5 Commonest Health IT Security Risks

Security threats are numerous, and with attacks coming from all angles it is important to conduct regular risk assessments; however, be sure to watch out for the commonest health IT security risks. They are often missed, even when risk assessments are conducted regularly.

Healthcare providers must protect against hackers, malicious insiders, device loss and theft, employee negligence, snooping on records, malware, viruses, and website glitches… the list goes on, and with so many threats it is all too easy to miss a few vulnerabilities. Unfortunately, the commonest health IT security risks are often the ones that are exploited by cybercriminals or result in breaches of PHI.

According to the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, 94% of healthcare companies have experienced at least one data breach in the past two years. There is a very clear and present danger of a data breach, and it is now highly probable that multiple data breaches will be suffered.

With budgets tight, it is important to concentrate resources on the biggest threats. With this in mind, consider the following 5 commonest health IT security risks when conducting your HIPAA risk assessments.

5 Commonest Health IT Security Risks

1. Unencrypted Portable Devices

Busy healthcare professionals, such as those working in Emergency Rooms, may at times have more pressing matters on their hands than the exact location of their laptop. Home visits often require healthcare workers to take portable devices with them; and those visits may not be in the most desirable neighborhoods. Companies operating BYOD schemes would probably prefer not to know details of where staff mobile phones are left during weekends off work.

Regardless of how much care is taken, some portable devices will always be lost or stolen. For this reason, every portable device used to store PHI, even in temporary files, should have its data encrypted. If the data is properly encrypted, loss or theft of the device will not cause a data breach.

Not all encryption software offers the same protection. Follow the National Institute of Standards and Technology (NIST) recommendations (for example, NIST Special Publication 800-111 on storage encryption for end-user devices) to ensure adequate protection is provided.

2. Insufficient Restrictions on PHI Access

HIPAA demands that PHI be protected and access restricted at all times. Data access should be on a “need to know” basis and any access rights should be limited to “the minimum necessary information” for a job to be performed. When a job no longer requires PHI access, access rights should be terminated.

These are standard security procedures but it is all too easy for errors to be made if strict policies are not followed.

3. Access Termination Policies Do Not Exist

When an employee’s contract is terminated, or a member of staff resigns, it is essential that access rights to data are blocked. Access to PHI must only be possible by authorized personnel; and as soon as any employee finishes working for a company, the IT department should be instructed to terminate access before that individual has left the building.
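The two points above, "minimum necessary" access and prompt termination, are easier to reason about when written down as code. The following is an added example, not code from the original article or from any particular product. It assumes a hypothetical role catalogue (`nurse`, `billing`, `front_desk`) and constructed user names and dates; permissions are derived from a user's current role rather than stored per user, so a job change cannot leave old rights behind, and an audit function cross-checks HR's departure list against the access registry to catch accounts that should have been terminated but were not.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed role catalogue (hypothetical): each role carries only the PHI
# operations that job needs, which is the "minimum necessary" rule in code.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "nurse": {"phi:read_chart", "phi:update_vitals"},
    "billing": {"phi:read_billing"},
    "front_desk": {"phi:read_demographics"},
}


@dataclass
class Account:
    user: str
    role: str
    active: bool = True
    access_ended: Optional[date] = None


class AccessRegistry:
    """Tracks who may touch PHI. Permissions come from the current role only,
    never from a per-user list, so a role change replaces rights instead of
    accumulating them."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def grant(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.accounts[user] = Account(user=user, role=role)

    def change_role(self, user: str, new_role: str) -> None:
        # Moving jobs swaps the old role for the new one; nothing is kept.
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {new_role}")
        self.accounts[user].role = new_role

    def terminate(self, user: str, when: date) -> None:
        # Offboarding: the account stays on record for audit but grants nothing.
        acct = self.accounts[user]
        acct.active = False
        acct.access_ended = when

    def permissions(self, user: str) -> Set[str]:
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            return set()  # unknown or terminated users get nothing
        return set(ROLE_PERMISSIONS[acct.role])

    def authorize(self, user: str, permission: str) -> bool:
        """Default-deny check: True only if the user's current role includes it."""
        return permission in self.permissions(user)


def audit_stale_access(registry: AccessRegistry,
                       hr_departures: Dict[str, date],
                       today: date) -> List[str]:
    """Cross-check HR's departure list against the access registry and return
    every user who has already left but still holds an active account.
    An empty list means the termination policy is actually being applied."""
    stale = []
    for user, left_on in hr_departures.items():
        acct = registry.accounts.get(user)
        if acct is not None and acct.active and left_on <= today:
            stale.append(user)
    return sorted(stale)


def demo() -> List[str]:
    """Walk through both risks with constructed users; returns the audit result."""
    reg = AccessRegistry()
    reg.grant("alice", "nurse")
    reg.grant("bob", "billing")
    reg.grant("carol", "front_desk")

    assert reg.authorize("alice", "phi:read_chart")
    assert not reg.authorize("alice", "phi:read_billing")  # not needed for her job

    reg.change_role("alice", "billing")  # she moves to billing
    assert not reg.authorize("alice", "phi:read_chart")  # chart access did not follow her

    reg.terminate("bob", date(2024, 3, 29))  # IT revoked access on his last day
    assert not reg.authorize("bob", "phi:read_billing")

    # Constructed scenario: HR says carol left as well, but nobody told IT.
    hr_departures = {"bob": date(2024, 3, 29), "carol": date(2024, 4, 1)}
    return audit_stale_access(reg, hr_departures, today=date(2024, 4, 2))


if __name__ == "__main__":
    print("accounts still active after departure:", demo())
```

In practice the HR feed and the access registry live in different systems, and the value of the audit is precisely that it runs on a schedule and compares them; the example keeps both in memory so it runs offline.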

4. No BYOD Scheme in Operation

Healthcare workers use their personal mobile phones to communicate with friends, family and work colleagues. Mobile phones will be brought to work and used for personal communications, and often the devices are chosen over slow internal systems to communicate messages for work purposes.

This is likely to happen even if no BYOD policy is in place. It is therefore better to implement a BYOD scheme and exercise control over the use of mobiles. Accepting that mobile devices will be used lets healthcare providers enforce security controls on those devices so that they can be used securely.

5. Mobiles Are Used Without a Secure SMS App

No device can be HIPAA-compliant if it allows an individual to bypass the safeguards and send PHI. However, healthcare providers should make it as easy as possible for communications to be sent securely, and hard for users to bypass security controls.

One of the easiest ways of preventing HIPAA violations from mobile devices is to use a secure SMS app on all personal devices used by medical workers under a BYOD scheme. A secure SMS app can be used quickly and easily to communicate PHI securely, as all data is encrypted. Secure SMS apps allow timely information to be sent to all members of a care team, improving efficiency and the care provided to patients, all without risking a HIPAA violation or data breach.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news