By: Shawn M. Frier, CPA, CFE, CMPE, Director
The focus on protected health information (PHI) privacy has increased a great deal because of the rise in data breaches. In the last two years, almost 94% of healthcare practices have experienced at least one PHI data breach. The magnitude and frequency of breaches have grown at such an alarming rate that, if the trend continues, the average annual cost to the healthcare industry could reach $7 billion.
PHI breaches happen easily when you are not aware of the risks that exist both inside and outside the practice. Encrypting data helps protect patient data and can help you avoid costly breaches, most of which are the result of simple human error. For example, an employee might step away briefly to fetch paperwork and leave a laptop with patient data open; it takes only a glance, or a few seconds, to read or copy that data. Keep in mind that disk encryption protects a laptop that is lost or stolen while it is powered off or locked; it does nothing for a session that has been left unlocked, which is why an automatic screen lock with a short timeout matters just as much. Smartphones are another concentrated area for data breaches. Multi-tasking is a necessity, and many physicians and staff use smartphones to conduct business because they are so accessible, but that same accessibility makes them an easy target for a breach. A report published in 2012 by a South Florida Institute found that 50% of breaches in 2011 involved laptops or mobile devices, and that 80% of the organizations surveyed allowed employees to use their own mobile devices without having taken steps to secure the data on those personal devices.
Determine what needs to be encrypted
Assess which devices pose the highest risk of being stolen or accessed by an unauthorized user. The usual candidates are phones, laptops, tablets and any portable hard drive or flash drive. Put both physical and technical safeguards in place: minimize the amount of confidential data stored on portable devices in the first place, and encrypt whatever must be stored there. Steps healthcare providers can take to physically safeguard devices are:
- Keeping an inventory of personal mobile devices used by healthcare professionals to access and transmit PHI,
- Storing mobile devices in locked offices or lockers,
- Installing radio frequency identification (“RFID”) tags on mobile devices to help locate a lost or stolen mobile device and,
- Using remote lock and remote wipe tools (typically part of a mobile device management product) so that a lost or stolen device can be locked, or its data erased, before the data is exposed.
Technical safeguards start with keeping PHI off the device wherever possible, for example by accessing data on the practice's servers over a remote access connection (a VPN or remote desktop session) rather than downloading it to the device. Other safeguards include:
- Installing and regularly updating anti-malware software on mobile devices (malware is the malicious software such tools detect, not the tool itself),
- Installing firewalls where appropriate,
- Applying encryption to PHI, both where it is stored on the device (at rest) and when it is transmitted (in transit),
- Installing IT backup capabilities, such as off-site data centers and/or private clouds, to provide redundancy,
- Putting into place biometric authentication tools to verify the person using the mobile device is authorized to access the PHI and,
- Ensuring mobile devices connect over HTTPS (HTTP protected by TLS encryption), the same protection used for banking and financial transactions.
Administrative safeguards are another reasonable part of a plan to secure data on mobile devices. For example, conduct periodic risk assessments of mobile device use, including whether personal mobile devices are being used to exchange PHI and whether proper authentication, encryption and physical protections are in place to secure that exchange. Also establish an electronic process, such as integrity checks on stored records and audit logs of who changed what, to ensure that PHI is not destroyed or altered by an unauthorized third party. These are just a few of the steps administrators can take to help prevent or reduce data breaches within their practice.
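Two of the safeguards above, encrypting stored PHI and ensuring it is not altered by an unauthorized party, can be satisfied together with authenticated encryption. The following Go program is an added example written for this page, not code from the original article or from any product it mentions. It seals a record with AES-256-GCM, which both hides the record and attaches an authentication tag, so that any change to the stored bytes (or to the record identifier they are bound to) is rejected on read. The key, record identifier and patient record are constructed sample values; in a real deployment the key would come from a key management system and never be stored beside the encrypted data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealRecord encrypts one PHI record with AES-256-GCM. GCM is an authenticated
// mode: the output carries a tag over the ciphertext and over "associated",
// data that stays in the clear (for example a record identifier) but must not be
// swapped or altered. A fresh random nonce is prepended so openRecord can find
// it; a nonce must never be reused with the same key.
func sealRecord(key, associated, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice: nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, record, associated), nil
}

// openRecord reverses sealRecord. Any change to the nonce, ciphertext, tag or
// associated data makes gcm.Open return an error instead of plaintext, which is
// the "not altered by an unauthorized party" property the text asks for.
func openRecord(key, associated, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record is too short to be valid")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, associated)
}

// tamperDetected simulates an attacker flipping one bit of the stored record
// and reports whether openRecord rejects the altered copy.
func tamperDetected(key, associated, sealed []byte) bool {
	corrupted := append([]byte(nil), sealed...)
	corrupted[len(corrupted)/2] ^= 0x01
	_, err := openRecord(key, associated, corrupted)
	return err != nil
}

func main() {
	// Constructed sample values for this demo (hypothetical, not real PHI).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	recordID := []byte("record-id:demo-0001")                      // stored in the clear, but authenticated
	record := []byte("Doe, Jane; DOB 1970-01-01; Dx: hypothetical") // constructed patient record

	sealed, err := sealRecord(key, recordID, record)
	if err != nil {
		panic(err)
	}
	plain, err := openRecord(key, recordID, sealed)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, plain)
	fmt.Printf("one-bit alteration detected: %v\n", tamperDetected(key, recordID, sealed))
	_, err = openRecord(key, []byte("record-id:demo-0002"), sealed)
	fmt.Printf("record moved to a different id rejected: %v\n", err != nil)
}
```

Binding the record identifier as associated data is the detail worth copying: it stops an insider from reassigning one patient's encrypted record to another identifier without the change being noticed, which plain encryption alone would not catch.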
If you have questions or concerns contact us here or give us a call at 716-847-2651.