Simple patient data security doesn’t have to be time-consuming.
Time-wise, HIPAA compliance is about making the most of the little time you have. Here are a few things you can do at your organization that will help you maintain patient data security.
(If you’d like all of my suggestions for HIPAA time management, watch this 70-minute recorded presentation.)
Perform an office physical.
Generally, doctors don’t perform physicals on themselves, and it’s the same with an office security physical: an outside eye notices what you walk past every day. This is a good opportunity to bring in a third party (this one, for example) to examine any irregularities in your data security.
That being said, if you’re a small provider with only a few staff members, you can probably perform a simple version of this yourself.
Look at your office through the eyes of a patient. Can they look down at the receptionist’s counter and see patient information? If they can, that’s a problem. Look for devices that are unattended and logged in, especially in exam rooms. A patient left alone in an exam room with a logged-in device could easily start browsing and see other patients’ information. A device should lock itself after a few idle minutes rather than depend on staff remembering to lock it before they step out.
Your office physical obviously doesn’t replace a HIPAA risk analysis, but should give you a very attainable place to start. Based on what you see, make goals like, “Talk to workforce staff about leaving their computers unlocked,” and “Buy more document shredders for the office.”
Update your systems and applications.
When I audit healthcare organizations, I see a lot of out-of-date EHR systems, computer operating systems, and anti-virus programs. These out-of-date systems and applications aren’t receiving the latest security updates, so vulnerabilities the vendor has already fixed stay open on your network. That makes your organization an easy target for a data breach, not to mention out of compliance with HIPAA regulations.
No single security control, anti-virus included, makes the others unnecessary. You can easily break a single stick over your knee, but put 10 sticks of the same size in a bundle and it’s near impossible to break. Security is the same way.
Security has layers, which is why it’s so important that when one layer is out of date, it gets fixed or replaced. So, update your EHR! Pay that annual $60 license fee to keep your anti-virus up and running.
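Here is a quick "is this workstation current?" check you can run on each PC while you walk the office. It is an added example, not code from the original post or from SecurityMetrics, and it covers both the update and anti-virus points above and the unattended, logged-in device problem from the office physical. It assumes Windows 10/11 with the built-in Microsoft Defender (a third-party anti-virus is only listed by name), and the 30-day patch, 7-day signature and 10-minute lock thresholds are this example's own choices, not HIPAA numbers.

```powershell
# Added example (not from the original post): report what is stale on this workstation.
# Assumes Windows 10/11 with Microsoft Defender; thresholds below are illustrative.
function Test-WorkstationCurrency {
    param(
        [int]$MaxPatchAgeDays     = 30,   # example threshold
        [int]$MaxSignatureAgeDays = 7,    # example threshold
        [int]$MaxLockSeconds      = 600   # example threshold: lock within 10 idle minutes
    )
    $findings = @()
    $now = Get-Date

    # 1. Operating system and the newest installed update. Get-HotFix reads the Windows
    #    installed-update (QFE) records, so it cannot see the EHR's own updater; check
    #    the EHR version against the vendor's current release in its admin console.
    $os = Get-CimInstance Win32_OperatingSystem
    $lastPatch = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $lastPatch -or $lastPatch.InstalledOn -lt $now.AddDays(-$MaxPatchAgeDays)) {
        $findings += "OS: $($os.Caption) $($os.Version) has no update newer than $MaxPatchAgeDays days (last: $($lastPatch.InstalledOn))"
    }

    # 2. An update that is installed but waiting for a reboot protects nothing yet.
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path $rebootKey) {
        $findings += 'OS: an installed update is waiting for a reboot'
    }

    # 3. Defender: engine on, real-time protection on, signatures fresh.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
            $findings += 'AV: Defender antivirus or real-time protection is disabled'
        }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings += "AV: signatures are $($mp.AntivirusSignatureAge) days old (last update $($mp.AntivirusSignatureLastUpdated))"
        }
    } else {
        $findings += 'AV: Defender cmdlets unavailable; check the installed product in its own console'
    }

    # 4. Any anti-virus registered with Security Center, by name. If the product the
    #    practice pays for is missing here, its license or install may have lapsed.
    #    productState is a vendor-specific bitmask, so only the name is reported.
    $registered = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $avNames = if ($registered) { ($registered.displayName) -join ', ' } else { 'none registered' }

    # 5. Unattended, logged-in devices: the machine should lock itself. This reads the
    #    "Interactive logon: Machine inactivity limit" policy value. A lock enforced only
    #    through a user screen-saver policy would not show up here.
    $lockKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lockSecs = (Get-ItemProperty -Path $lockKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if (-not $lockSecs -or $lockSecs -gt $MaxLockSeconds) {
        $findings += "Lock: no machine inactivity limit, or limit above $MaxLockSeconds seconds (value: $lockSecs)"
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        RegisteredAV = $avNames
        Findings     = $findings
        Current      = ($findings.Count -eq 0)
    }
}

# Run it and print one line per finding; no findings means this box is current.
$result = Test-WorkstationCurrency
"$($result.Computer): registered AV = $($result.RegisteredAV)"
if ($result.Current) { 'OK: no findings' } else { $result.Findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on each workstation (or through your remote management tool) and keep the output with your office physical notes; a finding on the lock or the signature age is exactly the kind of concrete goal the previous section asks you to write down.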
If you’re looking for an easy HIPAA compliance plan, check out our 21-day plan for HIPAA compliance.
Learn how to protect against social engineering
Social engineering is manipulating someone into trusting you enough to divulge information, grant access, or take an action they shouldn’t. Because medical data is so valuable on the black market, I wouldn’t be surprised to see a rise in social engineering in the coming years.
The following is a true story from one of our customers about social engineering:
A small provider had just trained their staff on social engineering. Two days later, a well-dressed guy showed up. He said he was from their insurance company and needed to look at a particular medical device. The receptionist told him she didn’t have a record of him coming, and tested him by asking how many of that particular device they had. He said four. They only had one. She told him that without proper authorization, she couldn’t let him back to see that device. He left. A quick call to the insurance company verified they had not sent anyone out to visit. We don’t know for sure what he was after, but you can bet it was PHI.
That is a great example of why staff security training is absolutely crucial! Armed with nothing more than a little training, that receptionist stopped a social engineer: she checked her visitor schedule, tested his story against something only the practice would know, held the line on authorization, and confirmed with the insurer afterward.
Separate user accounts for all staff
Each workforce member should have different access to patient information based on their job and role within your organization. The receptionist shouldn’t have the same access as the nurse. In Windows Active Directory, on your Windows servers, and in your EHR system, create an access control role for each type of staff you employ and grant permissions to the role, not to individuals. Be sure to give everyone their own unique account; a shared login that several people know cannot tell you who did what. Individual accountability (exactly who accessed PHI and when) is a basic HIPAA requirement: the Security Rule lists unique user identification as a required implementation specification (45 CFR 164.312(a)(2)(i)).
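The Windows side of this, as an added example that is not code from the original post or from SecurityMetrics: one security group per job role, one named account per person, folder rights granted to the roles only, and file auditing so the Security log records which individual opened a chart. It assumes the ActiveDirectory RSAT module and an elevated session on a domain controller or the file server; the domain (clinic.local / CLINIC), the OUs, the staff names and the share path are placeholders for the illustration.

```powershell
# Added example (not from the original post): role groups, individual accounts,
# role-based folder rights and access auditing. Domain, OUs, names and path are placeholders.
Import-Module ActiveDirectory

$domainDn = 'DC=clinic,DC=local'
$netbios  = 'CLINIC'
$roleOu   = "OU=Roles,$domainDn"
$staffOu  = "OU=Staff,$domainDn"
$phiShare = 'D:\Shares\PatientRecords'    # placeholder path for the records share

# 1. One global security group per role. Group membership, not the account, decides access.
$roles = @{
    'Role-FrontDesk' = 'Reception: scheduling and demographics, no chart access'
    'Role-Clinical'  = 'Nurses and providers: read and update charts'
    'Role-Billing'   = 'Billing: read charts for claims, no changes'
}
foreach ($name in $roles.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path $roleOu -Description $roles[$name]
    }
}

# 2. One named account per person. A shared "frontdesk" login used by three receptionists
#    cannot tell you who looked at a record, which is exactly what HIPAA asks you to know.
$staff = @(
    @{ First = 'Ana';  Last = 'Reyes';  Role = 'Role-FrontDesk' }
    @{ First = 'Ben';  Last = 'Okafor'; Role = 'Role-Clinical'  }
    @{ First = 'Cara'; Last = 'Lindt';  Role = 'Role-Billing'   }
)
foreach ($p in $staff) {
    $sam = ($p.First.Substring(0, 1) + $p.Last).ToLower()      # e.g. areyes
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        # Throwaway initial password handed over in person; change forced at first logon.
        $initial = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
        New-ADUser -Name "$($p.First) $($p.Last)" -GivenName $p.First -Surname $p.Last `
                   -SamAccountName $sam -UserPrincipalName "$sam@clinic.local" `
                   -Path $staffOu -AccountPassword $initial -Enabled $true `
                   -ChangePasswordAtLogon $true
    }
    Add-ADGroupMember -Identity $p.Role -Members $sam
}

# 3. Folder rights go to roles, never to individuals. Inherited entries are copied, then the
#    broad BUILTIN\Users and Authenticated Users entries are removed so only roles (plus
#    SYSTEM and Administrators) remain. Role-FrontDesk deliberately gets no entry at all.
$acl = Get-Acl -Path $phiShare
$acl.SetAccessRuleProtection($true, $true)
$acl.Access |
    Where-Object { $_.IdentityReference -match '\\(Users|Authenticated Users)$' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$grants = @(
    @{ Id = "$netbios\Role-Clinical"; Rights = 'Modify' }          # read and update charts
    @{ Id = "$netbios\Role-Billing";  Rights = 'ReadAndExecute' }  # read only
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $phiShare -AclObject $acl

# 4. Accountability: enable file-system auditing and put a SACL on the share so every
#    successful or failed read, write or delete is logged under the user's own account.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$auditAcl  = Get-Acl -Path $phiShare -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData,WriteData,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$auditAcl.AddAuditRule($auditRule)
Set-Acl -Path $phiShare -AclObject $auditAcl

# 5. Check the result: each person's groups, and the entries that actually sit on the share.
foreach ($p in $staff) {
    $sam    = ($p.First.Substring(0, 1) + $p.Last).ToLower()
    $groups = (Get-ADPrincipalGroupMembership $sam | Select-Object -ExpandProperty Name) -join ', '
    "$sam -> $groups"
}
(Get-Acl -Path $phiShare).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

This handles the directory and file-server side only; the EHR's own role assignments live in its administration console and need the same treatment, with one EHR login per person mapped to the same roles. When someone changes jobs, move them between the Role-* groups rather than editing folder permissions, and when they leave, disable the account instead of reusing it, so old audit entries keep pointing at the right person.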
Read more about role-based access here: Everyone Is Not Created Equal in Healthcare
Make security a habit
Try to work on these small HIPAA compliance/data security actions for at least 10 minutes per day for an entire month. Set a reminder on your phone’s calendar. It doesn’t matter whether you are researching phishing, doing an inventory of your systems, or reviewing your notice of privacy practices (NoPPs) to make sure they’re up to date; you are working diligently to be more secure as an organization.
What have you done in the past to help manage the time involved with becoming HIPAA compliant?
Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.