March 4, 2020
The role of technology in healthcare and patient access to healthcare data will continue to increase in prevalence in 2020. The rise in ransomware attacks, HIPAA enforcement, and the latest PCI standards for credit/debit card handling make it more crucial than ever to protect sensitive financial and health data. Forward-thinking healthcare organizations will do well to prioritize creating and executing a healthcare IT security strategy to protect their organization and their patients in the year ahead. We spoke with several healthcare data security experts we trust to get their top data security tips for healthcare organizations.
Kevin Goodman, Managing Director at BlueBridge Networks: We selected BlueBridge to host our PCG and Data Conversion servers and associated security infrastructure due to their extensive experience and reputation with hospitals and healthcare entities.
Jeff Keiser, President at Keiser Computers: Keiser Computer’s Drs Enterprise is a key integrator of practice management systems with 22 years of experience providing security guidance to a variety of healthcare clients.
Gary Pritts, Founder and President at Eagle Consulting Partners: Eagle Consulting Partners is a HiTrust CSF certified consulting firm that has helped healthcare organizations achieve better quality, revenue, and care through consulting, compliance, IT, and management-related expertise.
Leonard Hamer, CEO at Physician Select Management: Physician Select Management is a HiTrust CSF certified eClinicalWorks SaaS implementation company and records hosting company with more than 20 years of experience.
All four experts agree that auditing your current security measures, implementing multi-layer defenses against data breaches, training your staff on the importance of protecting PHI (Protected Health Information), and avoiding ransomware attacks are top security priorities for the year ahead.
The foundation of success in achieving your security resolutions will be developing a strong partnership with an IT vendor who understands what’s at stake and specializes in healthcare clients. What follows are some of the experts’ specific suggestions:
A thorough risk assessment is one of the best investments you can make to protect your healthcare organization. A broad assessment examines the gaps and controls in your security coverage. Although HIPAA regulations have been in place since 1996, their scope has continually evolved, and enforcement has steadily tightened. A study by HIPAAJournal.com found that 2018 was a record year for HIPAA enforcement and that the trend continued in 2019. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) ramped up enforcement related to patient access rights, egregious cases of non-compliance, and organizations with a culture of noncompliance (i.e. healthcare providers that don’t conduct comprehensive risk analyses, organizations with poor risk management practices, those lacking HIPAA policies and procedures, etc.).
What will the coming year bring? In 2020, the OCR will focus on ensuring healthcare organizations have “reasonably appropriate” protections in place to secure patient PHI and to prevent a healthcare data breach. Primary areas of concern in 2020 include patient access to medical information, cyber security, business associate agreements, and risk analysis.
Key areas to focus on improving include:
All security experts we spoke with were concerned by the rampant ransomware attacks affecting healthcare organizations. In 2019, the U.S. was hit by an unprecedented barrage of ransomware attacks, with healthcare one of the hardest-hit industries. At least 764 healthcare practices (large and small) were hit by a ransomware attack that kept them from accessing critical patient records and encrypted their backup systems as well. In some cases, these attacks forced facilities to pay to regain access to their encrypted systems, to temporarily stop accepting patients, or to go without their data entirely for days or weeks.
To protect your organization’s data, experts suggest:
Education is your best defense against security threats. Whether you are transitioning systems, communicating with patients, or simply handling day-to-day administrative tasks, security vulnerabilities present themselves frequently. Unfortunately, it only takes something as simple as clicking on a phishing email, failing to notice suspicious activity, or being unknowingly careless with sensitive data to put your facility at risk for a serious data breach. That is why investing in “cyber hygiene training” for your clinicians and staff is one of the most worthwhile investments you can make this year. You probably don’t question whether your machines need an electronic firewall. Consider your staff your “human firewall,” and ensure they are well-equipped to protect your PHI.
A few things to look for in a training system:
Fortunately, there are many resources available to help your organization become more HIPAA/PCI compliant and prevent ransomware attacks. We suggest working with a security partner such as BlueBridge Networks or Eagle Consulting to help you audit your compliance and implement a multi-layer defense system. Most likely your local IT resource will not be qualified in this specialty, but may be able to recommend one. Practices should seek a company with extensive experience and reputation with hospitals and healthcare organizations, and be sure to speak with their reference practices. Additionally, always ask for a sample security audit report to ensure the audit looks not only at security controls but also at the business and insurance implications for your facility.
The experts we spoke with say that there are many security training solutions, ranging from free resources to high-end solutions. They suggest HIPAASecureNow.com, Proofpoint, and KnowBe4 for HIPAA compliance auditing and training resources. They rely on these tools for their clients because they offer up-to-date, thorough, easy-to-implement resources to train your entire staff. Whether you use these or similar tools, ongoing and up-to-date training on relevant healthcare topics is critical.
Healthcare IT security experts agree that auditing your current security measures, implementing multi-layer defenses against data breaches, and training your staff on identifying and preventing data breaches are the best things you can do to protect your healthcare facility and the patients you serve. Data security can be overwhelming, but working with an experienced IT vendor with healthcare expertise will help simplify the process and help protect your organization.