We’re talking millions. Take a look at the largest HIPAA-violation-related fines of 2017. Companies like dialysis giant Fresenius, Memorial Healthcare Systems, and 21st Century Oncology (21CO), which operates 143 centers nationwide, have been fined millions thanks to unauthorized access (21CO has filed for Chapter 11 bankruptcy). In 21CO’s case, the access came through a vulnerable back door to their IT systems, but for Fresenius and Memorial Healthcare Systems, the unauthorized ePHI access was employee-related.
When you look at the heart-stopping price tag of non-compliance, the question becomes: Could the unauthorized access have been avoided? Most would argue – and I’d agree – that no system or organization is 100% secure. However, there are ways to mitigate risk, both human and technological. Let’s start with the human factor: your employees. Here are a few tips to pass along:
5 Ways Employees Can Protect ePHI
- Be sure no one can see your screen. Whether at your desk or using a mobile device, if you’re accessing PHI, protect it from view. Angle your desk – or your body – so that no one can inadvertently see the sensitive data.
- Keep quiet about patient records. Just because a recent emergency visit was the stuff of urban legend doesn’t give you the right to share it.
- Protect your password and make it strong. A phrase that combines letters, numbers and special characters is a commonly used best practice.
- Stay off public Wi-Fi when accessing ePHI. It’s tempting to catch up on work at the local coffee shop or the airport, but public Wi-Fi is a notorious favorite of hackers.
- Immediately report any suspicious activity to your IT department. Strange email? Don’t click the link or open the attachment – call IT.
Things get a little more straightforward when you step into the technology side. That’s not to say it’s easier. But common security controls are just that: common. Encryption of data at rest and in transit, keeping up with software security patching, frequent system backups, a secure messaging platform and access control audits – all place significant barriers in front of sensitive healthcare data.
Where does responsibility for healthcare data breaches lie? Workforce, cybercriminals, technology vulnerabilities, lack of training – any and all can place ePHI at risk. While there is no magic pill to secure healthcare information, there are many ways to manage the risk. To learn how Apgar and Associates can help you manage risk and ramp up privacy and security measures, contact us today.