Protecting PHI: Reduce the Risk of Malicious Actors and Other Threats
The U.S. Department of Health and Human Services (HHS) acknowledges how essential it is for healthcare organizations to utilize electronic devices and media within their normal operations. Whether it is a desktop, laptop, smartphone, server, or tablet used to access, create, modify, store or transmit protected health information (PHI), there are important security measures to consider.
Understand the Risks
Anyone who has physical access to devices and media can change configurations, alter information, install malicious programs, and access sensitive information. All of these risks have the potential to adversely affect the confidentiality, integrity, and availability of PHI.
Limit Physical Access
To reduce these risks, covered entities and business associates are required to implement policies and procedures that limit physical access to electronic information systems and to the facilities in which they are housed. Electronic information systems that should have limited access include hardware, software, information, data, applications, and communications. HHS believes that ensuring only authorized personnel have physical access to electronic information systems will reduce the risk of physical access by malicious actors.
Consider Device and Media Controls
Covered entities and business associates should also consider device and media controls that help them alert on, respond to, and recover from security incidents and breaches. It is important to implement and accurately track controls that allow identification of any affected devices or media involved in an actual or suspected security breach. Having accurate controls in place will aid in your response to a breach.
HHS provides the following example: if hackers were to gain access to an organization's network by exploiting an unknown vulnerability, they could release malicious software via an electronic device or media. All healthcare organizations should have a robust and accurate inventory and tracking process that can identify how many devices or media are affected and where they are located. With this information, an organization should be able to make effective use of its resources and respond accordingly to an actual or suspected security incident or breach involving such devices or media.
What does this have to do with your Security Risk Analysis?
Your organization's policies and procedures, inventory forms, and other resources are all an important part of protecting PHI. This is one of the reasons we ask about these and other important considerations as part of our Security Risk Analysis. Healthcare Compliance Pros can help you reduce the risk of malicious actors or other actions adversely affecting the confidentiality, integrity, or availability of PHI.
Are you interested in hearing more about our Security Risk Analysis? Please contact us by email: firstname.lastname@example.org or by phone: 855-427-0427.