With data breaches on the rise, hospitals and health systems are tackling the challenge of protecting electronic patient health information as it moves to the cloud.
Providers that fail to secure ePHI in a private or public cloud run the risk of a data breach and subsequently potential damage to their brands, reputations and bottom lines. They likely will also find their names posted to HHS' list of breaches of unsecured protected health information affecting 500 or more individuals, a HITECH Act requirement. As of this writing, the so-called "wall of shame" displays 464 breaches at health facilities across the country, with new incidences added on a regular basis. Enterprises found to be in violation of HITECH rules could also face steep fines reaching as much as $1.5 million for failure to protect their ePHI.
Below are 10 steps that healthcare organizations can take to safeguard ePHI and ensure HIPAA and HITECH compliance as cloud computing evolves more fully into an industry mainstay.
1. Secure transmissions. One of the greatest points of security risk occurs when data is "in flight" from one provider to another via public or private cloud. Healthcare facilities should use a minimum of 128-bit encryption. Preferably, they should achieve advanced levels of AES 256-compliant encryption to safeguard sensitive data and the channel during transmission.
2. Perform annual risk assessments. Other highly regulated industries, like financial services, are required to conduct regular audits to ensure ongoing compliance. However, many healthcare organizations overlook this important step. With the growing adoption of cloud computing, organizations should consider hiring a third-party consultant to conduct thorough risk audits on an annual basis. These consultants can also implement ongoing monitoring tools to raise red flags instantly if potential security issues arise.
3. Enhance breach notification processes. Today, most breaches come to light when someone in the organization stumbles on one or more, or the media reports it as part of their headline-grabbing news stories. Only a small minority of facilities have sufficient breach-notification processes and alerting tools in place. That needs to change. Generally available monitoring software can instantly notify the appropriate security authorities immediately if or when a breach occurs.
4. Segregate data. In the event that systems are hacked or another security failure occurs, organizations must have additional layers of protection in place. Using control compliance tools, enterprises can isolate confidential data and store it in a scrambled or "garbage" format. That way, if hackers or other unauthorized persons get into the system, the data cannot be read in the original (or meaningful) format.
5. Implement user and session reporting. It's critically important to capture detailed data about users' logins and logouts, including time, number of successful and failed logins and the files accessed. HIPAA-compliant event or "sys log" tools can proactively monitor and analyze employee logins to EHRs and other systems to flag potentially unauthorized activities.
6. Beef up physical security. Besides virtual security, organizations must put controls in place to prevent physical breaches. Using SAS 70 Type II-compliant data centers can mitigate risk and ensure ePHI security. SAS 70 Type II compliance offers an extra level of security for video surveillance, access badges, biometrics and multiple layers of security authentication before access to ePHI is granted. Additionally, the multiple layers of authentication and access control provide the ability to audit, and audit logs should be reviewed routinely to identify unauthorized attempts and ensure that the appropriate security measures are in place. Last, these data centers are constructed to withstand natural disasters such as fires, hurricanes and earthquakes.
7. Establish clear access control policies. Health facilities should document and keep an up-to-date log of authorized insiders, including employees, providers and others who have access to ePHI. That way, security officials can quickly investigate if they suspect an insider was involved in a data breach.
8. Restrict areas where ePHI is stored. To provide extra layers of security, facilities should lock down servers and restrict areas where patient data is stored.
9. Adopt backup, disaster recovery and operational crisis plans. Encrypt all data stored in onsite locations as well as those backed up offsite. Take steps to ensure clear procedures and trained personnel are in place if a crisis or disaster occurs.
10. Protect data stored on a network. Many breaches occur when a single laptop is lost or stolen. Organizations can install security mechanisms to encrypt laptops and other devices should they fall into the wrong hands.
Because cloud computing offers countless benefits (e.g., process and cost efficiencies to providers) it's smart to stay ahead of the curve on data security. A strong security and compliance foundation can be achieved starting with these proactive 10 measures to help prevent malicious or inadvertent access to sensitive patient data.
Ali Rana is manager, implementation and integration services and client services for T-System, Inc. He can be reached at arana@tsystem.com or on Twitter as @AliRanaCS.
Risk Assessments – What's the Big Deal? Your Responsibilities If You Adopt Electronic Health Records
7 Ways to Minimize Data Breach Costs
Providers that fail to secure ePHI in a private or public cloud run the risk of a data breach and subsequently potential damage to their brands, reputations and bottom lines. They likely will also find their names posted to HHS' list of breaches of unsecured protected health information affecting 500 or more individuals, a HITECH Act requirement. As of this writing, the so-called "wall of shame" displays 464 breaches at health facilities across the country, with new incidences added on a regular basis. Enterprises found to be in violation of HITECH rules could also face steep fines reaching as much as $1.5 million for failure to protect their ePHI.
Below are 10 steps that healthcare organizations can take to safeguard ePHI and ensure HIPAA and HITECH compliance as cloud computing evolves more fully into an industry mainstay.
1. Secure transmissions. One of the greatest points of security risk occurs when data is "in flight" from one provider to another via public or private cloud. Healthcare facilities should use a minimum of 128-bit encryption. Preferably, they should achieve advanced levels of AES 256-compliant encryption to safeguard sensitive data and the channel during transmission.
2. Perform annual risk assessments. Other highly regulated industries, like financial services, are required to conduct regular audits to ensure ongoing compliance. However, many healthcare organizations overlook this important step. With the growing adoption of cloud computing, organizations should consider hiring a third-party consultant to conduct thorough risk audits on an annual basis. These consultants can also implement ongoing monitoring tools to raise red flags instantly if potential security issues arise.
3. Enhance breach notification processes. Today, most breaches come to light when someone in the organization stumbles on one or more, or the media reports it as part of their headline-grabbing news stories. Only a small minority of facilities have sufficient breach-notification processes and alerting tools in place. That needs to change. Generally available monitoring software can instantly notify the appropriate security authorities immediately if or when a breach occurs.
4. Segregate data. In the event that systems are hacked or another security failure occurs, organizations must have additional layers of protection in place. Using control compliance tools, enterprises can isolate confidential data and store it in a scrambled or "garbage" format. That way, if hackers or other unauthorized persons get into the system, the data cannot be read in the original (or meaningful) format.
5. Implement user and session reporting. It's critically important to capture detailed data about users' logins and logouts, including time, number of successful and failed logins and the files accessed. HIPAA-compliant event or "sys log" tools can proactively monitor and analyze employee logins to EHRs and other systems to flag potentially unauthorized activities.
6. Beef up physical security. Besides virtual security, organizations must put controls in place to prevent physical breaches. Using SAS 70 Type II-compliant data centers can mitigate risk and ensure ePHI security. SAS 70 Type II compliance offers an extra level of security for video surveillance, access badges, biometrics and multiple layers of security authentication before access to ePHI is granted. Additionally, the multiple layers of authentication and access control provide the ability to audit, and audit logs should be reviewed routinely to identify unauthorized attempts and ensure that the appropriate security measures are in place. Last, these data centers are constructed to withstand natural disasters such as fires, hurricanes and earthquakes.
7. Establish clear access control policies. Health facilities should document and keep an up-to-date log of authorized insiders, including employees, providers and others who have access to ePHI. That way, security officials can quickly investigate if they suspect an insider was involved in a data breach.
8. Restrict areas where ePHI is stored. To provide extra layers of security, facilities should lock down servers and restrict areas where patient data is stored.
9. Adopt backup, disaster recovery and operational crisis plans. Encrypt all data stored in onsite locations as well as those backed up offsite. Take steps to ensure clear procedures and trained personnel are in place if a crisis or disaster occurs.
10. Protect data stored on a network. Many breaches occur when a single laptop is lost or stolen. Organizations can install security mechanisms to encrypt laptops and other devices should they fall into the wrong hands.
Because cloud computing offers countless benefits (e.g., process and cost efficiencies to providers) it's smart to stay ahead of the curve on data security. A strong security and compliance foundation can be achieved starting with these proactive 10 measures to help prevent malicious or inadvertent access to sensitive patient data.
Ali Rana is manager, implementation and integration services and client services for T-System, Inc. He can be reached at arana@tsystem.com or on Twitter as @AliRanaCS.
More Articles on Data Security:
HIPAA/HITECH Risk Assessments: Are the Standards Being Met?Risk Assessments – What's the Big Deal? Your Responsibilities If You Adopt Electronic Health Records
7 Ways to Minimize Data Breach Costs