The HIPAA Security Rule was enacted in 1996, designed to establish national standards to protect individuals’ electronic personal health information (PHI) used and/or stored by a covered entity.
Many healthcare organizations have complex technology environments, thus making it difficult for healthcare providers and business associates to comply with the HIPAA Security Rule policies and procedures.
These technology environments include multiple components, such as photocopiers, mobile devices, and networks. It’s important for healthcare organizations to examine these components and assess vulnerabilities where patient data is at risk of being accessed or exposed.
Photocopiers
Most photocopiers contain hard drives that allow the copier to scan, fax, and store documents. When documents are scanned, the hard drive often stores the images. This becomes a security risk and potential liability for the healthcare organization because photocopiers are usually re-leased or sold with the previous users’ data contained on the hard drive.
When the photocopier is re-leased or sold, there’s a significant chance of disclosure of personal health information. If the protected information is disclosed or corrupted, healthcare providers will be held liable for the security breach.
Healthcare providers must discuss the potential security risks with their IT providers, ensuring their IT department takes part in selecting, installing, and retiring photocopiers. When the photocopier must be retired, an IT professional should make sure the hard drive is wiped of all sensitive data.
Mobile Devices
A HIPAA violation can easily result from the loss or theft of a staff member’s mobile device. With the increasing use of mobile devices in the healthcare industry, it’s important to implement adequate security safeguards. For example, the device password must be difficult for an unauthorized user to guess. Some mobile devices have optional settings for wiping information from the phone if the wrong password is entered multiple times.
In addition, avoid risky uses of email on your mobile device, such as sending sensitive information unencrypted. Instead, use cloud-based encryption or a VPN. Make sure apps that transfer sensitive information require physical login credentials each time the app is opened. There are also many cloud-based apps to encrypt the data being transferred to and from your device. These apps are available for both Android and Apple phones.
Networks
In the healthcare industry, most, if not all, computers will be connected to a network. Networks involve many security risks. It’s important for the network to be able to defend against attacks from authorized users and infiltration of unauthorized information through the routers. Often, this is accomplished through the use of firewalls: hardware and software devices that protect the network from hackers and security risks.
Firewalls are commonly used to deny access to unauthorized applications and users. Most firewalls have the ability to create audit trails or logs that keep track of access to the network. It’s a good idea to discuss firewalls with your IT provider to ensure the firewall and network safeguards are kept up to date and robust.