Securing patients’ protected health information (PHI) is essential to limiting your financial risk under the safeguards, and penalties, set out in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its related amendments.
Yet many health care organizations are at significant risk of PHI-related security breaches. An overwhelming majority – 94% – of health care organizations admitted to at least one breach of their PHI within the past two years, according to Larry Boettger, senior solutions architect with VIMRO, a security and networking solutions firm based in Baltimore, Md., who spoke at NAIRO’s Educational Symposium in late 2015.
In the face of a breach, health care organizations suffer potentially devastating financial consequences. For instance, a national insurer was recently hit with a $1.7 million fine for not securing access to an online database, and a Massachusetts ear and eye clinic was fined $1.5 million for a breach of its data. These are just two examples among many.
“The number-one problem everyone has is that they don’t have enough resources,” says Boettger, referring to personnel and financial shortfalls for many organizations seeking greater HIPAA security.
Adding to the pervasive issue of strained resources, Boettger highlights the top 10 leading causes of poor HIPAA compliance:
- Missing patches for operating systems and applications. Without the latest security updates to both your operating system and application software, you’re placing yourself at unnecessary risk. Ideally, “patching needs to be automated,” advises Boettger. “Make sure you have the latest system and application updates installed.”
- Failure to monitor and detect sensitive data loss (data exfiltration). This process can be automated, too, explains Boettger. The fact is, if your data gets breached you want to be the first one to know about it.
- Weak passwords. This is a simple one; beef up your passwords with a combination of lower case and upper case letters, numbers and symbols. Or switch to a system that uses “multifactor authentication” requirements to log in, advises Boettger.
- Lack of logs and audit trails that support forensics to identify and respond to a breach. As with an organization’s failure to monitor for a data breach, a lack of “threat intelligence” can doom you, says Boettger.
- Coding deficiencies in applications, which can lead to a breach. Ask your resident IT expert to double-check the security of a given application.
- Lack of security validation for new systems. You can boost your security compliance if you “validate that systems are configured securely,” explains Boettger. For example, make sure your electronic health record (EHR) system is up to snuff with a thorough round of vulnerability and penetration testing.
- Missing or outdated anti-malware technology. While anti-malware gets knocked for being an incomplete solution, “it’s still necessary,” says Boettger. For the best outcomes, centralize your anti-malware updates instead of relying on individual practitioners to update their own computers.
- No encryption of sensitive information in transit. When you send an email or share files, make sure you’re using encryption mechanisms for greater security.
- Lack of trained staff to maintain security controls. While many organizations face a budget crunch when it comes to employing full-time IT staff, there are ways to maximize your resources, including free training, according to Boettger. For example, the SANS Institute offers free resources for security awareness education.
- Outdated disaster recovery plans. Like other challenges mentioned above, ensure your disaster recovery plan is up to date to avoid missteps when a breach does occur.
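The second and fourth items on the list, monitoring for data exfiltration and keeping audit trails that support forensics, are two sides of the same control: an access log is only useful if something reads it and raises an alert. The following is an added example, not code from the article or from VIMRO, showing the simplest form of that check over an EHR access audit log. The log line format (`<ISO timestamp> user=<id> action=<verb> patient=<mrn>`), the sample lines, the ten-minute window and the threshold of five distinct patients are all constructed assumptions for illustration; a real deployment would tune them to the organization’s baseline.

```python
"""Flag users who access an unusual number of distinct patient records
in a short window, as one exfiltration signal an audit trail makes possible.

Added example, not from the article or VIMRO. The log format, sample
lines, window and threshold are constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log line format: "<ISO timestamp> user=<id> action=<verb> patient=<mrn>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<mrn>\S+)$"
)

# Constructed sample audit log: a clinician with normal activity, a service
# account touching eight charts in eight minutes, and one malformed line.
SAMPLE_LOG = [
    "2015-11-03T08:00:00 user=nurse01 action=view patient=MRN1001",
    "2015-11-03T08:02:00 user=nurse01 action=view patient=MRN1002",
    "2015-11-03T08:05:00 user=nurse01 action=view patient=MRN1001",
    "2015-11-03T08:09:00 user=nurse01 action=view patient=MRN1003",
] + [
    f"2015-11-03T09:{i:02d}:00 user=svc_export action=export patient=MRN20{i:02d}"
    for i in range(8)
] + [
    "this line is not in the expected format",
]


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "action": m["action"],
        "mrn": m["mrn"],
    }


def find_bulk_access(lines, window=timedelta(minutes=10), threshold=5):
    """Return {user: peak distinct patients in any sliding `window`} for every
    user whose peak reaches `threshold`. Malformed lines are skipped."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)  # per-user events inside the current window
    alerts = {}
    for e in events:
        q = recent[e["user"]]
        q.append(e)
        # Drop events that have aged out of the window.
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        distinct = len({x["mrn"] for x in q})
        if distinct >= threshold:
            alerts[e["user"]] = max(alerts.get(e["user"], 0), distinct)
    return alerts


if __name__ == "__main__":
    for user, peak in find_bulk_access(SAMPLE_LOG).items():
        print(f"ALERT: {user} accessed {peak} distinct patient records within 10 minutes")
```

Run against the constructed sample, the script flags only `svc_export`; `nurse01` stays under the threshold, and the malformed line is ignored rather than crashing the check. The point is not the particular threshold but that the same audit trail serves both purposes the list calls for: a running detector that tells you first, and a record that forensics can replay after the fact.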