10-03-14 | Blog Post
As HIPAA requirements expand and attacks grow more capable, the healthcare industry's effort to protect patient data gets more complex. Online Tech recently contributed to a story posted on BlogHIPAA.com that covers five tools to help protect patient information and ease the compliance burden: encrypted email and file transfer, secure messaging for BYOD, encryption for cloud storage, HIPAA-compliant hosting, and compliance tracking software.
BlogHIPAA spoke with a compliance-focused, industry-leading organization in each of these areas, and each explained why its area is a vital component of a HIPAA compliance strategy.
EMAIL ENCRYPTION
Bob Janacek, the CTO at DataMotion, explained that “unencrypted email messages and files hop from point to point through routes over the Internet until they reach their destination. At any of those points, data is open for scrutiny and can be copied or breached by unauthorized users. When encryption is used, data traverses the points between the sender and the recipient in a secure manner, shielded from prying eyes.”
He offered best practices to reduce the chance of protected data being exposed through email or file transfers, each described in full in the BlogHIPAA post.
MOBILE PHONE BYOD PROTECTION
People lose their phones and tablets. If an employee's personal device holds unencrypted PHI, a lost device is a reportable HIPAA breach; only data encrypted to the HHS guidance is excluded from the breach notification rule. From the massive Advocate data breach to the Affinity Health Plan photocopier breach, healthcare executives finally had to face the music and tighten information security controls after the HIPAA/HITECH Omnibus Rule.
The folks at Qliqsoft, which provides a HIPAA-compliant messaging platform, say that to “provide secure communications in an increasingly unsecure world, one must constantly engage in an open dialogue with industry experts and customers to determine how best to address efficient communication between providers, patients and caregivers at a time where BYOD and text messaging is the norm. One way to ensure security is to cut out unnecessary cloud-based messaging hosts. Utilizing ‘cloud pass-thru’ technology is one powerful way to minimize the number of potential security risks.”
CLOUD STORAGE ENCRYPTION
More than 25 percent of healthcare organizations use some type of external storage for PHI. Dropbox is the most popular cloud storage and synchronization solution, but on its own it does not provide the safeguards HIPAA requires. Sookasa uses transparent on-device encryption, so files are encrypted before they ever reach Dropbox, to enable HIPAA and FERPA compliance for Dropbox.
Sookasa CEO and co-founder Asaf Cidon says that whichever storage solution you use, there are some tips to follow, starting with a signed business associate agreement (BAA). But wait, there's more!
“It’s a common misconception that signing a BAA is sufficient to maintain HIPAA compliance. A signed BAA is an important requirement but is not sufficient to guarantee that your data will be safe in the cloud-connected mobile world,” Cidon says. He notes some cloud storage services offer a BAA, but do not offer data protection for PHI when accessed on a device.
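The protection Cidon is describing is encryption applied on the device before a file reaches the sync folder, so that the storage provider, and any other device that pulls the file down, only ever holds ciphertext. The following is an added example in Go, not Sookasa's or Dropbox's code; the container layout, the PHIENC1 tag, and the choice to bind the file name as associated data are assumptions made here for illustration, and the sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// magic tags the container so a stray plaintext file in the sync folder is
// easy to spot. The format is an assumption made for this example.
var magic = []byte("PHIENC1\x00")

// NewKey returns a random 256-bit data-encryption key. In practice it lives
// in the OS keystore or an MDM-managed secret, never inside the sync folder.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile produces the bytes that go into the sync folder:
// magic || nonce || AES-256-GCM(plaintext). The file name is bound as
// associated data so a ciphertext cannot be renamed or swapped for another.
func EncryptFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(magic)+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, magic...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(name)), nil
}

// DecryptFile reverses EncryptFile and fails closed on tampering,
// truncation, a wrong key or a wrong file name.
func DecryptFile(key []byte, name string, container []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	minLen := len(magic) + gcm.NonceSize() + gcm.Overhead()
	if len(container) < minLen || !bytes.HasPrefix(container, magic) {
		return nil, errors.New("not a PHIENC1 container")
	}
	nonce := container[len(magic) : len(magic)+gcm.NonceSize()]
	ct := container[len(magic)+gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// IsEncrypted is the check a pre-sync hook would run: anything in the shared
// folder that is not a container is PHI about to leave the device in the clear.
func IsEncrypted(b []byte) bool {
	return bytes.HasPrefix(b, magic)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123, DOE, JANE, DOB 1970-01-01, Dx: hypertension")
	blob, err := EncryptFile(key, "jane_doe.txt", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the storage provider sees (%d bytes): %x...\n", len(blob), blob[:16])

	back, err := DecryptFile(key, "jane_doe.txt", blob)
	fmt.Printf("authorized device decrypts: %q err=%v\n", back, err)

	// Renamed on the server, or one patient's file swapped for another's.
	_, err = DecryptFile(key, "john_roe.txt", blob)
	fmt.Println("wrong file name:", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(blob)-1] ^= 0x01
	_, err = DecryptFile(key, "jane_doe.txt", tampered)
	fmt.Println("modified ciphertext:", err)
}
```

The key is the part that matters: if it is ever written into the synced folder, the provider holds both halves of the secret and the BAA is once again doing all the work. Because GCM authenticates as well as encrypts, a file renamed on the server, truncated, or edited by anyone without the key returns an error instead of garbage; that is the "data protection when accessed on a device" that a signed BAA alone does not give you.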
Cidon’s key requirements for preventing HIPAA breaches in cloud storage are:
HIPAA-COMPLIANT HOSTING
Hey, this is where we come in!
Online Tech’s Director of Healthcare IT April Sage provided insight into what to look for in a HIPAA-compliant hosting partner. Keeping patient data in a secured data center, rather than on portable devices, reduces the exposure that comes with lost or stolen devices. If an organization focuses on delivering healthcare applications but doesn’t want the burden of maintaining server infrastructure, Sage suggests looking for a hosting provider that embraces and delivers on its responsibility to protect patient data.
Sage said that along with making sure a hosting provider can meet an organization’s technical specifications, key things to look for beyond the technology include:
COMPLIANCE TRACKING SOLUTION
End-to-end compliance software helps an organization document its controls, protecting PHI and reducing liability by showing auditors a good-faith effort to comply. The software does not make an organization compliant by itself; it records and tracks the work.
Bob Grant, a former HIPAA auditor who is now the Chief Compliance Officer at the Compliancy Group, said the need for an end-to-end compliance solution is ever increasing.
“Protection of your PHI and reducing your liability is key for your business,” he said. “Using HIPAA compliance tracking software can help you illustrate to auditors that you have done everything necessary to comply with the regulations.”
Grant said the main focuses of HIPAA compliance software should include:
“Compliance is no longer a three ringed binder up behind someone’s desk; it needs to be a living, breathing solution that everyone in the organization can access,” Grant said.