6 Considerations for Healthcare Organizations Building a Patient Data Privacy and Security Plan (Part 1 of 2)
Read part 2 of this two-part blog post.
Patients and providers are more concerned than ever about the privacy of their protected health information, thanks to high-profile breaches and scandals such as the Facebook data privacy scandal, and to new regulations such as GDPR. As a result, healthcare organizations across the globe are scrambling to develop and implement a strong patient data privacy and security plan.
Patient data is highly attractive to attackers; threats range from ransomware and data theft to phishing and malicious insiders. In a recent RSA Data Privacy report, which surveyed 7,500 customers in Europe and the U.S., 59 percent of respondents were concerned about their medical data being compromised.
As a care provider, you want to instill trust in your patients, and there’s no better way to do that than with a strong data privacy and security program. Here are six considerations for organizations when creating a comprehensive patient data privacy and security plan.
#1 Run a Risk Analysis of All Systems Holding ePHI
Develop a strong security and compliance posture by conducting a risk analysis of every system that stores, processes, or transmits ePHI. A risk analysis inventories those systems, identifies the threats and vulnerabilities affecting each one, and ranks them by the likelihood and impact of a compromise so that remediation can be prioritized. With the number of mergers and acquisitions in the healthcare industry, and the many cloud applications that integrate with the average EMR, ePHI is difficult to track. Yet under the HIPAA Security Rule, every system that creates, receives, maintains, or transmits ePHI is in scope. A risk analysis that identifies all of those systems and applications lets you monitor patient information where it actually lives.
#2 Harness the Power of Cloud Security with Your Patient Data Privacy and Security Plan
Cloud technology can offer a host of data security and compliance benefits when the provider is properly vetted. It can also reduce costs through its flexibility and customizable controls, and faster upgrades and elastic storage help healthcare organizations mitigate risk while balancing multiple regulations. Furthermore, a well-instrumented cloud platform gives increased visibility into where ePHI is located, including in third-party applications and connected systems, which takes the guesswork out of your patient data privacy and security plan.
#3 Strengthen User Identities and Monitor
Insider threats continue to grow, and they now include outside adversaries who have compromised legitimate user accounts to reach PHI stored in mission-critical applications and systems. Healthcare organizations can use behavioral analytics and auditing of access logs to detect anomalous access early and protect those applications and systems. To determine what information users actually have access to, perform an access rights review that starts with a user inventory of employees, affiliates, and vendors and compares each account's entitlements and recorded activity against its role. Careless users can then be identified to determine who needs training and who needs sanctioning.
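The checks described above, as an added example that is not part of the original post or of any Imprivata FairWarning product: a small Python access-review script that runs over constructed EHR audit records. It flags access to a patient by a user with no recorded care relationship, access outside assumed working hours, users whose access volume is far above their peers, and inventoried accounts that never appear in the log (candidates for deprovisioning). The care-team table, user inventory, log format, and thresholds are all assumptions for illustration.

```python
"""Access-rights review over constructed EHR audit records (added example)."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed: which users have a treatment relationship with each patient.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_kim"},
    "P1002": {"dr_lee", "rn_patel"},
    "P1003": {"dr_osei", "rn_kim"},
    "P1004": {"dr_osei", "rn_patel"},
}

# Constructed: user inventory covering employees and vendors with EHR accounts.
USER_INVENTORY = {
    "dr_lee": "employee", "rn_kim": "employee", "rn_patel": "employee",
    "dr_osei": "employee", "dr_chen": "employee",
    "vendor01": "vendor", "vendor02": "vendor",
}

# Constructed audit records: timestamp user role patient action (assumed format).
AUDIT_LOG = """\
2024-03-04T09:12:00 dr_lee   physician P1001 VIEW
2024-03-04T09:15:00 rn_kim   nurse     P1001 VIEW
2024-03-04T09:40:00 dr_lee   physician P1002 VIEW
2024-03-04T10:05:00 rn_patel nurse     P1002 VIEW
2024-03-04T10:30:00 dr_osei  physician P1003 VIEW
2024-03-04T11:00:00 rn_kim   nurse     P1003 VIEW
2024-03-04T23:10:00 rn_patel nurse     P1003 VIEW
2024-03-04T23:11:00 rn_patel nurse     P1001 VIEW
2024-03-04T23:12:00 rn_patel nurse     P1004 VIEW
2024-03-04T23:13:00 rn_patel nurse     P1002 EXPORT
2024-03-04T14:00:00 vendor01 vendor    P1004 VIEW
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def review_access(records, care_team, inventory, volume_factor=2.0,
                  day_start=7, day_end=19):
    """Return findings keyed by check name. Thresholds are assumptions."""
    findings = {"no_relationship": [], "after_hours": [],
                "high_volume": [], "dormant": []}
    for r in records:
        # Access to a patient the user is not assigned to (possible snooping).
        if r["user"] not in care_team.get(r["patient"], set()):
            findings["no_relationship"].append((r["user"], r["patient"], r["action"]))
        # Access outside the assumed working window.
        if not day_start <= r["ts"].hour < day_end:
            findings["after_hours"].append((r["user"], r["patient"], r["ts"].isoformat()))
    # Volume anomaly: a user with more than volume_factor x the peer median.
    counts = Counter(r["user"] for r in records)
    baseline = median(counts.values())
    for user, n in sorted(counts.items()):
        if n > volume_factor * baseline:
            findings["high_volume"].append((user, n, baseline))
    # Inventoried accounts with no activity at all: review for deprovisioning.
    for user, kind in sorted(inventory.items()):
        if user not in counts:
            findings["dormant"].append((user, kind))
    return findings


def main():
    findings = review_access(parse_log(AUDIT_LOG), CARE_TEAM, USER_INVENTORY)
    for kind, items in findings.items():
        print(kind)
        for item in items:
            print("   ", item)


if __name__ == "__main__":
    main()
```

On the constructed data the script flags rn_patel for viewing two patients outside her care team during a late-night burst, as the one user well above peer volume, and vendor01 for touching a patient with no recorded relationship; dr_chen and vendor02 appear in the inventory but never in the log. Real deployments replace the care-team table with the EHR's treatment-relationship data and tune the thresholds per role, but the review questions are the same.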
#4 Manage Your Third Parties
There’s a common misconception that third parties are responsible for the security of your data, but it is actually a shared responsibility between you and your vendor. Organizations should ensure that third-party partners have proper security and compliance controls in place, such as perimeter security, IP table restrictions, security certifications (e.g., SOC 2 Type 2, ISO 27001), data backups, encryption, and more to ensure that you’re not at risk of a compliance violation or a data breach.
#5 Conduct Risk Assessments
HIPAA’s Breach Notification Rule presumes that an impermissible use or disclosure of PHI is a reportable breach unless a risk assessment demonstrates a low probability that the PHI has been compromised. That assessment weighs four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Its main goal is to determine whether a breach of ePHI must lawfully be reported. Note that the Security Risk Assessment (SRA) Tool that the ONC and OCR recently updated supports the Security Rule risk analysis described under #1; the breach risk assessment is a separate, incident-driven determination.
#6 Sign Business Associate Agreements with Vendors
Organizations and vendors must sign a BAA in every case where the vendor will create, receive, maintain, or transmit PHI on the organization’s behalf. This holds both parties accountable for handling PHI securely and as intended. If either party violates the BAA, each may face penalties from the U.S. Department of Health and Human Services (HHS). Find vendors that take BAAs seriously: any organization can sign one, but does it have the protocols in place to handle ePHI responsibly? Ask questions and investigate to assess how secure its processes really are. You should also conduct due diligence to ensure that you are not entering into a BAA when one is not necessary, as this could expose your organization to unnecessary risk.
For more information on building a foundation for your patient data privacy and security plan, check out the whitepaper Imprivata FairWarning Patient Privacy Intelligence: The Intersection of Compliance, Legal and Information Security.