Healthcare organizations can use these 5 strategies to secure electronic protected health information (ePHI).
What is ePHI?
Electronic protected health information (ePHI) is sensitive, private information that’s important to keep safe and secure. In order for health data to be considered protected health information and regulated by HIPAA compliance it needs to be two things:
1. Personally identifiable to the patient
2. Created, used, or disclosed on behalf of a covered entity during the course of care
Cybersecurity breaches hit an all-time high last year, exposing a record amount of patient data. The number of individuals affected by healthcare data breaches has tripled in the last three years, making the protection of PHI more important and more difficult than ever.
Making sure ePHI is protected helps to ensure patient privacy and is the purpose of the HIPAA security rule that was established by the U.S. Department of Health and Human services (HHS). The security rule defines what information is protected and what safeguards need to be in place to ensure appropriate protection of ePHI. The ePHI that a covered entity or business associate creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.
Below are five of the most critical strategies covered in the HIPAA security rule that you need to have in place to protect ePHI so unauthorized users won’t be able to access confidential, personal information.
Make Security Awareness Training a Priority
The first step covered entities and business associates should take to properly secure patient health information is educating your staff on what ePHI is and how to protect it. In 2021, the use of stolen credentials, phishing, misuse, or human error accounted for 82% of data breaches according to Verizon's annual data breach report.
Having your staff take security awareness training is the first step to learning about how to protect ePHI. These trainings will educate them on current threats and their role in securing identifiable health-related information. In addition, conducting ongoing phishing simulations will allow organizations to measure how well their training is working.
Identify Where ePHI is Stored
One of the most important components of protecting ePHI is documenting where all ePHI is stored. Data Loss Prevention (DLP) solutions can be used to discover ePHI across the organization as well as enforce rules and policies to prevent data loss and data leakage. Taking an inventory of all network hardware as well as all web applications that store company data will help make sure that all sensitive data is accounted for. Data classification can also be helpful in identifying sensitive data moving forward.
Enforce Strict Access Control Policies
Enforcing access control policies is critical. Employees of your company should have the minimum level of access to ePHI that they need to do their job. Any unnecessary patient records that they have access to is a violation of the HIPAA security rule and poses an unnecessary risk to your organization.
Requiring a unique ID and complex password for each user is important so your account stays secure. When generating passwords, you should never use the same password on multiple accounts. If one account gets hacked and the user credentials are compromised, you have to assume the credentials will be sold on the dark web. This can be extremely dangerous if these credentials allow someone with malicious intent to access other accounts that contain ePHI. Implementing multi-factor authentication for any sites that contains ePHI is one of the most important security measures that you can put in place to protect against unauthorized access.
Regular log monitoring will help you to detect unauthorized access or suspicious activity on your accounts quickly. Once you realize there’s suspicious activity, you can take action immediately, which will prevent the breach from going unnoticed for an extended period of time.
Having system inactivity timers enforced will prevent unauthorized users from viewing ePHI when a user walks away from their computer or forgets to sign out of an account. The timer will log the user off automatically after a specific period of inactivity.
It's extremely important that employees who have access to ePHI are held accountable by having them sign the company Workstation Use and Sanction policies which define how patient information is to be used and consequences for violating the established policies. Access control management and holding employees accountable for the use and disclosure of ePHI will reduce the risk of private information getting into the wrong hands.
Implement On-Premise and Offsite Data Backup Solution
Most organizations realize the importance of an onsite image backup, but in today’s environment air gapping is critical. Air gapping is an advanced data protection measure that isolates the backup from the production environment and keeps it secure from ransomware or any other disaster effecting the production environment. Offsite backup replication is critical as it allows data to be restored in the event of a disaster involving the on-premise environment. Verifying backup integrity daily will assure data can be restored if necessary.
Backing up web applications is something many organizations don’t think about which is concerning since web application attacks are one of the top causes of healthcare data breaches in 2022. Making sure that all applications that contain ePHI are backed up and recoverable is essential.
HIPAA compliance requires organizations to document disaster recovery and business continuity plans to assure patient information can always be accessed when needed. Making sure that this is done will make the recovery process much easier in the event of a disaster because everyone will know the exact strategy to follow.
Build a Resilient Infrastructure
Full-disk encryption is critical to protecting ePHI. Encryption will make the data that’s saved on a computer or portable device impossible to view if the device is lost or stolen as it requires the exact encryption key for the data to be accessible. In fact, if a device is encrypted and is then lost or stolen, it's not considered a data breach under HIPAA regulations.
Using a supported operating system and applying security patches on a timely basis is critical. If your system hasn’t updated or it’s missing important security updates, the sensitive information will become vulnerable.
Malware is a term that refers to viruses and other harmful programs that cybercriminals use to gain access to private information. In order to confirm that ePHI is secure, your organization must form an IT infrastructure that protects all employee devices from malware by installing a next-gen anti malware software that detects and isolates malware on the spot.
Setting up advanced, next generation firewalls with intrusion prevention enabled as well as implementing network segmentation are critical in order to block hacker’s attempts to gain access to the network and minimize damage in the event they are successful.
Disposing of hard drives properly will make sure private information doesn’t get into the wrong hands. All personally identifiable health information must be erased or the hard drive must be destroyed before it's discarded. For compliance purposes, be sure to get a certificate of destruction from the vendor that does your hard destruction.
DNS layer security is essential in preventing infiltration and exfiltration attempts. It blocks requests over any port or protocol where domains and other internet infrastructures are staged. This stops malware attacks sooner and it will prevent callbacks to attackers if infected machines connect to your network.
Implementing secure remote access is critical as more and more users are working remotely. Solutions such as Citrix and TruGrid are excellent choices for securing access to company resources remotely.
Having a business class email solution and adding encryption capability, as well as advanced threat protection is a must. The majority of ransomware attacks are delivered through email, and making sure that you've implemented sufficient email security layers is extremely important.
Protecting ePHI requires you to implement a multi-layered strategy that includes all of the security measures listed above. With data breaches at an all time high, it's important that you implement the necessary safeguards to ensure that you're doing everything possible to keep ePHI secure.
Are you doing enough to protect ePHI?
Need help with protecting your ePHI, HIPAA compliance, or conducting a Security Risk Analysis? Call Intellisuite at 877-843-5767, or request a call from one of our experts:
U.S. Department of Health and Human Services
Verizon 2022 Data Breach Investigations Report