As healthcare continues its transition to digital formats and the cloud, the pressure on technical safeguards grows for all healthcare organizations. However, physical safeguards will continue to play a vital role in protecting healthcare data against breaches. Through proper implementation and use of physical safeguards, healthcare organizations can reduce the risk of breaches. The methods presented by Sara Heath of Health IT Security are discussed below.
Proper PHI Disposal
With healthcare organizations merging, shutting down, or transitioning to an EHR system, there are a lot of paper records with sensitive information to get rid of. According to the HIPAA Privacy Rule, acceptable methods for paper PHI disposal include burning, shredding, pulping, or pulverizing the records until they are unreadable. Improper disposal of paper records can have severe consequences. For example, a defunct medical testing facility left paper records containing PHI for 170 individuals in a dumpster. According to NWITimes.com, a local restaurant worker found the files in the dumpster and then contacted the media outlet. The paper files included such information as patient names, addresses, phone numbers, blood types, and credit card numbers with expiration dates and security codes. The files also included Social Security cards, driver’s licenses, health insurance cards, prescriptions for lab work, lab results, and medical diagnoses, all of which can be used by criminals to commit a multitude of crimes. After being contacted, the media company consulted with the Indiana Attorney General and turned the paper records over.
Facility Security
Healthcare facilities also need to ensure facility security to protect against potential thieves. Thieves like to target healthcare facilities because they are a prime location for expensive medical devices. The thieves can steal the equipment to gain access to large amounts of sensitive data or, at the very least, sell the equipment for a nice profit. Either way, the financial repercussions from the theft of these devices are significant in many ways. In October 2015, for example, a thumb drive was stolen from St. Luke’s Cornwall Hospital. The drive contained patient names, medical record numbers, dates of service, types of imaging services provided, and administrative information. Although St. Luke’s Cornwall Hospital did not disclose much information regarding its typical facility security measures, it may have had gaps that allowed this breach to happen. By implementing proper security protocols, facilities can prevent device thefts such as this.
Access Controls
Access controls, or the way a covered entity vets and controls who is viewing health information, are critical to implementing adequate physical safeguards. By restricting someone’s access, a healthcare organization can reduce the chance of information falling into the wrong hands. Generally speaking, healthcare professionals should only access the minimum amount of patient information necessary to complete their care. For example, if a physician doesn’t need to know about a patient’s mental health, they should not be able to access that patient’s mental health records. Studies have shown that this is not always the case. In a Ponemon Institute study commissioned by Varonis Systems, Inc., researchers found that 56 percent of respondents felt their organizations only put a low to moderate priority on protecting company data. Additionally, 65 percent of providers reported having access to patient information that they do not need in order to fulfill their job duties. Experts believe that healthcare organizations will place a bigger emphasis on access control as healthcare breaches become more prevalent. “The damage can be greatly reduced by managing data access permissions, making sure employees only have access to the data they need to do their jobs, and by monitoring for unusual activity,” said Varonis co-founder and CEO Yaki Faitelson.
As healthcare data breaches grow more prevalent, covered entities might find that attacks come in all forms. Despite improvements in IT security, implementing proper physical safeguards remains a vital element in protecting your organization from breaches.
Paubox is a provider of HIPAA compliant IT services. We help healthcare entities protect their emails and ensure the protection of PHI in transit and at rest through email.
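As an added illustration of the minimum-necessary access check and the access monitoring described under Access Controls above (example code written for this page, not Paubox's or any EHR vendor's software): a record request is allowed only when the requester's role is permitted that record category and the requester has an active care relationship with the patient, every decision is logged, and the log is scanned for users touching an unusual number of patients. The roles, categories, user names and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed role policy (an assumption, not any regulatory list): which record
# categories each role may read. The physician role deliberately excludes mental_health.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "labs", "medications", "imaging"},
    "mental_health_provider": {"demographics", "mental_health", "medications"},
    "billing": {"demographics", "insurance"},
}

# Constructed active care relationships: (user, patient) pairs the user currently treats.
CARE_RELATIONSHIPS = {("dr_lee", "patient_001"), ("dr_lee", "patient_002"), ("mh_ng", "patient_001")}

ACCESS_LOG = []  # every decision, allowed or denied, so access can be reviewed later


def authorize(user, role, patient_id, category):
    """Minimum-necessary check: the role must be permitted the category AND the user
    must have an active care relationship with the patient. Returns (allowed, reason)."""
    if category not in ROLE_PERMISSIONS.get(role, set()):
        decision = (False, "category not permitted for role")
    elif (user, patient_id) not in CARE_RELATIONSHIPS:
        decision = (False, "no active care relationship")
    else:
        decision = (True, "ok")
    ACCESS_LOG.append({"user": user, "patient": patient_id,
                       "category": category, "allowed": decision[0]})
    return decision


def unusual_users(log, threshold):
    """Monitoring signal: users whose requests (including denied ones) touched more
    distinct patients than the threshold. Returns a sorted list of user names."""
    patients_by_user = defaultdict(set)
    for entry in log:
        patients_by_user[entry["user"]].add(entry["patient"])
    return sorted(u for u, p in patients_by_user.items() if len(p) > threshold)


if __name__ == "__main__":
    print(authorize("dr_lee", "physician", "patient_001", "labs"))           # (True, 'ok')
    print(authorize("dr_lee", "physician", "patient_001", "mental_health"))  # denied by role
    print(authorize("dr_lee", "physician", "patient_999", "labs"))           # denied, no relationship
    print(unusual_users(ACCESS_LOG, 1))                                      # ['dr_lee']
```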