*Medical emergencies.* These words hold a very powerful tone for all of us. A medical emergency is something we may have personally experienced or something we spend our time trying to avoid at all costs. We search for the best insurance, we take all our shots, and we hope and pray that we stay as far away from medical emergencies as possible.
However, sometimes life is unpredictable. A medical emergency finds you in the hospital or doctor’s office for yourself, your spouse, or your child. Your mind is swimming with all the worries and stresses of this medical issue. You’re not thinking of your cyber-security during this moment. You’re depending on the medical staff and office workers to protect and secure your precious medical information as it moves back and forth between the people who need to see and work with your information.
So what does it look like to have a HIPAA compliant cyber security plan? How does a medical office prepare for the worst?
The risk of going unprotected.
In 2020, over 28 million medical records were breached. Pair that number with the fact that 2020 brought the largest pandemic the world has seen in close to one hundred years, and it’s fair to say that medical companies may have been a little distracted during this time and were not putting their full focus on cyber security. Though this is not the first time medical facilities have been compromised, breaches have increased every year, and the personal medical files of millions of people have been jeopardized.
The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal, as each entity affected has reported the breach separately.
Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of its clients which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).
Source: HIPAA Journal. (2021, March 3). 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020. https://www.hipaajournal.com/2020-healthcare-data-breach-report-us/
To have an airtight cyber security plan that is also HIPAA compliant, several steps must be taken to make sure the medical data in your facility is properly protected. Over the next couple of blogs, we will be focusing on how to secure the medical data in your facility.
When building a cyber security plan, you will likely start by bringing in a company to help these steps go more smoothly. Once you have chosen the company you are partnering with, you will begin by identifying everything that information moves through in your facility. Here are just a few things you will be looking for:
- Physical devices will need to be inventoried and organized. This means taking a detailed inventory of every device, service, and piece of software within the facility and making sure each one is up to date and not already compromised by ransomware or viruses.
- All external information within the systems must be cataloged. This includes documents, medical records, financial records, insurance records, etc.: anything that contains the personally identifiable information of anyone who comes through the facility.
- Resources and hardware must be prioritized based on importance and business value. This may mean updating the hardware in computers and other devices, or supplying newer, safer tools to keep shared information secure.
- Software platforms within the facility will be inventoried and their security measures reinforced.
Risk Management. Evaluating your facility’s risk means not only reviewing every access point and confirming it is secure, but also actively checking that these entry points are being tested on a regular basis. This is where the help of an outside company comes into play to keep everything secure.
- The vulnerability of information shared or received through forms and other channels such as email, fax, etc., must be checked. There is always the possibility that your facility is receiving information from another medical source that is not secure, which means files may arrive with viruses attached and could corrupt your systems. You want to be sure that all documents coming in or going out are secure and uncorrupted.
- All threats that have taken place, whether internal or external, must be identified and kept on record to ensure that future security measures stay in place.
These are just a few of the internal assessments you will have to make within your facility to ensure that it not only stays HIPAA compliant but also preserves its integrity.
Now that we’ve identified risks within the facility, our next step is to take strong protection measures.
While protecting your servers, software, computers, and other important devices that transmit vital patient data, you will have several areas to focus your attention on to secure your systems. Here are a few examples:
- Priority Information: Certain information will pass through specific hands and transitions. It’s very important that it does not pass through people who aren’t qualified or designated to handle it. Creating a protocol for priority and sensitive information ensures that only the correct people see and handle those documents. Training your staff to know the protocols that sensitive information goes through is imperative to the safety and security of those documents.
- Upper Management Knowledge: Ensuring that the highest-level executives within the facility know the protocols and security measures that need to be implemented is vital to success. Upper management needs to educate themselves on the facility’s security processes and deliver clear communication of security protocols through each level of the facility.
- Training Staff: Perhaps the most important step of all is adequately training all staff on security measures and standards. Basic safety must be prioritized so that every employee understands what is expected of them. Taking the time to fully educate all current and incoming staff members about the important, non-negotiable security standards is the biggest step toward success.
- Security: Physical and virtual access must be closely managed and frequently assessed for breaches.
- Credentials: Credentials and special access rights must be properly assigned per security level. That includes ensuring that all credentials are reserved for the correct individuals and that access is not shared among a group of staff. Each individual should have separate, secure credentials and access to specific information based on that individual’s authorized level.
- Remote Access: Remote access should be monitored and kept to a minimum.
Employee Security Measures.
- Build a culture among your staff that upholds the security of information as a top priority. Ensuring that all employees use two-factor authentication (2FA) and a password manager, and are wary of phishing emails, creates tighter security around patients’ information.
- Enhanced Security: This can look like data backups and recovery plans, so you are prepared should anything go wrong.
- 24/7 Monitoring: Have an eye in the sky at all times – monitoring your systems constantly will help detect threats sooner and prevent big catastrophes.
- Financial Security: Ransomware attacks are a common threat that many medical facilities face. Millions of dollars of financial loss can happen due to an attack. Budgeting an MSP into your security will likely save you millions of dollars should you ever face an attempted ransomware attack. In the long run, medical facilities are less likely to face a large payout when using an MSP.
When identifying risk factors and vulnerabilities in your system, it is imperative that management determines a priority list of what and how to protect, and what implementing those protections looks like across the facility or company. Each employee must understand the risk, and all devices and passwords must be protected by top security measures.
The company or facility should be continuously aware of their security systems and protocols and keep them consistently up to date. They also should have active conversations with all employees about cyber security throughout the facility, and through any personal devices that employees may use at the workplace.
This can be a very overwhelming journey for those who are looking to secure their facility in the near future. What we have touched on so far is just a small portion of the security assurances you will need to focus on to meet HIPAA guidelines. Having a third party come in to help you navigate all the ins and outs of being HIPAA compliant is often the fastest and smoothest route to achieving your goals efficiently.
This is where you would call on the assistance of a Managed Service Provider, or MSP. Essentially, you are outsourcing your services to a company that specializes in creating a cyber security plan to help you meet HIPAA compliance.
Once you’ve hired an MSP company, you will sit down together and begin to build the infrastructure to create a plan that is specific to your facility.
What services do MSPs provide?
We have only just scratched the surface of what MSPs can offer. But finding an MSP that can fit your needs is a fantastic start! Building a cyber security plan that protects the data of your medical facility is the best way to stay ahead of the hackers who are always looking for a new way to trick systems into giving away vital patient information.
Bringing your facility into HIPAA compliance can be extremely stressful and overwhelming. DataCom Technologies can help you create a cyber security plan so you can sleep better at night knowing you are covered. Contact us today by calling 330-680-6002, or by emailing us at firstname.lastname@example.org.