It's time to make New Year's resolutions for improving health data protection.
Far too many healthcare organizations and their business associates are still neglecting to address some of the basics. So it makes sense to resolve to take three critical steps:
Use Two-factor Authentication
One of the common reasons why breaches occur is that most systems require only single-factor authentication - a password. This is a weak form of authentication because users often rely on default or easy-to-guess passwords, and, even worse, use the same passwords for all systems. By requiring two-factor authentication, would-be digital interlopers will not be able to compromise the associated accounts even if they are able to grab passwords, such as through a phishing attack.
Another common reason that data is breached is that protected health information stored in repositories often is not encrypted. Encrypted data will be of no value to hackers who successfully gain access to systems. Using strong encryption helps ensure only those authorized to access PHI are able to do so.
Make Frequent Backups
Healthcare entities, and their vendors, are increasingly the target of crooks who use ransomware. Many organizations have paid the ransoms to get patient data back because they did not have a good process in place to make frequent backups. Ransomware is a lucrative criminal business that will grow in the year ahead. By making frequent backups and following good disaster recovery processes, if your business does get hit by ransomware, you can simply reload your systems and data - and tell the crooks to get lost. You will also be fulfilling a HIPAA compliance requirement.
While taking these three steps will help improve security, more must be done to help mitigate the risks to PHI. So, here are resolutions for three ongoing management initiatives:
Provide Frequent, Brief Training Sessions
Your organization's security depends upon your workers using and sharing PHI in a secure manner. If you don't provide training, your employees will not know how to effectively secure the PHI they access when performing their job responsibilities. It's best to provide frequent - for example, quarterly - and brief - 10- to 15-minute - training sessions. In between trainings, send out weekly security and privacy reminders to keep good security practices top of mind as staff members perform their daily work activities.
Update and Communicate Policies, Procedures
Too many organizations still have not documented information security and privacy policies and procedures. And too many of those that have documented them have not kept them up to date. Review your policies and procedures at least once a year and following major business, technology and legal changes.
Improve the Risk Management Plan
Organizations cannot do just one information security risk assessment and then forget about it. At a minimum:
- Perform an annual full information security risk assessment and make updates when major changes in the business, technology or laws occur. Include privacy issues as well - for example, determine with whom you share PHI, how that data is shared and where that data is stored when you send data to your business associates.
- Periodically conduct security and privacy risk level evaluations, or RLEs. These are quicker to do than a full-blown risk analysis and more narrowly scoped. They often identify major issues that had been overlooked. Appropriate times to conduct RLEs include when hiring a new business associate, implementing a new system or application, determining risks within your call center practices or reviewing at web development practices.
- Conduct quarterly or semi-annual work area security/privacy reviews. Choose departments where the workers deal with PHI on a daily basis when performing their job activities. I started doing these in 1990, and they are one of the best ways to quickly find risks within the work facility and then quickly mitigate them.
I am confident that any organization that fulfills these resolutions will dramatically decrease their risk levels, resulting in fewer breaches and better compliance for 2017.