Chief Information Officer ... electronic protected health information (ePHI). .... storage of patient data has evolved s
EIGHT TIPS FOR SECURING YOUR ePHI Thomas Saine, CISSP Chief Information Officer
spok.com
INTRODUCTION Communications have changed drastically since the HIPAA Privacy Rule (1996) and HIPAA Security Rule (2003) first went into effect. While many of those communication changes have brought more efficient and effective patient care, they also create issues in safeguarding electronic protected health information (ePHI). A breach of ePHI can be costly, not only in terms of reputation, but also from hefty fines. The following tips are designed to keep you thinking about ePHI and what your organization should be doing to stay compliant.
1 KNOW THE RULES If you send or receive ePHI, you must have a plan in place to secure the data while it’s in your possession and while it’s in transit among providers, partners, and others involved in patient care and administration. Security measures and solutions must be appropriate for the organization, decisions must be documented and analyzed (including rationale), and security measures must be periodically reviewed and updated. TAKE ACTION: When was the last time you reviewed the security plan as it pertains to ePHI? If you don’t know the answer, the time is now.
2 KNOW YOUR RISKS Encryption is the easiest way to safeguard ePHI from prying eyes and security breaches, but first you must understand where sensitive patient data is stored in your organization and how it’s transmitted. The IT department should be aware of many of the puzzle pieces, such as mobile devices that can be lost or stolen, and overall network security. But they may not have all sources of risk top of mind. For example, medical devices (such as medication dispensing systems and dialysis machines) that can store and transmit patient information often are overlooked. TAKE ACTION: Consider hiring a security consultant to help identify the ePHI pressure points within your organization. They can help you understand your risks and work with you to develop a blueprint for success to minimize these risks effectively.
2
33 AVOID POTENTIAL TRAPS Protected health data should be stored on secure servers or in a secure cloud environment. Access to the data should be restricted to authorized users, and storage vendors need to adhere to the same HIPAA privacy and security rules that your organization does with a business associate agreement (BAA). TAKE ACTION: Is your organization still using thumb drives or other portable media to transport information? Misplaced items such as these are often the source of breaches. Many organizations have banned their use, while others have instituted encryption and rigid rules designed to keep track of these devices.
4 FOCUS ON MOBILE, BRING YOUR OWN DEVICE (BYOD) STRATEGIES Healthcare providers using smartphones can be seen as often as providers using stethoscopes these days. But smartphones and other mobile devices must be part of your organization’s data protection strategy. Many organizations rely on mobile device management (MDM) solutions to safeguard the unauthorized transmission of ePHI while supporting the desire of workers to use the mobile devices they are comfortable with and prefer. TAKE ACTION: Restricting user access to sensitive data and networks by adding a secure MDM solution is a smart way to manage mobile devices within a BYOD environment.
3
5
ENFORCE SECURE COMMUNICATIONS Any texting that occurs among providers regarding patients must be encrypted, which is why more health systems are exploring secure texting options. Yet secure texting should be just one part of a critical communications strategy that supports mobile clinical workflows. In addition to security, the ability to get the right information (alerts, alarms, notifications, and messages) to the appropriate caregiver at the right time is of vital importance. TAKE ACTION: A comprehensive approach to secure, mobile communications should address more than just security. How do providers locate colleagues for care coordination? Do they have easy access to an online directory and up-to-date on-call schedules?
6
CONTROL ACCESS The availability of patient information should be restricted to clinicians and staff who need that information to do their jobs and provide proper patient care. This will help reduce inappropriate and unnecessary access. Even for people with approved access, the devices used to send/receive sensitive data can pose a security threat if they are lost or stolen, or that person leaves the organization with data still on a personal device. These instances point to the need to be able to remotely wipe sensitive data, an advantage of MDM solutions and other applications designed for security (such as HIPAA-compliant texting apps). TAKE ACTION: Does your organization have a comprehensive mobility strategy to track devices and address these types of situations? In addition to assessing overall workflows for optimal improvements, good mobility strategies also include access control and remote wiping.
4
EBRIEF Planning a mobility strategy? See the definitive guide for tips and ideas.
DOWNLOAD NOW »
“We will enforce the change
7
TRAIN, THEN ENFORCE
Read the Advance
by restricting system access. If staff want to access the UHS systems and email via mobile device, then they will have to do so through the secure product – they won't be allowed to play outside our secure environment.”
Human error is a major cause of Health Network breaches, underscoring the importance article to learn of training on HIPAA, proper use of how one CIO is ePHI, and the potential ramifications approaching of a breach. Each user should have a ePHI security for unique, authenticated identity to access BYOD at his hospital. Bill Phillips patient information, and passwords READ NOW» Senior Vice President and should be changed frequently. Your Chief Operating Officer secure communications protocols should University Health System (UHS) include auditing functions to monitor proper use and trace the source of any breaches. The ability to use security protocols such as MDM and secure texting solutions should be offered as an alternative to unsecured means of communications. Enforcement is key. TAKE ACTION: To enforce security policies, limit accessibility of internal networks, email, and patient information to only approved devices or through secure portals on BYOD devices (such as through an MDM solution).
8
RECOGNIZE YOUR PROGRESS, BUT KEEP AT IT Safeguarding ePHI isn’t a one-and-done proposition. Your security plans should be reviewed periodically and updated as necessary. Monitor audit reports and have a contingency plan in place to ensure that ePHI is backed up, secure, and can be recovered in the event of an emergency. And have a plan in place to handle the necessary communications and tasks in the event a breach does occur. TAKE ACTION: Managing ePHI, devices, servers, and the policies that govern their use can be a monumental task. An experienced security consultant can help your organization assess, evaluate, and modify security plans, as well as make recommendations about other products or services that can help.
CONCLUSION HIPAA has been in place for nearly two decades, but it is anything but static. The transmission and storage of patient data has evolved significantly, as has the technology supporting care-related communications. When set against other industry changes such as Meaningful Use and ICD-10, focusing on safeguarding ePHI may feel like a low priority. However, the proliferation of mobile devices, BYOD, and the ever-rising costs and reputational risk from data breaches require this issue to remain front and center. Your organization should have a comprehensive secure communications plan in place to protect the data of your patients while still supporting efficient workflows and timely care coordination. Designing a full mobility strategy and implementing the pieces is a large undertaking. A qualified critical communications provider well-versed in the industry can help you craft a solution that meets your needs and helps you secure your ePHI. In this way you are well armed to protect both your patients and the sensitive information in your care. 5
ABOUT THOMAS SAINE Saine has been the Chief Information Officer of Spok since August 2008 providing executive leadership for the company’s Information Technology and Wireless Messaging Network teams. He is a Certified Information Systems Security Professional (CISSP), which is an industryrespected vendor-neutral certification for proven, deep technical and managerial competence in information security programs and in protection against sophisticated security attacks. Prior to his current position, he was the Chief Technology Officer at Spok, and he has held senior technology leadership positions with Northrop Grumman Corporation, WebLink Wireless, and MobileComm. Saine has more than 25 years of operations, engineering and technology management experience. He currently serves on the Board of Spok Canada, Inc. (formally GTES, Inc.). He has a Masters of Science in Engineering Management from Columbus University and a Bachelor of Science in Management from California Coast University. Learn more about CISSP credentials.
SM
ABOUT SPOK, INC.
Spok, Inc., a wholly owned subsidiary of Spok Holdings, Inc. (NASDAQ: SPOK), headquartered in Springfield, Va., is proud to be a leader in critical communications for healthcare, government, public safety, and other industries. We deliver smart, reliable solutions to help protect the health, well-being, and safety of people around the globe. Organizations worldwide rely on Spok for workflow improvement, secure texting, paging services, contact center optimization, and public safety response. When communications matter, Spok delivers.
spok.com © Spok, Inc. 2015 All Rights Reserved. Spok is a trademark of Spok Holdings, Inc. Other names and trademarks may be the property of their respective owners.
