As HIPAA requirements expand and cybersecurity threats advance, protecting patient data gets more complex for the healthcare industry. Online Tech recently contributed to a story posted on BlogHIPAA.com that covers five tools that help protect patient information and ease the compliance burden:
- Email encryption
- Mobile phone BYOD protection
- HIPAA-compliant storage
- HIPAA-compliant hosting
- Compliance tracking solution
BlogHIPAA spoke with representatives from compliance-focused, industry-leading organizations in each of these areas, and each explained why that area is a vital component of a HIPAA compliance strategy.
EMAIL ENCRYPTION
Bob Janacek, the CTO at DataMotion, explained that “unencrypted email messages and files hop from point to point through routes over the Internet until they reach their destination. At any of those points, data is open for scrutiny and can be copied or breached by unauthorized users. When encryption is used, data traverses the points between the sender and the recipient in a secure manner, shielded from prying eyes.”
He offered these best practices to reduce the chance of protected data being exposed through email or file transfers. Each is described in full in the BlogHIPAA post:
- Keep your email encryption system simple.
- Use policy-based gateway filtering.
- Look for exceptional handling of file attachments.
- Make use of extensive logging and reporting.
- Require seamless mobile integration.
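To make the second and fourth items concrete, here is an added example of an outbound policy filter of the kind a mail gateway runs before a message leaves the organization. It is not DataMotion's code and is not from the original post; the organization domain, the PHI indicator patterns, the attachment handling rules and the sample messages are all constructed for illustration. The filter decides per message whether to allow it, force it onto an encrypted route, or quarantine it, and it emits a structured log line that records the verdict and its reasons without ever copying the PHI that triggered the match.

```python
import json
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Hypothetical organisation domain; anything else counts as an external recipient.
ORG_DOMAIN = "example-clinic.test"

# Constructed PHI indicators. A production policy carries far more (DOB, NPI,
# ICD codes, patient-name dictionaries); three are enough to show the mechanics.
INDICATORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "clinical": re.compile(r"\b(?:diagnos(?:is|ed)|prescri(?:bed|ption)|lab results?)\b",
                           re.IGNORECASE),
}
# Container formats the gateway cannot look inside; they never leave unreviewed.
OPAQUE_EXTENSIONS = ("zip", "7z", "rar")


@dataclass
class Decision:
    action: str                        # "allow" | "encrypt" | "quarantine"
    reasons: list = field(default_factory=list)


def _external_recipients(msg: Message) -> list:
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        addrs += [a.lower() for _, a in getaddresses(msg.get_all(header, []))]
    return [a for a in addrs if not a.endswith("@" + ORG_DOMAIN)]


def _scannable_text(msg: Message) -> str:
    """Subject plus every text/* part, attachments included: a CSV export of
    patient records is text/csv and must be scanned, not waved through."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw: str) -> Decision:
    """Apply the outbound policy to one RFC 5322 message and return the action."""
    msg = message_from_string(raw)
    if not _external_recipients(msg):
        # Stays inside the organisation's own mail system (assumption: internal
        # hops are already TLS-protected), so no gateway encryption is forced.
        return Decision("allow", ["internal-only"])

    decision = Decision("allow")
    text = _scannable_text(msg)
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            decision.reasons.append(f"indicator:{name}")  # category only, never the match

    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        ext = filename.rsplit(".", 1)[-1].lower()
        if ext in OPAQUE_EXTENSIONS:
            # Content unknown: hold for human review rather than guess either way.
            return Decision("quarantine", decision.reasons + [f"opaque-attachment:{ext}"])
        decision.reasons.append(f"attachment:{ext}")  # extension only; filenames can carry patient names

    if decision.reasons:
        decision.action = "encrypt"  # hand off to the encryption portal / S/MIME / TLS-required route
    return decision


def audit_line(raw: str) -> str:
    """One JSON log line for the reporting side: the verdict and why, never the PHI."""
    msg = message_from_string(raw)
    decision = classify(raw)
    record = {
        "message_id": msg.get("Message-ID", "<none>"),
        "sender": msg.get("From", ""),
        "external_recipients": _external_recipients(msg),
        "action": decision.action,
        "reasons": decision.reasons,
    }
    return json.dumps(record, sort_keys=True)


# Constructed sample traffic (not real messages; the zip payload is an empty archive).
SAMPLES = {
    "newsletter": ("From: marketing@example-clinic.test\nTo: someone@mail.test\n"
                   "Subject: Flu clinic hours\nMessage-ID: <1@example-clinic.test>\n\n"
                   "Walk-in flu shots Saturday 9-12.\n"),
    "referral": ("From: dr.lee@example-clinic.test\nTo: intake@other-hospital.test\n"
                 "Subject: Referral\nMessage-ID: <2@example-clinic.test>\n\n"
                 "Patient MRN 00123456 (SSN 123-45-6789) was diagnosed last week.\n"),
    "internal": ("From: dr.lee@example-clinic.test\nTo: nurse@example-clinic.test\n"
                 "Subject: Referral\nMessage-ID: <3@example-clinic.test>\n\n"
                 "Patient MRN 00123456, SSN 123-45-6789.\n"),
    "zipped": ("From: records@example-clinic.test\nTo: audit@partner.test\n"
               "Subject: Records export\nMessage-ID: <4@example-clinic.test>\n"
               "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
               "--b1\nContent-Type: text/plain\n\nSee attached.\n"
               "--b1\nContent-Type: application/zip; name=\"records.zip\"\n"
               "Content-Disposition: attachment; filename=\"records.zip\"\n"
               "Content-Transfer-Encoding: base64\n\nUEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==\n--b1--\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", audit_line(raw))
```

Two design points matter more than the regexes. First, the default for anything the gateway cannot inspect is to stop the message, not to let it through; an opaque archive to an external recipient is exactly the case a policy tends to forget. Second, the log line records the indicator category and attachment extension, not the matched value or filename, so the audit trail itself does not become a second copy of the PHI.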
MOBILE PHONE BYOD PROTECTION
People lose their phones and tablets. If an employee’s lost personal device holds unencrypted PHI, a reportable HIPAA breach is virtually guaranteed; PHI encrypted in line with HHS guidance is treated as secured, and its loss does not trigger breach notification. From the massive Advocate data breach (unencrypted computers stolen from an administrative office) to the Affinity Health Plan breach (PHI left on the hard drives of returned leased photocopiers), healthcare executives have had to face the music and tighten information security controls in a post-HIPAA/HITECH Omnibus Rule world.
The folks at Qliqsoft, which provides a HIPAA-compliant messaging platform, say that to “provide secure communications in an increasingly insecure world, one must constantly engage in an open dialogue with industry experts and customers to determine how best to address efficient communication between providers, patients and caregivers at a time when BYOD and text messaging are the norm. One way to ensure security is to cut out unnecessary cloud-based messaging hosts. Utilizing ‘cloud pass-thru’ technology is one powerful way to minimize the number of potential security risks.”
HIPAA-COMPLIANT STORAGE
More than 25 percent of healthcare organizations use some type of external storage for PHI. Dropbox is the most popular cloud storage and synchronization solution, but on its own it does not offer safeguards for HIPAA compliance. Sookasa uses transparent on-device encryption to enable HIPAA and FERPA compliance for Dropbox.
Sookasa CEO and co-founder Asaf Cidon says whichever storage solution you use, there are some tips to follow, starting with a signed business associate agreement. But, wait, there’s more!
“It’s a common misconception that signing a BAA is sufficient to maintain HIPAA compliance. A signed BAA is an important requirement but is not sufficient to guarantee that your data will be safe in the cloud-connected mobile world,” Cidon says. He notes that some cloud storage services offer a BAA but do not protect PHI once it is synced to or opened on a device.
Cidon’s key requirements for preventing HIPAA breaches for cloud storage are:
- Encryption: Encryption of files both on the cloud and on mobile devices and desktops.
- Access control: Central control of who on your team can access files, even if a device is taken offline.
- Audit trails: Full audit trails for every file access on the cloud and on mobile.
HIPAA-COMPLIANT HOSTING
Hey, this is where we come in!
Online Tech’s Director of Healthcare IT April Sage provided insight into what to look for in a HIPAA-compliant hosting partner. Keeping patient data inside a secured data center, rather than on portable devices, reduces the risks described above. If an organization focuses on delivering healthcare applications but doesn’t want the burden of maintaining server infrastructure, Sage suggests looking for a hosting provider that embraces and delivers on its responsibility to protect patient data.
Sage said along with making sure a hosting provider can meet an organization’s technical specifications, key things to look for beyond the technology include:
- Will they sign a Business Associate Agreement (BAA)?
- Have they been independently audited against the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) HIPAA Audit Protocol?
- Will they share documentation of the audit with the auditor’s opinion of compliance?
- Do their people, processes, and technology align to demonstrate a culture of compliance? Don’t underestimate the importance of an on-site visit to see for yourself where your patient data will reside.
COMPLIANCE TRACKING SOLUTION
End-to-end compliance software helps organizations achieve and document compliance, protecting PHI and reducing liability by demonstrating a good-faith compliance effort to auditors.
Bob Grant, a former HIPAA auditor who is now the Chief Compliance Officer at the Compliancy Group, said the need for an end-to-end compliance solution is ever increasing.
“Protection of your PHI and reducing your liability is key for your business,” he said. “Using HIPAA compliance tracking software can help you illustrate to auditors that you have done everything necessary to comply with the regulations.”
Grant said the main focuses of HIPAA compliance software should include:
- Business Associate Management
- Gap Analysis
- Remediation Management
- Incident Management
- Policy & Procedure creation (Templates)
- Policy & Procedure Management (Version Control)
- Attestation Management (Staff attesting to policies, procedures and training)
“Compliance is no longer a three-ring binder up behind someone’s desk; it needs to be a living, breathing solution that everyone in the organization can access,” Grant said.