The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). 6 tips to protect your practice from a data breach include:

  1. Purchasing and using the proper cybersecurity tools
  2. Hiring a cybersecurity specialist
  3. Providing cybersecurity awareness training to employees 
  4. Separating your practice’s accounts from your personal accounts
  5. Implementing appropriate cybersecurity policies for your practice
  6. Backing up your practice’s data

What is the Definition of a “Breach”?

Generally, a breach is an impermissible (unauthorized) use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. This demonstration of a low probability of compromise must be based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

What are 6 Tips to Protect Your Practice from a Data Breach?

The above-mentioned 6 tips to protect your practice from a data breach are discussed in greater detail below:

Tip 1: Purchasing and using the proper cybersecurity tools

Practices should purchase antimalware and antivirus software. No single antivirus solution is guaranteed to be 100% effective at malware detection and removal, but an antivirus solution is nonetheless effective for the most part.

Current antivirus products contain features that detect unseen threats – new, unknown malware. These products, by scanning for both known and unknown malware, now provide an extra layer of protection. Many antivirus software companies have also updated their antivirus products to include new features that go beyond “basic” protection. These new features include, among other things, encryption and patching automation.

Tip 2: Hiring a cybersecurity specialist

Providers should consider hiring trained professionals with a bachelor’s or master’s degree in cybersecurity. Such individuals can be hired as security specialists, and then tasked with developing HIPAA Security Rule policies and procedures that are needed to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Tip 3: Providing cybersecurity awareness training to employees

A recent Kaspersky Lab survey revealed an eye-opening statistic: almost one third of healthcare employees indicated that they had never received any cybersecurity training in the workplace. The survey results also revealed:

  • 11% of the healthcare employee respondents indicated they had received cybersecurity training when they began work, but had not received any training since
  • 19% of the healthcare employee respondents indicated that they had been given cybersecurity training, but felt that the training was insufficient

Cybersecurity training for employees is both essential and required; employees must be trained to recognize the cyberthreats (e.g., malware, phishing schemes, trojans, worms) they will encounter on a daily basis. In addition, employees must be trained in how to respond to such threats so that the practice is not put at further risk.

Tip 4: Separating your practice’s accounts from your personal accounts

Practices that do not keep business accounts separate from personal accounts – practices that store both kinds of account in the same place – are putting the health of their cybersecurity in jeopardy. Accounts should be kept separate for one basic, easy-to-understand reason: when a cyberattacker or hacker obtains data from one account, that person also, in the process, obtains access to the other account. In one fell swoop, the cyberattacker has obtained control over both your business and your personal information.

Tip 5: Implementing appropriate cybersecurity policies for your practice

Your practice should develop policies governing:

  • Access controls (e.g., assigning unique usernames and PINs to each employee, and establishing procedures to govern ePHI release or disclosure)
  • ePHI authentication (authentication confirms whether ePHI has been altered or destroyed in an unauthorized manner)
  • Encryption and decryption (devices used by authorized users must be able to encrypt messages when those messages are sent beyond the internal firewall server, and must be able to decrypt those messages when they are received)
  • Activity logs and audit controls (audit controls register attempted access to ePHI, and record what is done with the ePHI once someone has accessed it)
  • Automatic logoff (an automatic logoff mechanism ensures personnel are logged off after a pre-defined period of inactivity)
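The following is an added illustration, not code from the original article, of how three of the policy items above (ePHI authentication, audit controls, and automatic logoff) fit together at the point where a user reads a record. The integrity key, the 15-minute idle period, and the record layout are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load it from a key-management system.
INTEGRITY_KEY = b"demo-only-integrity-key"
# Pre-defined idle period for automatic logoff (assumed value for the example).
IDLE_TIMEOUT_SECONDS = 15 * 60


def seal_record(record):
    """Attach an HMAC tag so later alteration of the ePHI is detectable (ePHI authentication)."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify_record(sealed):
    """Recompute the tag over the stored data and compare in constant time."""
    body = json.dumps(sealed["data"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def session_expired(last_activity, now):
    """Automatic logoff: the session is dead once the idle period has elapsed."""
    return now - last_activity > IDLE_TIMEOUT_SECONDS


def access_ephi(user, sealed, last_activity, now, audit_log):
    """Gate one read of ePHI and record the attempt and its outcome in the audit log."""
    entry = {"ts": now, "user": user, "record_id": sealed["data"].get("id"), "action": "read"}
    if session_expired(last_activity, now):
        entry["outcome"] = "denied-session-expired"
    elif not verify_record(sealed):
        entry["outcome"] = "denied-integrity-failure"
    else:
        entry["outcome"] = "allowed"
    audit_log.append(entry)  # every attempt is logged, allowed or not
    return sealed["data"] if entry["outcome"] == "allowed" else None


if __name__ == "__main__":
    log = []
    rec = seal_record({"id": "pt-0001", "name": "Constructed Patient", "dx": "example"})
    print(access_ephi("nurse1", rec, 1000.0, 1100.0, log))      # allowed
    rec["data"]["dx"] = "altered"                                # simulate unauthorized modification
    print(access_ephi("nurse1", rec, 1000.0, 1100.0, log))      # None: integrity failure
    print(access_ephi("nurse1", rec, 1000.0, 1000.0 + 20 * 60, log))  # None: session expired
    for e in log:
        print(e)
```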

Tip 6: Backing up your practice’s data

Backing up data helps to ensure the data does not become compromised. Data backup also ensures continuity: using an automated system to back up data keeps the data stored on remote servers up to date.
