Chief Information Officer ... electronic protected health information (ePHI). .... storage of patient data has evolved significantly, as has the technology ... University and a Bachelor of Science in Management from California Coast University.
EIGHT TIPS FOR SECURING YOUR ePHI Thomas Saine, CISSP Chief Information Officer


INTRODUCTION Communications have changed drastically since the HIPAA Privacy Rule (1996) and HIPAA Security Rule (2003) first went into effect. While many of those communication changes have brought more efficient and effective patient care, they also create issues in safeguarding electronic protected health information (ePHI). A breach of ePHI can be costly, not only in terms of reputation, but also from hefty fines. The following tips are designed to keep you thinking about ePHI and what your organization should be doing to stay compliant.

1 KNOW THE RULES If you send or receive ePHI, you must have a plan in place to secure the data while it’s in your possession and while it’s in transit among providers, partners, and others involved in patient care and administration. Security measures and solutions must be appropriate for the organization, decisions must be documented and analyzed (including rationale), and security measures must be periodically reviewed and updated. TAKE ACTION: When was the last time you reviewed the security plan as it pertains to ePHI? If you don’t know the answer, the time is now.

2 KNOW YOUR RISKS Encryption is the easiest way to safeguard ePHI from prying eyes and security breaches, but first you must understand where sensitive patient data is stored in your organization and how it’s transmitted. The IT department should be aware of many of the puzzle pieces, such as mobile devices that can be lost or stolen, and overall network security. But they may not have all sources of risk top of mind. For example, medical devices (such as medication dispensing systems and dialysis machines) that can store and transmit patient information often are overlooked. TAKE ACTION: Consider hiring a security consultant to help identify the ePHI pressure points within your organization. They can help you understand your risks and work with you to develop a blueprint for success to minimize these risks effectively.
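The inventory step this tip describes (find every place ePHI is stored or transmitted, including devices the IT department may not track, and check how each one protects it) can be turned into a repeatable check. The following Go program is an added example written for this page, not code from the author or his organization; the system names, the sample exports and the identifier patterns are constructed, and a real scan would use your own asset inventory and a fuller set of identifier formats.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// System is one place ePHI might live: an EHR server, a dispensing cabinet,
// a dialysis machine, a clinician's phone. Constructed for this example.
type System struct {
	Name             string
	Sample           string // constructed text exported or logged by the system
	EncryptedAtRest  bool
	EncryptedTransit bool
	Transmits        bool
}

// Patterns that suggest ePHI. Illustrative only; a production classifier
// would cover your own MRN format, insurance IDs, names plus dates, etc.
var ephiPatterns = map[string]*regexp.Regexp{
	"SSN": regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	"MRN": regexp.MustCompile(`\bMRN[:# ]\s*\d{6,10}\b`),
	"DOB": regexp.MustCompile(`\bDOB[:# ]\s*\d{1,2}/\d{1,2}/\d{4}\b`),
}

// Finding records a gap between where ePHI was observed and how it is protected.
type Finding struct {
	System string
	Issue  string
}

// ClassifyText returns the sorted identifier types found in text (empty if none).
func ClassifyText(text string) []string {
	var kinds []string
	for kind, re := range ephiPatterns {
		if re.MatchString(text) {
			kinds = append(kinds, kind)
		}
	}
	sort.Strings(kinds)
	return kinds
}

// AssessSystems scans each system's sample for ePHI. A system that holds ePHI
// without encryption at rest, or sends it without encryption in transit, is
// reported; systems with no identifiers observed are out of scope.
func AssessSystems(systems []System) []Finding {
	var findings []Finding
	for _, s := range systems {
		kinds := ClassifyText(s.Sample)
		if len(kinds) == 0 {
			continue
		}
		if !s.EncryptedAtRest {
			findings = append(findings, Finding{s.Name, fmt.Sprintf("stores %v unencrypted", kinds)})
		}
		if s.Transmits && !s.EncryptedTransit {
			findings = append(findings, Finding{s.Name, fmt.Sprintf("transmits %v unencrypted", kinds)})
		}
	}
	return findings
}

// Inventory is constructed sample data; every name and value is made up.
var Inventory = []System{
	{"ehr-db-01", "Patient J. Doe MRN: 00482913 DOB: 04/12/1961 SSN 123-45-6789", true, true, true},
	{"med-dispense-3w", "dispense event MRN: 00482913 lorazepam 1mg 14:02", false, false, true},
	{"dialysis-unit-2", "session log MRN: 00917744 DOB: 11/30/1954 uf 2.1L", false, true, true},
	{"lobby-kiosk", "wayfinding: radiology is on level 2", false, false, true},
}

func main() {
	for _, f := range AssessSystems(Inventory) {
		fmt.Printf("%-18s %s\n", f.System, f.Issue)
	}
}
```

Run as written, the EHR server produces no finding because it encrypts at rest and in transit, the kiosk is skipped because its output contains no identifiers, and the two medical devices (the tip's easily overlooked category) each surface a gap. The point of scanning real output rather than trusting a vendor questionnaire is that it tells you where ePHI actually is, which is what the risk analysis has to be based on.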


3 AVOID POTENTIAL TRAPS Protected health data should be stored on secure servers or in a secure cloud environment. Access to the data should be restricted to authorized users, and storage vendors must be bound, through a business associate agreement (BAA), to the same HIPAA privacy and security rules your organization follows. TAKE ACTION: Is your organization still using thumb drives or other portable media to transport information? Misplaced items such as these are often the source of breaches. Many organizations have banned their use, while others have instituted encryption and rigid rules designed to keep track of these devices.
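The three controls in this tip (access limited to authorized users, vendor access only under a BAA, and no unencrypted portable media) are easier to reason about when written as one access decision that is also recorded for audit. The Go program below is an added example for this page, not the author's or any product's code; the roles, actions, account names and the care-team model are constructed assumptions, and a real deployment would take them from the EHR's own role and relationship data.

```go
package main

import (
	"errors"
	"fmt"
)

// Principal is a user or vendor account requesting ePHI. Constructed type.
type Principal struct {
	ID        string
	Role      string // "physician", "nurse" or "vendor" in this example
	IsVendor  bool
	BAAOnFile bool // business associate agreement signed (vendors only)
}

// Record is one patient's stored ePHI plus the accounts with a treatment relationship.
type Record struct {
	PatientID string
	CareTeam  map[string]bool
}

// AuditEntry is appended for every decision. Denials are recorded too: a
// pattern of denied requests is often the first sign of misuse or a misconfiguration.
type AuditEntry struct {
	Principal, Patient, Action, Result string
}

var (
	ErrNoBAA            = errors.New("vendor has no business associate agreement on file")
	ErrRole             = errors.New("role not permitted to perform action")
	ErrNoRelationship   = errors.New("no treatment relationship with patient")
	ErrUnencryptedMedia = errors.New("export to unencrypted portable media is prohibited")
)

// rolePermits is the minimum-necessary matrix: each role gets only the
// actions its job requires. Assumed values for illustration.
var rolePermits = map[string]map[string]bool{
	"physician": {"read": true, "export": true},
	"nurse":     {"read": true},
	"vendor":    {"support": true},
}

// Store holds the audit trail; storage of the records themselves is out of scope here.
type Store struct {
	Audit []AuditEntry
}

// Authorize decides whether p may perform action on rec and logs the outcome.
// mediaEncrypted is only consulted for exports, where it enforces the portable-media rule.
func (s *Store) Authorize(p Principal, rec Record, action string, mediaEncrypted bool) error {
	err := s.check(p, rec, action, mediaEncrypted)
	result := "allow"
	if err != nil {
		result = "deny: " + err.Error()
	}
	s.Audit = append(s.Audit, AuditEntry{p.ID, rec.PatientID, action, result})
	return err
}

func (s *Store) check(p Principal, rec Record, action string, mediaEncrypted bool) error {
	if p.IsVendor && !p.BAAOnFile {
		return ErrNoBAA // no BAA, no access, regardless of role
	}
	if !rolePermits[p.Role][action] {
		return ErrRole
	}
	// Vendors act under the BAA; clinicians need a treatment relationship.
	if !p.IsVendor && !rec.CareTeam[p.ID] {
		return ErrNoRelationship
	}
	if action == "export" && !mediaEncrypted {
		return ErrUnencryptedMedia
	}
	return nil
}

func main() {
	s := &Store{}
	rec := Record{PatientID: "P-1001", CareTeam: map[string]bool{"dr.lee": true, "rn.ortiz": true}}
	// Constructed requests: one legitimate read, then one violation of each rule.
	_ = s.Authorize(Principal{ID: "dr.lee", Role: "physician"}, rec, "read", false)
	_ = s.Authorize(Principal{ID: "rn.ortiz", Role: "nurse"}, rec, "export", true)
	_ = s.Authorize(Principal{ID: "dr.lee", Role: "physician"}, rec, "export", false)
	_ = s.Authorize(Principal{ID: "dr.kim", Role: "physician"}, rec, "read", false)
	_ = s.Authorize(Principal{ID: "cloudco-svc", Role: "vendor", IsVendor: true}, rec, "support", false)
	for _, e := range s.Audit {
		fmt.Printf("%-12s %-7s %-8s %s\n", e.Principal, e.Patient, e.Action, e.Result)
	}
}
```

The ordering of the checks is deliberate: the BAA test comes before anything else so that a vendor account can never reach ePHI on the strength of a role alone, and the relationship test means a valid role is still not enough to open a chart for a patient the clinician is not treating.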

4 FOCUS ON MOBILE, BRING YOUR OWN DEVICE (BYOD) STRATEGIES Healthcare providers using smartphones can be seen as often as providers using stethoscopes these days. But smartphones and other mobile devices must be part of your organization’s data protection strategy. Many organizations rely on mobile device management (MDM) solutions to safeguard against the unauthorized transmission of ePHI while supporting the desire of workers to use the mobile devices they are comfortable with and prefer. TAKE ACTION: Restricting user access to sensitive data and networks by adding a secure MDM solution is a smart way to manage mobile devices within a BYOD environment.



5 ENFORCE SECURE COMMUNICATIONS Any texting that occurs among providers regarding patients must be encrypted, which is why more health systems are exploring secure texting options. Yet secure texting should be just one part of a critical communications strategy that supports mobile clinical workflows. In addition to security, the ability to get the right information (alerts, alarms, notifications, and messages) to the appropriate caregiver at the right time is of vital importance. TAKE ACTION: A comprehensive approach to secure, mobile communications should address more than just security. How do providers locate c
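What "encrypted texting" has to deliver is confidentiality of the message body plus a guarantee that neither the body nor the routing information was altered in transit. The Go program below is an added example for this page, not code from the author or any secure-texting product; it shows one message exchange with AES-256-GCM from the standard library, with the sender and recipient bound to the ciphertext as associated data. The account names and message are constructed, and the key is generated locally for the demonstration, whereas a real platform establishes and protects per-conversation keys on the device (which is where the MDM controls from tip 4 come in).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what travels over the messaging service: ciphertext plus the
// routing fields the service needs in the clear. Those fields are bound to
// the ciphertext as GCM associated data, so they cannot be swapped either.
type Envelope struct {
	From, To string
	Nonce    []byte
	Cipher   []byte
}

// NewKey returns a fresh 256-bit key. Generated locally here for the example.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one clinical text for the wire. GCM needs a fresh random
// nonce for every message under a given key; reuse destroys confidentiality.
func Seal(key []byte, from, to, text string) (Envelope, error) {
	g, err := aead(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ad := []byte(from + "->" + to)
	ct := g.Seal(nil, nonce, []byte(text), ad)
	return Envelope{From: from, To: to, Nonce: nonce, Cipher: ct}, nil
}

// Open decrypts and verifies. Any change to the ciphertext, nonce or routing
// fields fails the authentication tag and nothing is returned to the reader.
func Open(key []byte, e Envelope) (string, error) {
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	ad := []byte(e.From + "->" + e.To)
	pt, err := g.Open(nil, e.Nonce, e.Cipher, ad)
	if err != nil {
		return "", errors.New("message rejected: authentication failed")
	}
	return string(pt), nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed message; no real patient data.
	env, err := Seal(key, "dr.lee", "rn.ortiz", "Pt in bed 4: K+ 6.1, please review")
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %x\n", env.Cipher)
	text, err := Open(key, env)
	fmt.Println("recipient reads:", text, err)
	env.To = "rn.other" // a relay that rewrites the recipient is detected
	_, err = Open(key, env)
	fmt.Println("rerouted copy:", err)
}
```

Associated data is the piece most ad hoc implementations leave out: without it, a message service could deliver a valid ciphertext to the wrong caregiver with no cryptographic signal that anything changed, which matters for the alarm-routing requirement the tip raises as much as for confidentiality.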