Cybersecurity needs to be a top priority for healthcare IT professionals. A compromised network not only creates operational problems for a healthcare organization, it can also lead to trouble with the U.S. federal government. Healthcare organizations handle protected health information (PHI), which has specific security requirements. PHI is sensitive data about patients, and HIPAA requires appropriate safeguards to ensure that only authorized users can access it.
Understanding HIPAA and how it relates to cybersecurity
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that protects patient rights and privacy. In terms of cybersecurity, Title II specifically established standards for PHI privacy and data security. HIPAA Title II covers how organizations may use PHI and sets the standard for the safeguards they must have in place. It also describes how HIPAA is enforced when non-compliance is discovered. HIPAA violations can lead to significant fines and other costs.
Some of the most common HIPAA violations include:
- Unauthorized access to or disclosure of PHI
- Email or network breaches
- Theft of medical records
- Non-compliant business associates
- Successful email phishing attacks that lead to a data breach
Compromised networks and email accounts are among the most common ways that HIPAA violations occur. But even if you are never breached, failing to have the appropriate safeguards in place is itself a HIPAA violation. That's why it's imperative for IT professionals to ensure compliance with HIPAA.
Covered entities aren't the only organizations that need to follow HIPAA security standards. Third-party vendors that access, store or transmit PHI also need to comply with HIPAA. These vendors are known as business associates. They must sign a business associate agreement (BAA) with the covered entity, committing the vendor to follow the HIPAA security rules. HIPAA requires implementing safeguards to protect PHI, and there are many ways to improve your cybersecurity and protect yourself against data breaches.
Here are some of the top cybersecurity tips.
Continual employee training
Employees are human, and they are prone to making mistakes. Human error is the cause of 95% of data breaches. Even with the strongest security technology available, employees remain the weakest link in the cybersecurity chain. Cybercriminals target them with phishing emails, display name spoofing attacks, and spam. Employee training is a necessity for raising awareness of cybersecurity issues.
Training should cover topics such as:
- Cybersecurity policies and procedures
- Safe use of electronic devices
- Physical, administrative, and technical safeguards
- Recognizing and blocking malicious emails
It's important that employees receive ongoing cybersecurity training. Attackers frequently change their methods, and employees need to be kept up to date on the latest security issues and how to prevent them.
Email encryption
HIPAA has left some covered entities confused about whether email encryption is required. The Department of Health and Human Services (HHS) deliberately left some HIPAA security requirements vague so that organizations can choose the safeguards best suited to their needs. The encryption requirement is "addressable," which means it must be implemented only if a risk assessment determines that encryption is needed to manage risks to PHI. If PHI is transmitted electronically (for example, in an email), it should be encrypted "whenever deemed appropriate." If a covered entity determines that encryption is not the best course of action, it must document its reasoning and implement an equivalent safeguard to protect PHI. However, there is no alternative safeguard as effective as encryption for data in transit, which makes email encryption effectively required in practice.
Therefore, covered entities usually rely on email encryption to meet HIPAA security standards. Paubox Email Suite enables you to send HIPAA compliant email by default, so you can easily communicate with patients without needing patient portals.
Ditch the fax
In a world filled with smartphones, it's surprising that 90% of covered entities still use fax machines. Faxing has many potential HIPAA compliance issues. For one thing, fax machines offer no physical or technical safeguards for the documents they print. There is also the risk of tampering, human error, and equipment theft. HIPAA also requires retaining documentation for at least six years, so if you rely on fax machines you may end up needing significant storage space. While some covered entities may transition to efaxing for HIPAA compliance (which sends the fax over the internet instead of a phone line), it may be time to upgrade your technology and go completely digital. Bottom line: Faxes can be HIPAA compliant, but email is often an easier and more secure communication method.
Two-factor authentication
Two-factor authentication, a form of multi-factor authentication, is an extra layer of security protection. It requires a user to prove their identity in two separate ways before logging in. The first factor is usually login credentials such as a username and password. The second factor can be something like answering security questions or entering a PIN received in a text message. Two-factor authentication has become best practice because passwords are easily stolen by attackers. If attackers don't control the second factor, a stolen password alone is not enough to get into the account.
Cybersecurity can't be an afterthought. Leaving patients' sensitive data vulnerable to attack is dangerous for you and for them. Many software providers can play a role in helping covered entities meet HIPAA security standards. Cybersecurity is constantly changing, and enlisting business associates helps you reach your goal of a secure network.