4 Ways to Safeguard Public Health Information (PHI) from Cyber Threats
Protect your business and online security with these basic precautions that decrease your cyber security risks and align with HIPAA’s Protected Health Information (PHI) guidelines.
As an agency or any institution that relays PHI, you have observed firsthand the integration of new technology and its positive impact within the insurance industry. However, negative impacts, such as additional security risks and stringent HIPAA technical requirements, are also associated with the excitement of the Digital Age.
Read on for four basic precautions that safeguard your business and recent examples of events that remind us the importance of cyber security.
1. Stay Up to Date
Always keep your software and security applications updated. Any Internet-connected device is vulnerable to cyber-security risks and can potentially be hacked. You may think of information security in terms of a defensive team, but the IT department must have a solid offensive game against Internet hackers.
Software and product updates are a result of that offense or a quick acting defense, and installation provides maximum security protection. When updates are not installed, you may be leaving yourself and your device susceptible to an Internet intruder, as our company recently discovered.
Recent Example: In our case, the proper protocols and safe guards were current and in place. No sensitive data was breached! This intruder simply used a third-party service to piggy back his hack across our internet connection to his intended victim outside our network. Because we followed our own protocols for security, we were able to avoid a situation that could have turned severe.
- Always keep software up to date and current
2. Use Strong and Unique Passwords
Never use the same password for multiple password-protected sites and devices. Best practices state that passwords provide maximum protection when a different password is used for each site and service, and changed within a 30 to 90-day period. In addition, the user should always log out of accounts.
Insurance professionals may have significantly more accounts when considering unique portals and password-protected documentation, such as Census or claims utilization reports. This volume can make for an overwhelming list of passwords for an individual to remember. However, this best practice may not seem so severe when you contemplate the recent cyber security threat.
Recent Example: The April 2014 Heartbleed bug sent the IT world into a frenzy with the public announcement of the OpenSSL cryptology’s security vulnerability. The bug was found in the software’s infrastructure and allowed interlopers to decipher encrypted data, such as passwords and other personal information. Although a patch was released the same day as the announcement, the affected version of OpenSSL exposed all of its users to a huge cyber security threat.
The Heartbleed bug is a great example of the first precaution above, but it also reminds us of the importance of password best practices. Of those exposed to Heartbleed, users with unique, alternating passwords were at lower risk of possible repercussions.
Password management software is available for those of us juggling more than the average load of passwords. However, consult with your IT department or data management policy before purchasing or downloading such software.
- Always use passwords longer than 8 characters and include special characters
3. Keep Sensitive Data Protected
Keeping your passwords, financial, and other personal information safe and protected from outside intruders has long been a priority of businesses, but it’s increasingly critical for consumers and individuals to heed data protection advice and use sound practices to keep your sensitive personal information safe and secure. There’s an abundance of information out there for consumers, and individuals on protecting passwords, adequately protecting desktop computers, laptops, and mobile devices from hackers, malware, and other threats, and best practices for using the Internet safely. But there’s so much information that it’s easy to get confused, particularly if you’re not tech-savvy.
Where people fail, most times is the lack of planning, being prepared.
Recent Example: “Snowden” has become the buzzword for every kind of security breach. But the Snowden leak was an inside job.
The leak was the result of a SharePoint-related issue – not with the SharePoint platform, but with governance decisions (i.e., who has access to what data), monitoring and oversight. In Snowden’s case, he copied gigabytes of data to thumb drives with little challenge. Snowden was given access to sensitive content that he shouldn’t have had access to for carrying out his tasks. He was already inside the fortress.
The challenge for government and business is to use the tools that SharePoint and other vendors provide to pro-actively establish, monitor and enforce security protocols and to limit internal access to sensitive content.
Nothing is secure indefinitely when it is networked to another computer, and you are most vulnerable when you trust your technology unequivocally. Singh meticulously documented that anything that can be made secure will eventually be hacked.
So if you can’t trust technology, who do you trust? The short answer is yourself.
First, you must have a team that not only checks compliance with your security approach, but continuously monitors the actions of the hackers and constantly upgrades your approach securing sensitive data. But this is only the beginning of the solution. Your organization must also be ready when the inevitable happens.
When iCloud was recently hacked, Steve Cook did not come out with a letter that focused on a new technology approach to iCloud security. He quickly assured people that the hole was fixed and then spent the majority of his time stressing the company values toward the concern of Apple’s customers: privacy. You must have a planned response to address what matters to your customers. In Apple’s case this was privacy. In the case of a bank it is limitation of financial liability. In the case of home automation, it will be assurance of safety. Don’t make the mistake of trusting your security technology unequivocally. Be technically prepared and diligent, but know that it still can fail, and be prepared to protect the brand and maintain customer trust.
- Always keep your desktop clear of sensitive information, storing it in a secure location for use as needed
4. Don’t Forget to Ensure the Security and Compliance of Mobile Devices
Don’t forget your mobile devices! Ensure the security and compliance of your mobile technology. Mobile devices, such as smartphones and tablets, have proven to be valuable resources in your business, but mobile devices have the highest security risks HIPAA enforces mobile technology guidelines to combat these risks and keep PHI secure.
Understanding best practices for mobile device security in today’s healthcare environment can be challenge for many organizations. As mobile devices such as tablets and smartphones become more powerful, they become more useful to your health organization. This usefulness often times translates into more risk for the organization. Best practice security for both company-owned devices and personal devices requires proactive policies, implementation of those policies, as well as employee training on the policy and acceptable use of the device.
Recent Examples: In February 2014, a security audit reported that PHI breaches increased by 138% in 2013 compared to the previous year. The three largest incidents involved stolen mobile devices and unencrypted data. You don’t have to be an IT expert to follow the best practices for HIPAA’s mobile device security, but you are expected to incorporate an effective process for protecting sensitive information.
It’s important to update your data management policy to include mobile devices, and educate employees about your organization’s policy. Simply downloading an app with data sharing terms and conditions onto your work-mobile device could put you at risk of violating HIPAA guidelines. Your organization’s IT department or IT consultant should have a list of pre-approved applications in association with the data management policy.
What Does HIPAA Have to Say About Mobile Devices?
The Health Insurance Portability and Accountability Act of 1996 required the Secretary of the U.S. Department of Health and Human Services to develop regulations protecting the privacy and security of certain health information. To meet this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule
The Privacy Rule establishes national standards for the protection of certain health information. This rule refers to individually identifiable health information that can be linked to a particular person such as:
- The individual’s past, present or future physical or mental health
- The provision of healthcare to an individual.
- The past, present or future payment for the provision of healthcare to the individual
The Security Rule
When discussing mobile device security best practices, we are primarily concerned with the Security Rule provisions. The HIPAA Security Rule applies to individual identifiable health information in electronic form, typically known as electronic protected health information. The Security Rule addresses the technical and non-technical safeguards that organizations called must put in place to secure individuals’ ePHI outlined in the Privacy Rule. The Security Rule established a national set of security standards for protecting ePHI specifically how it is stored, maintained or transmitted.
The 5-step process
The Office of the National Coordinator for Health Information Technology has outlined the five basic steps organizations can take to manage mobile devices used by health care providers and professionals. Healthcare organizations can use the five steps to help develop and implement mobile device policies and procedures to safeguard patient health information.
The five steps are outlined on the ONC’s website (HealthIT.gov) as follows:
- Decide—Decide whether mobile devices will be used to access, receive, transmit or store patients’ health information or used as part of your organization’s internal networks or systems.
- Assess—Consider how mobile devices affect the risks to the health information your organization holds.
- Identify—Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.
- Develop, Document and Implement—Develop, document and implement the organizations mobile device policies and procedures to safeguard health information.
- Train—Conduct mobile device privacy and security awareness and training for providers and professionals.
Implementing mobile devices in your organization can add a lot of value for your team when the proper balance between security and usability is achieved. Not every item may fit your company’s particular need or workflow, but these tips form a solid foundation for mobile device security and understanding these best practice guidelines will help you understand your corporate risk. Proper planning, policy creation, implementation of controls and most importantly training for your users will help ensure your data’s protection and eliminate the risks typically associated with mobile devices.
While modern technology enhances business operations and improves efficiency, it also increases security risks. A proactive approach and established practices are critical to sustaining cyber security, or you could put your HIPAA compliance, your client information, and your business at risk.