10 Tips to Prevent a Healthcare Data Breach

The future is today. We are able to see and chat with someone on the other side of the world with a device that most people own and it fits in the palm of the hands. With all the electronic devices available to us today, patients' medical records can be shared on a computer or cell phone screen and readily transmitted electronically to others. But with this ease comes a very real danger of medical records falling into the wrong hands.

According to a new analysis published in the Journal of the American Medical Association, more than 175 million health care records have been breached since 2010, and medical records are becoming more vulnerable every year.

IT security remains a key issue as health organizations continue to evolve their electronic healthcare systems in order to comply with the HITECH Act of 2009.  In fact, if a data breach occurs and more than 500 patients are affected as a result, the provider must notify the Department of Health and Human Services and become subject to fines up to $1.5 million.

Below are 10 tips to prevent a healthcare data breach.

1. Conduct a Risk Assessment

Stage One of the CMS meaningful use incentive program requires all providers to conduct a risk assessment of their IT systems. This is in accordance with the HIPAA Privacy and Security Rules that govern the transmission of all electronic patient information. The risk assessment forces providers to review security policies, identify threats and uncover vulnerabilities within the system.

2. Provide Continued HIPAA Education to Employees

Educate and re-educate employees on current HIPAA rules and regulations. Furthermore, review and share state regulations involving privacy of patient information. If employees are in the know and reminded of the implications of data breaches, risk of violation can be drastically reduced.

3. Monitor Devices and Records

Remind employees to be watchful of electronic devices and/or paper records left unattended. More often than not data breaches occur due to theft of these items from a home, office or vehicle. While it is the informatics department responsibility to safeguard patient information, employees should be reminded to do their part in keeping data safe as well.

4. Encrypt Data & Hardware

Encryption technology is key in avoiding data breaches. While HIPAA doesn’t require data to be encrypted, it also does not consider loss of encrypted data a breach. Furthermore, protect hardware such as servers, network end points, mobile and medical devices as these items are also vulnerable.

5. Subnet Wireless Networks

Ensure that networks made available for public use do not expose private patient information. One way of achieving this is to create sub-networks dedicated to guest activity and separate more secure networks for medical devices and applications that transmit and carry sensitive patient information.

6. Manage Identity and Access Stringently

With so many members of the healthcare system frequently accessing patient information – for a multitude of different reasons – it is important to carefully manage identity of users. For instance, make sure users at each level are only granted access to information pertinent to their position and that log on/off procedures are easy on shared machines. Automation of this system helps create a “paper trail” and ensures efficiency and safety for all involved.

7. Develop a Strict BYOD Policy

BYOD or Bring Your Own Device policies should be airtight and follow the same security guidelines outlined above.

8. Examine Service-Level Agreements Carefully

If you are considering moving patient information and data to the cloud make sure you understand the Service-Level Agreement (SLA) with your potential Cloud Service Provider (CSP). Specifically, ensure that you, not the CSP, own the data and that it can be accessed reliably, securely and more importantly timely (in the event of a crash). Also, verify that the SLA complies with HIPAA and state privacy laws.

9. Hold Business Associates Accountable for IT Security Policies

It is imperative to update business associate agreements to reflect evolving federal and state privacy regulations. A healthcare organization can have hundreds or even thousands of vendors with access to patient data. In the event of a breach, the healthcare provider is ultimately responsible. Therefore, hold business associates accountable for providing security and risk assessments and develop processes for reporting breaches.

10. Establish a Relationship with Qualified Legal Counsel

In the event of a data breach your organization will be investigated and most likely fined by the Office for Civil Rights. Lawsuits from patients may also ensue so be sure to be prepared from a legal standpoint. Compliance is key, so don’t be advised to withhold known information about the breach.