John Shin is the Managing Director at RSI Security.
Whatever their role, from physicians to administrative staff, every member of a healthcare business has a relationship with HIPAA.
HIPAA, the Health Insurance Portability and Accountability Act, was established in 1996 to set data privacy and security provisions for storing and sharing medical information. This is mostly about keeping protected health information (PHI) confidential: a doctor may not be allowed to share certain data with non-family members in person, for example, and must follow extensive HIPAA rules for moving that data online.
HIPAA compliance is a major focus for any business operating earnestly in healthcare. Achieving HIPAA compliance means the business handles sensitive personal and medical information exactly as privately as it needs to be.
HIPAA compliance is probably the foundational stamp of approval for everything a company does in the healthcare industry. Companies that fail to exhibit proper current HIPAA compliance (or that otherwise fail to adhere to its standard) can be fined heavily.
That’s why it’s important to make good, holistic cybersecurity practices the norm around the office. Cybersecurity-aware employees not only help preserve HIPAA compliance but make it far less likely that you’ll ever pay fines for noncompliance. Businesses only pay fines when they breach HIPAA guidelines, so avoiding HIPAA fines comes down to pursuing HIPAA compliance.
Here are some ideas for companies to implement across their hierarchies in order to close the gap on HIPAA compliance and stop paying fines.
It’s bad practice to volunteer private, identifying data for nothing, and there is nothing redeeming about handing someone the credentials needed to log in to a network and operate an account they may not be supposed to access.
Login information can also be used to track user behavior by a larger system. If you give someone else the ability to use a computer “as you,” then it’s your job on the line.
Cybercriminals are known to bridge the gap between the online world and the physical world whenever it serves their purposes. Someone might break into a business’s Dumpster in order to scan old mail or other documents for valuable data. By the same logic, a third party with access to your workspace might be inclined to steal iPhones and papers in the quest to penetrate your network.
The Office for Civil Rights investigates reports of lost and stolen devices to determine if HIPAA Rules have been violated, and its breach portal is loaded with reports of data breaches involving lost and stolen devices and mishandled personal information. A lost or stolen device containing such data is a big deal under HIPAA — if those devices are discovered unattended and unencrypted, the owners may have to pay financial penalties. And we’re trying not to do that!
Just err on the side of not sharing data unless you’re 100 percent sure it’s fine. There’s too much at risk.
Text is a quick and easy way to communicate, whether it’s via SMS, WhatsApp, or Facebook Messenger. But none of the common messaging services have the necessary controls to prevent accidental disclosures of personal health information to unauthorized individuals.
Text just isn’t secure enough for this kind of communication, especially when there are specialized tools designed exactly for sharing this kind of information with authorized people. WhatsApp is encrypted but lacks certain authentication controls, and before any text messaging service can be used, you need a signed HIPAA-compliant agreement with the service provider.
There’s a big difference between what you’re able to do and what you should do. Just because you can look up any patient you like doesn’t mean you should. HIPAA takes patient privacy very seriously, and that kind of behavior, if detected, definitely does not take patient privacy seriously.
Despite the numerous cases of improper access to patient records, healthcare employees are only permitted to view those records when they’re required to do so in order to administer care.
In other words, you’re only allowed to look at patient information if you plan to use it to improve their health. HIPAA-compliant outfits maintain access logs to ensure no one’s abusing their capabilities.
There’s absolutely nothing wrong with having a copy of your own health record. HIPAA allows any patient to get this document on request. But healthcare employees have no business accessing their own medical records with their own logins; that is a breach of HIPAA standards.
Healthcare providers tend to require staff to have the same patient experience as everyone else in order to gain access to their data. It’s perhaps an unusual rule, but it ensures that medical records are used for a specific medical purpose. Satisfying your curiosity isn’t medical.
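The access-log review described above, as an added example (not RSI Security’s code): it flags two behaviours the article calls out, a staff member opening their own chart with a staff login and a chart opened for a patient the user has no care relationship with. The log format, column names and care-team roster are constructed assumptions, not a real EHR schema.

```python
"""Audit-log review for two access rules: staff may only open records they
need to administer care, and never their own chart with their own login.
Added example; the log lines and roster below are constructed sample data."""
import csv
import io

# Constructed sample EHR access log: who opened which patient chart, and why.
ACCESS_LOG = """timestamp,user_id,user_mrn,patient_mrn,reason
2024-03-01T08:02:11,nurse_a,MRN-1001,MRN-2001,treatment
2024-03-01T08:15:42,nurse_a,MRN-1001,MRN-1001,treatment
2024-03-01T09:30:05,dr_b,MRN-1002,MRN-2002,treatment
2024-03-01T09:31:50,dr_b,MRN-1002,MRN-2003,treatment
2024-03-01T10:00:00,clerk_c,MRN-1003,MRN-2004,billing
"""

# Constructed care-team roster: patients each user currently has a role for
# (treatment, billing, etc.). Anything outside it has no care relationship.
CARE_TEAM = {
    "nurse_a": {"MRN-2001"},
    "dr_b": {"MRN-2002"},
    "clerk_c": {"MRN-2004"},
}


def review_access_log(log_text, care_team):
    """Return (user_id, patient_mrn, finding) tuples for accesses that the
    rules do not permit:
      * self_access: the user opened their own chart with a staff login
      * no_care_relationship: the chart belongs to a patient the user is not
        assigned to in the roster, whatever reason code was entered
    Compliant rows produce no finding, so an empty list means a clean log.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient = row["user_id"], row["patient_mrn"]
        if patient == row["user_mrn"]:
            findings.append((user, patient, "self_access"))
        elif patient not in care_team.get(user, set()):
            findings.append((user, patient, "no_care_relationship"))
    return findings


if __name__ == "__main__":
    for user, patient, finding in review_access_log(ACCESS_LOG, CARE_TEAM):
        print(f"{finding}: {user} opened {patient}")
```

In a real deployment the roster would come from the scheduling or admissions system and the findings would feed a review queue rather than a print statement.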
If you adopt these behaviors over time and work to improve the state of your business’s cybersecurity and HIPAA compliance, you’ll find there’s no trick at all to getting rid of those expensive HIPAA fines.
The closer you get to compliance, the less you pay in fines.