Protecting sensitive health information is essential for HIPAA compliance and data breach prevention, but it can also impact patient safety. According to a recent study by Vanderbilt University, mitigation efforts from healthcare data breaches cost 2,100 lives every year. To help healthcare organizations understand how protecting patient data has the potential to save lives, privacy and security experts Iliana Peters, Shareholder at Polsinelli and former Acting Deputy Director of the OCR, Anne Kimbol, Assistant General Counsel and Chief Privacy Officer at HITRUST, and Ed Holmes, Chief Executive Officer at FairWarning, came together to share their insight in the webinar, “7 Ways to Save 2,100 Lives and $4 Billion with Patient Privacy Monitoring.” This post highlights six healthcare cybersecurity best practices from the webinar you should adopt to protect patient safety.
Conduct a risk analysis
Among the first steps to take in strengthening your cybersecurity program is to perform a risk analysis. According to the HIPAA Security Rule, the definition of a risk analysis is “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” The goals of an effective risk analysis include:
- Ensuring that your compliance program includes HIPAA’s administrative, physical, and technical safeguards
- Helping your organization understand where data is and who is authorized to access it
- Determining whether PHI or other personally identifiable information (PII) is at risk
There is no single model that all organizations can use for a risk analysis because no two organizations are the same. However, there are a number of different resources that can help simplify and streamline the process, such as the NIST 800-30 publication, which serves as a general guide.
Conducting a risk analysis is essential because it provides an understanding of where your data is stored – which can be both inside and outside of EHR systems – who has access to it, where it is transmitted and destroyed, and reveal potential risks. This information equips professionals to maintain the security of sensitive information and better protect it against potential threats.
“The results of not doing a good comprehensive risk analysis is that you miss data,” said Iliana Peters, Shareholder at Polsinelli and former Acting Deputy Director of the OCR. “And at the end of the day, if you miss data and you don’t ensure that you have the right controls, those administrative, physical, and technical safeguards to the data, then you’ll have a breach in that area unfortunately, because that’s really what those controls are meant to address.”
Follow a cybersecurity framework
Once you’ve performed a risk analysis, aligning with a cybersecurity framework (CSF) like the NIST CSF or the HITRUST CSF – both of which are complimentary resources – serves as a way to further understand and mitigate risks. Functions of these frameworks include identifying risks, protecting data, detecting cybersecurity events, responding to those events, and recovering services that may have been affected by a security incident.
Cybersecurity frameworks like these have been developed to provide security controls for all types of industries. But they’re especially relevant to healthcare organizations because they provide the tools necessary for implementing and maintaining security under the HIPAA Security Rule. And because cybersecurity frameworks have been developed as generally applicable for all types of industries, look for sector-specific guidance to understand how to apply them to healthcare operations.
As essential as physical, technical, and administrative safeguards are to healthcare security, their ability to protect PHI is limited by the users who access the data. Therefore, it’s essential to train employees and business associates from the time that they’re hired – and continue to train on an ongoing basis.
When a new employee starts, it’s important to tell them how the organization’s privacy and security program works. And if the organization has a proactive user activity monitoring program in place, professionals can identify repeat offenders to custom-tailor training to departments that may need additional education.
“Make sure that the training that you’re doing, the ongoing training in particular, is really focused on the challenges that you’re seeing, the questions you’re getting.” – Anne Kimbol, Assistant General Counsel and Chief Privacy Officer at HITRUST
A team that knows to do the right thing – and the consequences for unauthorized access – is less likely to contribute to the risks that lead to a data breach.
Adopt a proactive monitoring program
In the healthcare sector, it takes an average of 350 days to detect and contain a data breach. And attacks ranging from ransomware, identity theft, and medical device hacks can have staggering consequences for both the privacy and safety of patients.
But adopting a patient privacy monitoring program can help organizations detect, investigate, and remediate privacy incidents by analyzing user behavior and sending alerts when activities don’t align with business, clinical, and billing purposes.
Monitoring can also identify training opportunities by identifying departmental trends, but on top of that, it can identify malicious activity and insider threats that can put an organization in jeopardy. Having the tools available to resolve privacy and security violations in a timely manner can save organizations time from remediation efforts so they can continue to focus on the core purpose of every healthcare organization – providing potentially lifesaving patient care.
“Through the tools that allow us to see where someone might have done something that wasn’t in line with what their job role or job responsibility suggested they should have been doing, the more we can get the entire organization thinking about their job being geared around privacy. That’s what we have seen time and time again creates a real difference in the outcomes.” – Ed Holmes, Chief Executive Officer at FairWarning
Root out insider threats
With 46% of healthcare organizations being affected by insider threats, organizations must remain vigilant to mitigate risks from privileged users that could lead to a breach. These threats can originate from malicious insiders such as identity thieves to a careless worker who engages in inappropriate access without nefarious intent. A user could access a coworker’s record to find their address so they can send a birthday card, but that behavior must still be addressed because there was no clinical or business reason involved.
“There’s lots of different ways that you can look for insider threats. Some of them are not people doing something maliciously, but it doesn’t mean we shouldn’t stop them from doing it.” – Ed Holmes, Chief Executive Officer at FairWarning
With a patient privacy monitoring solution in place, privacy and security professionals can be alerted to potential risks like these to provide the type of training and remediation necessary to prevent users from walking out the door with a patient’s sensitive information or creating gaps in your organization’s security network.
Create a culture of privacy and security
Building a strong security structure where employees are trained to know how to properly access records and who to go to with privacy-related questions is essential for building a culture where users do the right thing to protect data – whether or not they know they’re being monitored.
To build a culture of privacy and security, appoint security personnel like a CISO who can communicate openly with all members of staff, including C-suite executives and the board of directors. When employees from the top down know what to do to protect data, a culture where everyone is responsible for patient privacy can be built across the entire organization.
“All these teams have to be able to work together, and importantly, those teams also have to be able to report up the chain to the CEO and even to board members. We’re seeing increasing responsibility being placed on board members to be aware of privacy and security issues within their entity.” – Anne Kimbol, Assistant General Counsel and Chief Privacy Officer at HITRUST
With cybersecurity attacks ranging from malware, ransomware, patient data breaches, and even medical device hacks, organizations can’t afford to not take measures to strengthen and maintain the privacy of patient data. In addition to saving money and potentially even saving lives, following healthcare cybersecurity best practices inspires trust – and patients must expect that their information remains both private and secure in order to continue seeking care.
“If your patients don’t trust you, they’re not giving you their data, and if you don’t have their data, you can’t treat them,” said Anne Kimbol, Assistant General Counsel and Chief Privacy Officer at HITRUST. “It becomes a really important patient safety issue to make sure that your patients are comfortable sharing their very sensitive information with you because you need that in order to do your job and to help them, which is obviously the whole mission of the healthcare sector.”