For over ten years, October has been recognized in the United States as National Cyber Security Awareness Month (NCSAM). October is a month dedicated to doing our part to ensure the safety and security of information while online.
As healthcare professionals, October provides us with an opportunity to take a closer look at our cybersecurity practices as they relate to protected health information (PHI). Are we doing all we can do to safeguard electronic protected health information (ePHI)?
Cybersecurity and the HIPAA Security Rule
Cybersecurity focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction. The objectives of cybersecurity are to protect the availability, integrity and confidentiality of an organization's and/or user's assets. Under the HIPAA Security Rule, physicians and other healthcare professionals are required to ensure the protection of ePHI in their offices and information systems. The HIPAA Security Rule requires the confidentiality, integrity and availability of all ePHI that you create, receive, maintain or transmit to be protected. In general this describes what needs to be done; the question is how.
Protect ePHI with a Five Step Action Plan
The five step action plan listed below is not all inclusive. Rather, it offers five reasonable and effective methods by which organizations and individuals can safeguard ePHI.
1. Strong password policy: a strong password policy is often overlooked, but may be the single most important step when it comes to safeguarding ePHI. A strong password is one that is case sensitive and requires a combination of letters, numbers and special characters. The password should be at least 6, preferably 8, characters in length. A strong password policy requires passwords to be changed periodically (for example, once per quarter) and not reused. Finally, passwords should never be shared with anyone and should not be something easy to guess, such as the name of your family pet.
2. Security Risk Analysis (SRA): for a security risk analysis to be effective in safeguarding ePHI, the SRA should be an ongoing process instead of a once-and-done exercise. A security risk assessment is required under the HIPAA Security Rule. According to the Department of Health and Human Services (HHS), "HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information." An important part of the SRA is identifying any potential weaknesses in an organization's security policies, processes and systems, and coming up with an action plan to address those weaknesses. For example, an organization may not have a password policy in place. Within a certain period of time, such as over the course of the next year, the organization would follow an action plan to implement a strong password policy such as the strong password recommendations above.
3. Protection from Malicious Software: also a requirement under the HIPAA Security Rule, it is critical for organizations to protect against malicious software. Malicious software gives an attacker partial, and in some cases full, control of your computer. If something in an e-mail appears strange, such as an unexpected attachment, do not open it. Malicious software (malware) may take the form of adware, spyware, a virus, a worm, etc. To protect against malicious software it is important for systems to be kept up-to-date with patches and updates. It is important to install anti-virus software that performs regular scans and updates. You may also consider installing anti-spyware and anti-adware software that performs regular scans and updates.
4. Training: both the HIPAA Privacy Rule and HIPAA Security Rule address training requirements for covered entities. Under the HIPAA Privacy Rule "a covered entity must train all members of its work force on the policies and procedures with respect to PHI." The Security Rule requires a covered entity to "implement a security awareness and training program for all members of its workforce (including management)." In addition, a covered entity should periodically provide security training updates based on current technology and security risks. For example, suppose a new, sophisticated program has been circulating health care networks in an attempt to steal patient information, and that it is being sent as an attachment in an e-mail. The covered entity should train all of its members on what to do if they receive that e-mail. In addition, a covered entity may consider issuing a warning to patients via a patient portal, or similar means, that advises of the program that aims to steal information.
5. Bring Your Own Device (BYOD) policy: it is estimated that the number of smartphones throughout the world will reach 2 billion by the end of 2015. The use of smartphones and other mobile devices has become commonplace in the medical workplace, and health care professionals often use their personal mobile devices at work. Using personal mobile devices in the workplace raises potential safety and privacy concerns. An effective BYOD policy will protect the security and integrity of your data technology infrastructure by:
- Identifying activities that are acceptable and what company-owned resources may be accessed.
- Determining what devices are allowed and how the devices will be supported.
- Stating the company's reimbursement policy for the cost of the device or phone plan.
- Addressing security requirements for using mobile devices such as password requirements and guidelines for messages containing PHI.
- Listing potential risks, liabilities and disclaimers for employees who wish to use mobile devices.
- Including a user acknowledgement and agreement, signed by the employee, that lists the approved BYOD device(s).
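As an added illustration of item 1 above (this is example code, not from the original article), the following Python turns the page's password rules into a check an organization could apply: minimum length, mixed case, a number and a special character, rejection of easy-to-guess words, no reuse, and expiry after roughly one quarter. The word list, the 90-day age limit, the history size and the hashing scheme used to avoid storing previous passwords in plaintext are assumptions made for this example.

```python
import re
import hashlib
import secrets
from datetime import date

MIN_LENGTH = 8        # page: at least 6, preferably 8; the stricter value is used
MAX_AGE_DAYS = 90     # page: change passwords about once per quarter (assumption: 90 days)
HISTORY_SIZE = 12     # assumption: how many previous password hashes are retained

# Constructed list of words the page calls "easy to guess" (e.g. a family pet's name)
EASY_TO_GUESS = {"password", "fluffy", "rover", "welcome"}


def composition_problems(pw):
    """Return the page's composition rules that pw fails (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special character")
    if any(word in pw.lower() for word in EASY_TO_GUESS):
        problems.append("easy to guess")
    return problems


def _hash(pw, salt):
    # Salted PBKDF2 so the history never holds plaintext (assumed scheme, not from the page)
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class PasswordHistory:
    """Tracks a user's previous passwords to enforce 'not reused' and periodic change."""

    def __init__(self):
        self.entries = []  # list of (salt, hash, date_set), oldest first

    def is_reused(self, pw):
        return any(_hash(pw, salt) == h for salt, h, _ in self.entries)

    def set_password(self, pw, today=None):
        """Apply the policy; return the list of problems, or [] if the password was accepted."""
        today = today or date.today()
        problems = composition_problems(pw)
        if self.is_reused(pw):
            problems.append("reused")
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.entries.append((salt, _hash(pw, salt), today))
        self.entries = self.entries[-HISTORY_SIZE:]  # keep only the most recent hashes
        return []

    def is_expired(self, today=None):
        """True when no password is set or the current one is older than MAX_AGE_DAYS."""
        today = today or date.today()
        return not self.entries or (today - self.entries[-1][2]).days > MAX_AGE_DAYS
```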
October is a good month to evaluate our cybersecurity practices and address areas that may be lacking. While the five step action plan is by no means all inclusive, it does offer reasonable and effective methods for individuals and organizations to safeguard ePHI. A strong password is a good way to ensure the safety and security of sensitive information at home or at work. Covered entities should be active in the SRA process, instead of thinking of an SRA as once-and-done. Protection from malicious software may be accomplished with anti-virus and anti-spyware software that performs regular scans and updates. Training provides an opportunity to give updates that are based on current technology and security risks. Finally, an effective BYOD policy will protect the security and integrity of your data technology infrastructure, especially as the use of mobile technology continues to become more commonplace in today's workplace. We all have a part in ensuring the safety and security of information while online.
If you have any questions about safeguarding PHI, need assistance completing a security risk analysis, or would like more information about implementing a BYOD policy, please do not hesitate to contact one of our professional consultants.