24% of healthcare employees had trouble identifying a handful of common signs of malware
In a HIPAA Compliance news article from the Office for Civil Rights it was announced that it would begin focusing on data security breaches affecting less than 500 people. With that, many practices may find themselves on radar regarding HIPAA security. There have been many investigations of bigger breaches in the past, but now, smaller breaches will be investigated as well.
As one may imagine, hacking is one of the largest issues medical practices face when dealing with sensitive information. Not only are hackers getting smarter each day, but technology is also advancing each day. While that may make it easier to protect data, it also makes it easier for hackers. Technology can definitely be a weak point if not using precaution. Malware, phishing and even losing mobile devices carrying protected health information can create huge vulnerabilities. However, hackers aren’t the only threat practices face. Other issues include: failure to manage identified risk, lack of transmission safety and improper disposal of protected health information (PHI). According to recent OCR enforcement data, medical practices are the covered entity required to take HIPAA corrective action most often.
There is, however, an upside. There are steps practices can take to minimize HIPAA security risks and prevent these types of incidents from occurring. Get started with these 7 tips.
- Be Aware of Weak Spots. By using the HIPAA audit protocol, practices can do a risk analysis. Also, the security risk assessment tool made together by the Office of the National Coordinator and the HHS Office of the General Counsel. The risk assessment tool was created to assist healthcare providers in smaller practices to perform risk assessments of their company.
- Educate. Ensure all staff members are educated and fully understand the possible repercussions of falling prey to hacking. Clicking unknown links and opening unsafe email attachments are all risks employees face, without the proper education to guide them. Some providers choose to ban certain activities and privileges such as using personal email, chatting or surfing the internet on company computers and devices to lower the risk of phishing and hacking.
- Be on the Lookout for Weaknesses. As previously mentioned, technology is constantly being updated and improved. This means that hackers constantly have new methods of secretly accessing sensitive data, and a method used to prevent security breaches last year may not work this year. It’s important to be aware of potential vulnerabilities at all times. Look for other things that can be fixed immediately, such as changing the settings on all computers to ensure they lock after a certain amount of idle time, or moving them away from areas that are accessible to non-staff members.
- Technical Protection. As a first line of defense against a HIPAA security breach, all medical practices should always use quality antivirus software, email filters, and web security gateways.
- Backup Data Plan. In the event that there is a data breach, ensure that data is saved and can be easily recovered. This can be done with a data backup system. It’s good to do a test-run of this to ensure it actually works before the backup plan needs to be used in a real-life scenario.
- Incident Response Plan. If a data breach does happen, there should be a plan in place so that no time is wasted. Make a contact list in case of an emergency, and lay out your plan of action before-hand. Know exactly who you need to call, and what action they need to take to help the practice recovery quickly.
- Accountability. Having agreements in place is very important when it comes to PHI. Ensure there is an agreement in place for all business associates, including vendors, to make sure they are held accountable. Think about what should be included in the agreements, such as breach incident obligations.
To minimize HIPAA security risks, it is important not to not wait until an incident occurs. Proactively establishing and testing security measures beforehand is essential to keeping the Office for Civil Rights at bay and guarding protected health information of your patients.
Looking for a specialty EMR?
MicroMD EMR/EHR is flexible and can fit almost any specialty. Let us help you get back to the business of healing.