Healthcare data breaches have been in the headlines recently, with several large breaches occurring over the last few months. Hackers target the healthcare industry because healthcare organizations hold a wealth of sensitive information on their patients and often secure that data less well than other industries do. Ransomware attacks continue to rise because healthcare organizations often need to pay the ransom to get their data back. A ransomware attack occurs when a hacker gains access to data, often encrypting the data until a sum of money is paid. A healthcare organization losing access to its data can be a matter of life or death, so it often pays the hackers. As protected health information (PHI) is ten times more valuable than financial information on the dark web, it is important to know how to implement PHI protection.
How to Implement PHI Protection
PHI protection is an essential part of preventing or mitigating a healthcare breach. The first step to implementing PHI protection is to know where the sensitive data is stored, how it is transmitted, and how it is used. Identifying these allows an organization to determine what protections should be in place for each device, enabling more thorough security measures to be implemented.
In addition, organizations should:
- Complete a security risk assessment (SRA) to determine where security measures may be lacking. Once gaps are identified, organizations should create remediation plans to ensure PHI protection. To be HIPAA compliant, covered entities and business associates must conduct thorough SRAs annually.
- Encrypt data to reduce the risk of healthcare breaches. Encrypted data cannot be viewed without the decryption key, making encryption the most effective measure for PHI protection. Although not explicitly mandated by the Department of Health and Human Services (HHS), it is recommended.
- Train employees on organization policies and procedures as well as HIPAA requirements. The majority of healthcare breaches occur as a result of human error. Employees must be trained on what constitutes PHI, and how to properly handle it. Additionally, employees should be able to recognize phishing emails and what to do if they suspect an email is malicious.
- Vet vendors by sending them an SRA to complete. Covered entities have an obligation to ensure that the vendors that they are working with have the proper measures in place for PHI protection. If the vendor lacks security measures, they must implement adequate safeguards before they are permitted to receive PHI.
- Sign business associate agreements (BAAs) with all vendors before PHI is shared. BAAs limit the liability for both parties in the event of a breach, as they state that each party has agreed to be HIPAA compliant and is responsible for its own compliance.
PHI protection should be a top priority for anyone working in healthcare. Healthcare organizations that have the proper security measures surrounding PHI will limit the risk of experiencing a breach. If a breach should occur, an organization that has proper PHI protection will be better prepared to respond to the breach.