By Vicki Ritterband
Encryption. Encryption. Encryption.
Those are the “three” most important activities doctors should do to protect the security of their patients’ electronic protected health information (ePHI), says cybersecurity expert Ali Pabrai, a presenter at MMS’s recent conference, Electronic Health Records Next Chapter: Best Practices, Checklists and Guidelines.
Encryption is the conversion of data into a form that cannot be understood unless the reader has a key or password to unscramble the information. All sorts of electronic transmissions should be encrypted—including texts and emails—no matter what the device, said Pabrai. If data is encrypted, even if you have a security breach, it is protected.
“Unfortunately, application vendors in the healthcare industry have been lethargic about embedding encryption capabilities,” said Pabrai. “That makes it difficult for a practice or a healthcare organization to implement encryption.”
As more and more health information moves between the cloud and mobile devices, organizations will increasingly need to focus their security efforts on those two areas, according to Pabrai. Healthcare data fetches a high price on the black market because it is so rich in identity information.
Cyber security attacks on all types of businesses are occurring at a breathtaking pace: the average organization experiences 1,400 attacks per week, and of those attacks approximately two accomplish their purpose, said Pabrai. HIPAA fines for information security breaches can run into the hundreds of thousands and even millions of dollars. “Physician practices are more vulnerable to HIPAA fines than ever before,” said Pabrai. Often, organizations don’t know their systems have been broken into until months after the thieves have left the premises.
So what’s a practice to do? Here are the seven steps Pabrai suggests physicians take to ensure that their patients’ electronic protected health information (ePHI) is secure and complies with HIPAA regulations:
- Assign someone in your practice to be the security or compliance officer. Make sure they have access to the appropriate resources to do their job.
- Conduct risk analyses regularly, ideally on an annual basis.
- Develop a security strategy and policies and document them. If HHS’s Office for Civil Rights investigates a security breach, the first thing they will ask is to look at your policies, said Pabrai.
- Remediate when necessary: address any deficiencies in your protection strategy.
- Secure third parties: make sure your business associates are protecting your patients’ ePHI to the same degree you are.
- Train your staff so they comply with your cyber security rules and regulations.
- Evaluate your performance.
For an overview of what’s required of healthcare providers to comply with various aspects of the HIPAA Privacy and Security rules, the U.S. Department of Health & Human Services offers six free, CME-eligible online educational programs.