s back is turned.
Technology can help, of course, but common sense is even more important. Keep an eye on your surroundings, especially when viewing ePHI, to maintain maximum data security.
Employ and Document Digital Security Methods Today
A three-pronged approach of education, technology, and vigilance should hopefully keep any doctor’s office, hospital, or clinic away from major HIPAA violations. Even should a lax staff member cause a breach, a thorough and documented history of implementing all of these techniques should also lower the culpability and any potential fines for the organization.
Contact Cybernet today to learn more about medical all-in-one computers and medical tablets with built-in two-factor authentication, Imprivata single-sign-on compatibility, and built-in privacy screens.