5 More Considerations for Healthcare Organizations Building a Patient Data Privacy and Security Plan (Part 2 of 2)
Read part 1 of this two-part blog post.
1. Maintain Perimeter Security and Firewalls/Patches
As we have witnessed in the global ransomware attacks of 2017, maintaining proper perimeter security, including firewalls and patches, is essential to securing your network. The first ransomware attack of 2017, WannaCry, hit more than 150 countries and 200,000 computers. The attack preyed on systems that had not applied the Microsoft Windows patch associated with EternalBlue. The Petya ransomware outbreak appeared just months later, yet again exploiting systems that had not been patched. This is one reason why building a strong patient data privacy and security plan is so critical for healthcare organizations.
Preventing ransomware attacks involves a multi-layer approach. Not only should your security team be aware of the latest patches and updates, along with vulnerabilities in your network, they should implement the latest perimeter security and firewall technologies to thwart increasingly sophisticated cyber-attacks. Maintaining proactive security means that systems are constantly evaluated and updated to ensure the security of your network.
2. Encrypt Portable Devices
While mobile devices have enabled meaningful collaboration and interoperability of health information, they can pose a serious threat to the security of a healthcare organization. With 96 percent of physicians using smartphones as their primary clinical communications device, proper security protocols must be in place to ensure compliance and security. Consolidating data onto a secure cloud or data center behind a firewall, as part of your patient data privacy and security plan, will ensure that you retain oversight of patient data rather than leaving it scattered across portable devices.
3. Prepare an Incident Response Plan
You should always be ready for the worst-case scenario. Crafting a quality incident response plan (IRP) will help contain security incidents that would otherwise become breaches involving regulatory authorities. Under the HIPAA Security Rule, IRPs are required for covered entities. The HHS provides a free Incident Response Plan template to help organizations craft an agile plan to handle incidents. Once created, an IRP requires frequent evaluation and changes as an organization naturally changes and evolves.
4. Train Employees and Maintain Acceptable Use Policies
Organizations can implement a myriad of technologies and procedures to secure ePHI and avoid OCR sanctions, but without a patient data privacy and security plan, together with proper training and acceptable use policies for employees, those technologies and procedures can easily be undermined. A clearly defined culture of privacy and security should be driven through any organization handling PHI. Training users on acceptable use policies and procedures through a learning management system (LMS) will contribute to compliance.
5. Partner with a Managed Security Services Team
Hiring and maintaining qualified cybersecurity staff to run your technology can be challenging. This is why organizations are using managed services to stay on top of technology needs and to keep data secure. By hosting a compliance and security solution in the cloud under managed services, organizations can be positioned to utilize certified cybersecurity staff, maintain flexibility, reduce costs, and deal with infrastructure challenges.
Securing patient data and reducing OCR settlements takes a multi-faceted approach both in the short and long run. Organizations need to take immediate action to strengthen their security and privacy programs to ensure patient protection and mitigate risk from OCR settlements.