HIPAA requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates to implement safeguards that ensure the confidentiality, integrity, and availability of protected health information (PHI). The HIPAA regulations themselves, however, give little detail on how patient data should actually be secured.
This is deliberate: technology advances far faster than HIPAA can be updated, so any specific technical requirements written into the rule would quickly become outdated. The Security Rule instead describes administrative, physical, and technical safeguards in technology-neutral terms and leaves the choice of controls to the organization, based on its own risk analysis.
Technology keeps changing, and new flaws are regularly discovered in systems and software previously thought to be secure. Securing patient information is therefore not a matter of putting security solutions in place and forgetting about them. To truly safeguard patient information you must regularly review your security controls, update policies and procedures, maintain software and security solutions, and upgrade when better solutions become available.
No single security solution can safeguard patient information on its own. To keep patient information secure you need to implement layered defenses: a range of protective mechanisms that slow down an attack and make unauthorized access to data much more difficult, so that the failure of any one control does not expose PHI. This approach is commonly called defense in depth.
Typical security measures that can form part of a layered security strategy include:
- A firewall to stop unauthorized individuals from accessing your network and data
- A spam filter to block malicious emails and malware before they reach users
- An antivirus solution to detect and block malware on your systems
- A web filter to stop employees from accessing malicious websites
- Access and privacy controls to stop improper access from within the organization
- Data encryption on all portable devices in the organization
- Encryption to protect data in transit, such as encrypted email
- A secure (HIPAA-compliant) messaging platform that encrypts all communications
- An intrusion detection system that monitors for file changes and anomalous network activity
- Auditing solutions that record and review access to patient records and flag improper access
- Disaster recovery controls to ensure ongoing access to data in the event of an emergency
- Thorough, regularly tested backups to ensure patient information is never lost
- Security solutions permitting the remote wiping of data stored on mobile devices in the event of loss or theft
- Security awareness and anti-phishing training for employees
- Physical controls to stop data and equipment theft
- Vulnerability scanning and penetration testing to identify weaknesses before attackers discover them
- Good patch management policies to ensure software is kept up to date and free from known vulnerabilities
HIPAA-covered entities can implement all or a selection of these security controls themselves, or outsource them to a managed service provider (MSP). Outsourcing does not transfer responsibility: an MSP that handles PHI is a business associate and must be bound by a business associate agreement, and the covered entity remains accountable for the security of the data.
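The auditing item in the list above is the one most often implemented as a nightly review of the EHR's access log rather than as a purchased product. The following is an added example written for this page, not code from the original article or from any EHR vendor: it parses a small, constructed audit log and flags the patterns a privacy officer typically looks for, namely access by staff who are not on the patient's care team, after-hours access, break-the-glass emergency access, and a single user opening many different charts in a short window (record snooping). The log format, the care-team assignments, the role exceptions, and the thresholds are all assumptions for illustration.

```python
"""Flag suspicious access to patient records in an EHR audit log.

Added example for this page. The log lines, care-team assignments, role
exceptions and thresholds below are constructed for illustration; a real
deployment would take them from the EHR's audit export and its
scheduling/assignment system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample audit log: timestamp user role patient_id action [BREAK_GLASS]
SAMPLE_LOG = """\
2024-03-04T09:12:03 nurse.lee RN P1001 VIEW_CHART
2024-03-04T09:14:40 dr.patel MD P1001 VIEW_CHART
2024-03-04T09:20:11 billing.ann BILLING P1001 VIEW_BILLING
2024-03-04T02:31:55 nurse.lee RN P2002 VIEW_CHART
2024-03-04T10:05:00 reception.bo FRONTDESK P3003 VIEW_CHART
2024-03-04T10:05:30 reception.bo FRONTDESK P3004 VIEW_CHART
2024-03-04T10:06:01 reception.bo FRONTDESK P3005 VIEW_CHART
2024-03-04T10:06:40 reception.bo FRONTDESK P3006 VIEW_CHART
2024-03-04T11:45:12 dr.patel MD P2002 VIEW_CHART BREAK_GLASS
"""

# Constructed care-team assignments: users expected to open each patient's record.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"nurse.lee", "dr.patel"},
    "P2002": {"nurse.ng"},
    "P3003": {"dr.patel"},
}

# Assumed policy: (role, action) pairs permitted on any patient without an assignment.
ROLE_ACTIONS: Set[Tuple[str, str]] = {("BILLING", "VIEW_BILLING")}
WORK_START, WORK_END = 7, 19          # local hours treated as routine working time
VOLUME_THRESHOLD = 4                  # distinct patients per user ...
VOLUME_WINDOW = timedelta(minutes=5)  # ... within this window triggers a finding

Finding = Tuple[str, str, str]  # (user, patient or "*", rule)


class Event(NamedTuple):
    ts: datetime
    user: str
    role: str
    patient: str
    action: str
    break_glass: bool


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines into Event records."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        ts = datetime.fromisoformat(parts[0])
        break_glass = len(parts) > 5 and parts[5] == "BREAK_GLASS"
        events.append(Event(ts, parts[1], parts[2], parts[3], parts[4], break_glass))
    return events


def audit(events: List[Event], care_team: Dict[str, Set[str]]) -> List[Finding]:
    """Apply the per-event and per-user rules and return every finding."""
    findings: List[Finding] = []
    for e in events:
        if e.break_glass:
            # Emergency access is permitted but must always be reviewed afterwards.
            findings.append((e.user, e.patient, "break_glass"))
        elif e.user not in care_team.get(e.patient, set()) and (e.role, e.action) not in ROLE_ACTIONS:
            findings.append((e.user, e.patient, "unassigned_access"))
        if not WORK_START <= e.ts.hour < WORK_END:
            findings.append((e.user, e.patient, "after_hours"))

    # Snooping check: many distinct charts opened by one user inside a sliding window.
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x.ts - start.ts <= VOLUME_WINDOW]
            if len({x.patient for x in window}) >= VOLUME_THRESHOLD:
                findings.append((user, "*", "high_volume"))
                break  # one finding per user is enough for review
    return findings


def run_example() -> List[Finding]:
    """Run the rules over the constructed sample log."""
    return audit(parse_log(SAMPLE_LOG), CARE_TEAM)


if __name__ == "__main__":
    for user, patient, rule in run_example():
        print(f"{rule:18s} user={user:13s} patient={patient}")
```

On the sample data this reports the nurse opening an unassigned chart at 02:31 (two findings, unassigned and after hours), the four unassigned front-desk views plus a high-volume finding for that user, and the physician's break-the-glass access, while the billing view passes because the role exception covers it. In practice the care-team map is the hard part: it has to be rebuilt from scheduling, admission and referral data every day, or the rule drowns reviewers in false positives.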
Patients Might Wish to Know How Their PHI is Secured
If a patient asked you how you secure patient data, would you be able to give them an answer? For many clinicians, the answer would be no. Physicians are concerned with providing care to patients, not with the details of putting in place the security solutions and safeguards that ensure the confidentiality, integrity, and availability of PHI. That job is usually left to the IT department and the person responsible for HIPAA compliance, and many other healthcare workers are in a similar position.
However, given the volume of healthcare data breaches now occurring, and the harm and losses that can follow the theft of PHI, many patients are concerned about data security and may well ask the question.
Patients want reassurance that any data they provide to, or that is created and managed by, their healthcare providers is secure and remains confidential. It is therefore useful to know what measures are in place to protect their information, so that you can describe them in general terms.
In most cases a simple explanation is all that is needed. Patients just want to be reassured that their health data is secure and will stay confidential.
In general terms, you could tell them that you secure patient information by:
- Encrypting PHI at rest and in transit (if that is the case)
- Holding PHI only on internal systems protected by firewalls
- Storing paper charts in secure locations where they can only be accessed by authorized staff
- Using access controls to prevent unauthorized individuals from obtaining PHI
- Sending PHI only to individuals or organizations that need it to provide, coordinate, or manage healthcare and related services such as payment and billing
- Sharing PHI only with a limited set of third parties, and only after a contract has been signed that binds them to strict rules on uses and disclosures of PHI and on data security
- Retraining all staff annually to maintain high privacy and data security standards
- Running current software versions, keeping all software and operating systems up to date, and using anti-virus solutions to prevent malware
If patients ask for more detail, you can explain that, for security reasons, you cannot disclose the specifics of the security controls you have in place, just as you would not tell anyone where your safe is kept or the combination that opens it.