Table of Contents
If you’re a healthcare organization 2021 was a pretty bad year, and that’s not just pandemic-speak. It was the worst year to date for healthcare breaches. 45 million records were exposed or stolen in 713 major breaches. 2022 is on a mission to break the record. The Department of Human & Health Services’ (HHS) infamous Wall of Shame notes that 20 million patient records have been exposed in healthcare breaches in 2022. Healthcare records are so lucrative that they account for 95% of all identity theft cases and are worth 25 times as much as a credit card. With hackers at your heel, it is increasingly difficult (and imperative), to secure your valuable Electronic Protected Health Information (ePHI). In this blog, we lay out 5 aspects to comprehensively protect your ePHI both from a breach and after a breach. A 5-Step ePHI data security plan. Protect EPHI data!
5 Steps to Protect your ePHI Data
Step #1 ePHI Data Security Plan => Assess: Risk Assessment and Incident Planning
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule mandates that all “covered entities” aka health care providers conduct a periodic risk analysis to assess the ePHI their organization creates, transmits, or stores. The first step to protecting your ePHI data is assessing the risks and setting up an incident response plan.
- Risk Assessment: A thorough, yearly risk assessment will give you a clear picture of your IT infrastructure, data landscape, corporate changes, staff turnover, the latest vulnerabilities and malware/ransomware types. You’ll want to consider everything from technical risks like system or software vulnerabilities to non-technical risks like user error or social engineering. It should also outline the movement of your ePHI and its transitions between providers, payers and patients. A good start to formulate your risk assessment plan is HHS’ security risk assessment tool.
- Incident Response Planning: With a clear overview of flow of data, you can then work on creating an Incident Response Plan that outlines the steps to take should a breach occur (Check out a 5-Step Ransomware Response Plan). This plan should be reviewed and updated regularly to ensure it’s up-to-date with the latest threats.
Step #2 ePHI Data Security Plan => Protect: Encrypt, Secure, Train, Audit
Now that you know where your ePHI is and how it flows, you can start to put security controls in place to protect your ePHI data.
- Robust Encryption: The first step is encryption which renders data unreadable and unusable to unauthorized individuals. This is the most effective way to protect PHI as even if a hacker manages to gain access to your systems, they won’t be able to make sense of the data. All ePHI in-transit and at-rest should be encrypted, whether it’s stored on servers, laptops, mobile devices or backups.
- Secure Data and Endpoints: Create a culture where ePHI is respected and data security is seen as an organizational responsibility. Get buy-in from a cross-functional team on a set of security objectives so that everyone understands the importance of critical applications and securing sensitive data sets. Build a software ethos of “data privacy by design”. Protect your data with a reliable backup that utilizes offsite/cloud-based storage. Conduct regular backup and recovery testing of both your backup application and processes. You’ll also want to secure remote access to your systems with a Virtual Private Network (VPN) which creates a protected, encrypted tunnel between an authorized user and your network. Multi-factor authentication (MFA) is another strong measure to take as it requires users