Preventing a Healthcare Breach
As healthcare breaches become more commonplace, it is important to ensure that you are adequately securing protected health information (PHI). There are many ways to do this, but certain precautions have become an industry standard.
Multi-factor Authentication (MFA). Although HIPAA does not require healthcare organizations to implement MFA, it is considered best practice because it provides more security than a username and password alone. MFA requires the user to present their username and password together with a second factor of a different kind, typically something they have, such as a one-time PIN from an authenticator app or hardware token, before they can access sensitive data. Answers to security questions are a weak choice for this: they are another thing the user knows, can be looked up or phished alongside the password, and so do not add an independent factor. With a genuine second factor, an unauthorized individual who obtains an employee's username and password still cannot access data without the device that produces the one-time PIN.
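To make the "one-time PIN" concrete, here is an added example written for this page (it is not code from the original article or from any vendor it mentions). It implements the standard authenticator-app algorithms, HOTP (RFC 4226) and TOTP (RFC 6238), and a login check that succeeds only when both the password and the current code verify. The account layout, the 30-second step, the plain SHA-256 password hash (chosen for brevity; a real deployment would use bcrypt, scrypt or Argon2) and the RFC 6238 test secret are all assumptions of the example, not anything taken from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const totpStep = 30 // seconds per time step, the usual authenticator-app setting (assumed)

// HOTP implements RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP implements RFC 6238: the HOTP counter is the number of whole steps since the Unix epoch.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/totpStep), digits)
}

// Account is what the server stores for one user (assumed layout). lastCounter
// records the most recent time step whose code was accepted, so that a code
// captured by an attacker cannot be replayed within its validity window.
type Account struct {
	passwordHash [32]byte
	totpSecret   []byte
	lastCounter  int64
}

func NewAccount(password string, totpSecret []byte) *Account {
	return &Account{passwordHash: sha256.Sum256([]byte(password)), totpSecret: totpSecret}
}

// Login succeeds only if BOTH factors verify. Codes are accepted for the current
// step and one step either side to tolerate clock skew. Both checks always run,
// so the response does not reveal which factor was wrong.
func (a *Account) Login(password, code string, now int64) bool {
	h := sha256.Sum256([]byte(password))
	passOK := subtle.ConstantTimeCompare(h[:], a.passwordHash[:]) == 1

	codeOK := false
	var matched int64
	base := now / totpStep
	for c := base - 1; c <= base+1; c++ {
		if c <= a.lastCounter {
			continue // this step (or an older one) was already used: treat as replay
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(a.totpSecret, uint64(c), 6)), []byte(code)) == 1 {
			codeOK, matched = true, c
		}
	}

	if passOK && codeOK {
		a.lastCounter = matched
		return true
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real one
	acct := NewAccount("correct horse battery", secret)
	fmt.Println("password only: ", acct.Login("correct horse battery", "000000", 59))                // false
	fmt.Println("both factors:  ", acct.Login("correct horse battery", TOTP(secret, 59, 6), 59)) // true
	fmt.Println("replayed code: ", acct.Login("correct horse battery", "287082", 70))                // false
}
```

The point of the replay check is that a one-time PIN is only "one-time" if the server enforces it: a code phished together with the password is still good for up to a minute unless the accepting step is recorded and refused the second time.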
Access Controls. The HIPAA minimum necessary standard requires that employees are given access only to the PHI they need to perform their job functions. Implemented through unique login credentials for each user, access controls grant different levels of access to data based on the employee's job role. Shared or generic accounts defeat this, and they also defeat the audit trail that depends on knowing who was behind each access.
Audit Controls. The HIPAA Security Rule also requires audit controls: mechanisms that record and examine activity in systems that contain electronic PHI. This is how you show that use and disclosure of PHI stayed within the minimum necessary standard. Keeping an audit log of who accessed which records establishes a normal access pattern for each user, so that departures from it, such as an account suddenly viewing far more patient records than usual, or records its role should never touch, can be detected quickly.
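The two preceding measures are easier to see together, so here is an added example written for this page (not code from the original article or from any product it names). It applies a role-based minimum-necessary policy to a constructed EHR access log and then reviews that log the way the audit-controls paragraph describes: every action is checked against what the role permits, and each user's busiest earlier day becomes their baseline, so a day on which they touch several times as many distinct patients is flagged. The roles, actions, log format, log lines and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample EHR access log for this example (not real data).
// Fields: timestamp,user,role,patient_id,action
const sampleLog = `2024-03-01T08:01:00Z,alice,nurse,P001,view_chart
2024-03-01T09:10:00Z,alice,nurse,P002,update_vitals
2024-03-02T08:02:00Z,alice,nurse,P001,view_chart
2024-03-02T11:00:00Z,alice,nurse,P003,update_vitals
2024-03-03T02:14:00Z,alice,nurse,P010,view_chart
2024-03-03T02:15:00Z,alice,nurse,P011,view_chart
2024-03-03T02:15:00Z,alice,nurse,P012,view_chart
2024-03-03T02:16:00Z,alice,nurse,P013,view_chart
2024-03-03T02:16:00Z,alice,nurse,P014,view_chart
2024-03-01T10:00:00Z,bob,billing,P001,view_billing
2024-03-01T10:05:00Z,bob,billing,P002,view_chart
2024-03-02T10:00:00Z,bob,billing,P003,view_billing`

type Event struct {
	Day, User, Role, Patient, Action string
}

// rolePermissions encodes the minimum-necessary policy for two assumed roles.
var rolePermissions = map[string]map[string]bool{
	"nurse":   {"view_chart": true, "update_vitals": true},
	"billing": {"view_billing": true},
}

// Permitted is the access-control decision: may this role perform this action?
func Permitted(role, action string) bool {
	return rolePermissions[role][action]
}

// ParseLog turns the raw log into events, keeping only the date part of the timestamp.
func ParseLog(raw string) []Event {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 || len(f[0]) < 10 {
			continue // malformed line; a real pipeline should alert on these as well
		}
		events = append(events, Event{Day: f[0][:10], User: f[1], Role: f[2], Patient: f[3], Action: f[4]})
	}
	return events
}

type Finding struct{ User, Day, Reason string }
type userDay struct{ User, Day string }

// Review runs two checks over the log: (1) policy violations, an action the
// user's role does not permit; (2) volume anomalies, a day on which a user
// touches more than `factor` times as many distinct patients as on their busiest
// earlier day (their baseline) and at least `minPatients`, so a quiet first day
// does not make an ordinary second day look suspicious.
func Review(events []Event, factor, minPatients int) []Finding {
	var findings []Finding
	patients := map[userDay]map[string]bool{} // (user, day) -> set of patient IDs
	for _, e := range events {
		if !Permitted(e.Role, e.Action) {
			findings = append(findings, Finding{e.User, e.Day, fmt.Sprintf("role %q is not permitted %q (patient %s)", e.Role, e.Action, e.Patient)})
		}
		k := userDay{e.User, e.Day}
		if patients[k] == nil {
			patients[k] = map[string]bool{}
		}
		patients[k][e.Patient] = true
	}
	keys := make([]userDay, 0, len(patients))
	for k := range patients {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool { // by user, then chronologically (ISO dates sort as strings)
		return keys[i].User < keys[j].User || keys[i].User == keys[j].User && keys[i].Day < keys[j].Day
	})
	baseline := map[string]int{} // user -> most distinct patients seen on an earlier day
	for _, k := range keys {
		n := len(patients[k])
		if b := baseline[k.User]; b > 0 && n >= minPatients && n > factor*b {
			findings = append(findings, Finding{k.User, k.Day, fmt.Sprintf("%d distinct patients in one day against a baseline of %d", n, b)})
		}
		if n > baseline[k.User] {
			baseline[k.User] = n
		}
	}
	return findings
}

func main() {
	for _, f := range Review(ParseLog(sampleLog), 2, 5) {
		fmt.Printf("%s %-6s %s\n", f.Day, f.User, f.Reason)
	}
}
```

Run against the constructed log this raises two findings: the billing user viewing a chart on 2024-03-01, and the nurse account pulling five different charts in the early hours of 2024-03-03 against a baseline of two. The time of day is a further signal a real review would add; the essential part is that neither finding is possible without unique accounts and a log that records who touched which record.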
Encryption. Although the HIPAA Security Rule lists encryption as an addressable rather than a required specification, the Department of Health and Human Services expects healthcare organizations to secure data with it, and PHI encrypted in line with HHS guidance is treated as secured, so its loss does not trigger breach notification. Encrypted data is unreadable to anyone who does not hold the decryption key, so a copy of the data on its own is of no use to an attacker. This only holds if the key is kept separate from the data it protects, for example in a key management service rather than in a file on the same server.
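Here is an added example written for this page (not code from the original article or from the vendor discussed below) showing what "unreadable without the key" means for a record at rest: the record is sealed with AES-256-GCM, the stored blob no longer contains any recognisable text, and decryption fails outright with the wrong key, a tampered byte, or the wrong record identifier. The record format, the use of the patient ID as associated data, and the assumption that the key lives in a key management service rather than beside the files are all choices of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the example; not real PHI.
var sampleRecord = []byte(`{"patient_id":"P001","diagnosis":"hypertension"}`)

// NewKey returns a random 256-bit data-encryption key. The design depends on
// this key never being stored next to the ciphertext: it belongs in a key
// management service or HSM and is fetched at runtime (assumed deployment).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record with AES-256-GCM. The output, nonce || ciphertext || tag,
// is what gets written to the server. recordID is bound in as associated data so
// one patient's ciphertext cannot be silently filed under another patient's ID.
func Encrypt(key, plaintext []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record; never reuse one under the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt reverses Encrypt. GCM authenticates before it decrypts, so a wrong key,
// a wrong recordID or a single flipped byte all return an error and no plaintext.
func Decrypt(key, blob []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// LeaksPlaintext is the attacker's view of an exposed server: does the stored
// blob contain a recognisable plaintext string, as an unencrypted file would?
func LeaksPlaintext(blob []byte, marker string) bool {
	return bytes.Contains(blob, []byte(marker))
}

func main() {
	key, _ := NewKey()
	blob, _ := Encrypt(key, sampleRecord, "P001")
	fmt.Println("diagnosis readable from stored blob:", LeaksPlaintext(blob, "hypertension")) // false
	if _, err := Decrypt(key, blob, "P002"); err != nil {
		fmt.Println("filed under the wrong record ID:", err)
	}
	pt, _ := Decrypt(key, blob, "P001")
	fmt.Println("with the key and the correct ID:", string(pt))
}
```

What this buys you is exactly the situation in the breach discussed below: if the server holding the blobs is exposed but the key is elsewhere, the exposed copy is ciphertext and nothing else. What it does not buy you is protection against an attacker who compromises the application while it holds the key, which is why access and audit controls still matter alongside encryption.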
What Does the NTreatment EHR Vendor Breach Teach Us?
Had NTreatment implemented these measures, it is likely that the EHR vendor breach would not have occurred. In particular, had the files been encrypted with the key held elsewhere, leaving the cloud server without password protection would have exposed only ciphertext, which unauthorized individuals could not have read.