All healthcare providers tasked with electronically transmitting patient protected health information (PHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It is what allows the use of data vital to health decisions while ensuring the privacy of an individual’s healthcare information.
Despite the punishments laid out by the federal government for those who violate the rule, we see headlines everyday referencing data breaches of healthcare providers.
There were 32 million breaches of patient health records in the first half of 2019 alone, totaling 285 separate incidents. And, 88 percent of those, equaling 27.8 million records, were the result of hacking.
Significant breach incidents
American Medical Collection Agency
The largest of those breaches was at the American Medical Collection Agency. Even collection agencies fall under the umbrella of the rule since they receive private information from patients.
Lax security and compliance policies allowed hackers to compromise their systems from April 2018 until March 2019, when the breach was discovered.
Thieves got away with information from major clients like LabCorp, Quest Diagnostics, and Sunrise Laboratories. The resulting fallout led the company to file for bankruptcy protection.
While eight months may seem like a long time for a data breach to go undetected, that pales in comparison to nine years. That is how long it took Dominion National, an insurer and health plan administrator, to realize they were under attack.
The earliest detected breach of their systems occurred back in 2010. An investigation that concluded on April 24, 2019 revealed that nearly 2.9 million patients were impacted.
How to increase data storage security in healthcare
How can other healthcare organizations prevent themselves from being the next high-profile headline? Here are practical steps businesses can take:
1. Build a culture of compliance
Organizations should have a member of senior management serve as a compliance officer. They should create a board whose primary responsibility is overseeing each area of the organization when it comes to adhering to HIPAA compliance rules. They should ideally coordinate with the IT department to evaluate the company’s current security architecture.
Your technology team should ensure that networks and other areas are monitored, and that clear alerts are sent out when a breach is detected. It is also a good idea to develop easily accessible compliance policies and procedures that include expected standards of conduct. They can potentially be transformed into business rules and monitored using automation.
Compliance procedures should ensure timely updates of all HIPAA-related documentation whenever there is a change that affects the handling of electronic PHI.
2. Implement workforce training
Server weaknesses are not the only way hackers end up obtaining PHI. They make frequent attempts to gain information from unaware company personnel. Those attempts can include:
- Sending emails with links to fraudulent websites
- Monitoring their social media activity for clues on passwords and other security information
- Spoofing emails from other executives to obtain sensitive data.
Businesses should implement in-person and online training that shows workers how to recognize these attempts. Emphasis should be placed on the importance of each employee’s role in keeping PHI safe and protecting patients and other health partners from exploitation.
3. Establish technical safeguards
One of the conveniences offered by the modern workplace is allowing employees to use personal devices at work. Every company should establish a mobile device policy that governs their use. This policy should include how these devices can interact with company systems, networks, allowed app downloads, and data storage guidelines. The same level of security should apply to user workstations and media used to transfer data back and forth.
Healthcare organizations should also create and enforce access control policies that allow only authorized personnel to access PHI. Other technical safeguards should include:
- Audit controls for all hardware and software used within the company
- Integrity controls protecting PHI from being changed or destroyed without permission
- Security around the transmission of PHI over electronic networks
- Contracts with all business associates that establish how they should handle any PHI sent electronically
Redapt can help healthcare organizations build secure data storage platforms that keep them compliant when it comes to protecting electronic PHI under HIPAA. Learn more about what it takes to build a modern data storage solution by downloading our latest white paper: A Strategic Approach to Data Storage.
Keep up with Redapt
- Enterprise Infrastructure
- Data & Analytics
- Cloud Adoption
- Cloud Native
- Workplace Modernization
- Application Modernization
- Google Cloud Platform (GCP)
- Multi-Cloud Operations
- Tech We Like
- Security & Governance
- Dell EMC
- IoT and Edge
- Business Transformation
- Managed Services
- Microsoft Azure
- Emerging Tech
- Google Resale