[author: Mike Ogden] Show Given the choice between credit card data and digital health records, cybercriminals prefer the latter. A stolen credit card can be canceled. Electronic protected health information (ePHI) with its treasure-trove of personally identifiable information offers a higher value on the Dark Web. HIPAA compliance, specifically its Security Rule, establishes standards for protecting individuals’ electronic personal health information and provides administrative, physical, and technical safeguards. HIPAA's Security Rule dovetails nicely with IT security best practices. Former Acting Deputy Director for HIPAA at the Department of Health and Human Services (HHS), Iliana L. Peters, shares four ways to protect data security and patient safety that go beyond check-the-box HIPAA compliance. 1. Perform a risk analysisof HIPAA-protected data
A risk analysis should identify all ePHI created, maintained, received, or transmitted, regardless if the data travels inside or outside the organization. According to Peters, the risk analysis might also uncover the absence of business associate agreements. It’s a frequent flashpoint for OCR settlements. Many HIPAA violations come from a failure to have business associate agreements in place to govern the handling of personal health information.
2. Defense is the best offense to protect ePHI Patient records can be sold for $1000 on the dark web, so it’s no surprise healthcare organizations and business associates with ePHI are the target of choice for cybercriminals. Given the value and volume of their data, healthcare organizations are especially vulnerable to phishing attempts and ransomware attacks. If you know where ePHI is vulnerable, you can take steps to address with IT defensive measures. Many ransomware incidents occur when IT systems go without updating. The best defense against ransomware is a multi-pronged approach: regular patching, backup system and recovery strategy. Nobody wants to pay a ransom. Peters stressed the importance of software patching and maintaining a patching schedule. Regular software updates help address security flaws favored by hackers. Time and resources should be built into the budget for recurring security updates and cybersecurity training. Employee training, such as simulated phishing attacks, is a critical part of defensive ePHI data security. FTC's Start with Security and OCR's YouTube channel are also good resources to check out. 3. Address insider threatsand unauthorized access Healthcare also has an insider threat challenge, which Peters refers to as “employee snooping.” Whether it’s out of curiosity or for illicit gain, individuals without authorization gain access to patient data. It’s not just inappropriate access that could result in a HIPAA violation. The act could lead to criminal activity and capture the attention of state attorney generals. All current employees should attest to company policy and made aware of what leads to a HIPAA violation.
One of the biggest risks of insider threat is when employees leave while retaining access to ePHI data for days or even weeks. To prevent employees accidentally or maliciously accessing data, check the controls, policies, and procedures that govern employee access to patient data. Since departing employees present a security risk, their access should be terminated immediately upon surrendering credentials. 4. Perform comprehensive, enterprise-wide risk management In addition to a targeted assessment, Peters suggests that healthcare organizations use technology to perform comprehensive, enterprise-wide risk management. She also recommends outside counsel and cyber insurance for post-incident forensic investigations. Since the majority of settlements from the Office for Civil Rights stem from risk management, protecting ePHI data should be an organizational priority. Risk management initiatives should include stakeholders in compliance, legal, and IT departments, with regular updates to department heads and the board. HIPAA compliance demands record-keeping and accountability. The best way to protect an increasing volume of patient healthcare data is a central location for controls, policies, procedures, and documents like business associate agreements, in addition to following IT security best practices and robust employee training. We just scratched the surface here with the importance of risk analysis, access control, cybersecurity training and comprehensive, enterprise-wide risk management. How can I protect my ePHI?Options for Protecting ePHI. Password-Protect Microsoft Word Files.. Encryption Using a "Public-Private Key" Option.. Encryption Using "Symmetric Key" Option.. Secure Web Sites.. Virtual Private Networks (VPNs). Is ePHI protected under HIPAA?The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information "electronic protected health information" (e-PHI).
What is the greatest protection of ePHI?Identify Where ePHI is Stored
One of the most important components of protecting ePHI is documenting where all ePHI is stored. Data Loss Prevention (DLP) solutions can be used to discover ePHI across the organization as well as enforce rules and policies to prevent data loss and data leakage.
Which safeguards should be used to protect ePHI?The Technical Safeguards standards apply to all EPHI. The Rule requires a covered entity to comply with the Technical Safeguards standards and provides the flexibility to covered entities to determine which technical security measures will be implemented.
|
To better protect ePHI in accordance with HIPAAs Security Rule, which is true
zusammenhängende Posts
Urheberrechte © © 2024 toptenid.com Inc.
