It’s more important than ever for healthcare organizations to ensure patient data security. Along with evolving regulations, the Health Care Compliance Association (HCCA) notes that increased ransomware risk paired with inadequate protection measures could pose significant challenges for healthcare organizations in 2022. Add in the increasing use of telehealth solutions and cloud-based patient platforms, and there’s a perfect storm brewing for patient data privacy.
This isn’t simply speculation; in the third quarter of 2021 alone, 68 healthcare providers found themselves locked out of their networks due to ransomware. And across the country, companies struggled to keep data safe. In New Jersey, a medical practice management organization suffered a data breach that impacted more than 56,000 individuals last July. In January 2022, a Colorado physician’s agency faced a data breach when attackers gained access to an employee email account, and in early April, a California healthcare provider reported that a breach from summer 2021 put more than 318,000 records at risk.
It’s clear that healthcare organizations must prioritize data security to protect patient information and ensure regulatory compliance. In this piece, we’ll explore how companies can take a more proactive approach with five best practices to boost health data protection.
How can healthcare organizations take a more proactive approach to securing private health data?
Due diligence is a critical component of regulatory compliance under the Health Insurance Portability and Accountability Act (HIPAA). Put simply, due diligence is the reasonable steps taken by organizations to ensure they meet healthcare data handling requirements.
Given the evolving nature of healthcare operations and the growing risk of ransomware and other attacks, companies can’t afford to wait until an incident occurs to improve their security approach and adjust key components — instead, they need to take a proactive approach that aims to reduce both the likelihood of attacks and impact if they do occur.
Not only does this security strategy set the stage for processes that protect health data and increase the response speed when issues occur, but it also helps protect businesses from serious legal and compliance consequences.
Consider the case of a healthcare agency that doesn't take steps to effectively encrypt its data in the cloud. If the data is breached and attackers steal patient health records, the company could face both a class-action lawsuit from individuals whose data wasn’t properly protected and penalties for failing to meet HIPPA’s due diligence requirements. For example, if lacking security processes meet the standard of “willful neglect,” the business could face fines between $10,000 and $50,000 for each violation.
Five best practices for securing private health data
To proactively secure private health data and meet HIPAA compliance standards, start with these five best practices:
Best practice #1: Encrypt data
HIPAA regulations require healthcare organizations to encrypt patients’ electronic health data in situations where it could be exposed to risk, such as during transmission or at rest. In practice, transmission covers any type of transfer, such as an email or SMS message, while “at rest” can refer to data stored in a database, on a USB drive, or in the cloud.
While HIPAA doesn't identify specific encryption standards, the National Institute of Standards and Technology (NIST) recommends the advanced encryption standard (AES) using 128, 192, or 256-bit encryption.
Best practice #2: Log usage
According to the 2021 Healthcare Data Risk Report, on average, healthcare staff have access to 20% of all files stored by the organization, and two-thirds of companies have more than 500 accounts with passwords that never expire.
This is why it’s vital for companies to ensure they know who’s accessing patient data, when, and why. In practice, this means deploying robust logging processes that record access requests and data use, both to identify potential risks and create a traceable use and access chain in the event of a HIPAA audit.
Best practice #3: Use an external data store
It’s also worth considering using a secure data storage solution to house and protect PII for you, which can limit your overall legal liability in the event of a data breach. This might take the form of a HIPAA-compliant cloud provider or data center operator, or using a security solution vendor that provides secure data repositories for specific data sets that meet HIPAA requirements.
Best practice #4: Secure devices
In the shift to remote work, laptops and mobile devices have become popular access points for patient records. As a result, companies must ensure that these devices are secure. Some of the ways to do this include using virtual private networks (VPNs) to help protect network connections and reduce the risk of data exposure, along with implementing mobile device management (MDM) tools that help identify potentially problematic access requests or application use.
Best practice #5: Assess risk
Finally, healthcare organizations must continually assess potential risks and take steps to mitigate these risks wherever possible. This includes regularly evaluating both people and processes — for example, are current operations meeting HIPAA expectations around access and use, or are additional measures required?
Ensuring HIPAA Privacy Rule compliance
According to the U.S. Department of Health and Human Services, the HIPAA Privacy Rule “establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as ‘protected health information’) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.”
To comply with this rule, companies must create and deploy appropriate safeguards that reduce the risk of a data breach and set specific limits on who can access patient data and for what reason.
In addition, the Privacy Rule gives patients rights over how their data is used, including the ability to request a copy of their records or request record corrections. As a result, healthcare organizations must take steps to not only reduce the risk of a data breach or compromise but also ensure the integrity of data by ensuring it is not accessed, changed, or deleted without patients’ permission. To do this, healthcare organizations should create and implement policies that lay out both clear expectations for the secure handling of data and consequences if these policies aren’t followed.
The HIPAA Security Rule
A subset of the Privacy Rule, the HIPAA Security Rule requires healthcare organizations to protect electronic protected health information (ePHI) via three types of safeguards:
- Technical safeguards protect ePHI and manage access. They include tools that gate access based on unique user identifiers and roles, controls that record data use and access for audits, processes that ensure the integrity of data, and solutions that verify the identity of users requesting access.
- Physical safeguards include limiting access to secure facilities and creating disaster recovery plans to restore lost data or minimize attack impact, along with enforcing guidelines for workstation security and use.
- Administrative safeguards include security management processes, employee security awareness and training, creating contingency plans, and developing written agreements with all “covered entities” under HIPAA to ensure accountability. These entities may include vendors, contractors, and solution providers.
Securing private health data during identity verification
To ensure due diligence and align with HIPAA expectations, healthcare businesses must secure private health data every step of the way, including during the identity verification (IDV) process.
To help limit the chance of compromise during this process, organizations can take steps such as:
- Automating the IDV process: This reduces the need for humans to examine and verify personal information, in turn reducing total risk.
- Using an IDV provider that can store PII for you: By transferring the responsibility of keeping your users’ data safe to your IDV provider, you reduce your liability of any potential breaches or leaked customer data and can focus on growing your business.
- Ensuring your IDV provider is HIPAA-compliant: Partnership with HIPAA-compliant IDV partners helps ensure due diligence and provides peace of mind that your verification processes meet HIPPA Security Rule standards.
The evolving landscape of electronic health record (EHR) usage
Pre-pandemic, just 11% of U.S. patients used digital health services — now, almost 50% are opting for telehealth solutions whenever possible. Data from the American Hospital Association, shows that even before the pandemic, 76% of hospitals offered some type of telehealth, and this number has grown exponentially. EHRs, meanwhile, are now used by 96% of hospitals and 86% of doctors’ offices.
The shift to telehealth is both encouraging and concerning — while AI and machine learning (ML) tools offer massive opportunities for healthcare agencies to improve patient care, the sheer amount of data significantly increases the available attack surface for potential compromise.
As a result, it’s critical for healthcare companies to develop and deploy best practices that meet current HIPAA standards and set the stage for continued patient protection.
At Persona, we help digital health companies seamlessly identify patients while meeting constantly changing healthcare requirements, including HIPAA, regional drug identification laws, and more. Get a demo to learn more or start for free today.