SIIM 2015: Top 10 health IT security points to remember
National Harbor, Md.—When it comes to data breaches in healthcare, learn from the mistakes of others. That was the message during a presentation on IT security at the Society for Imaging Informatics in Medicine (SIIM) 2015 annual meeting.
That and don’t share your passwords.
Helen Oscislawski, Esq., of Oscislawski LLC, gave a list of the top 10 IT security concepts to remember, peppering the presentation with tales of things gone terribly wrong. Big breaches, such as when hackers nabbed information on potentially 80 million Anthem health plan members, grab the headlines, but smaller scale breaches of security can have serious consequences for providers and patients. Oscislawski shared the story of one health care worker who allowed a friend to use her system credentials to snoop on the records of a patient. This patient was dating the snooper’s son, the story got out, and logs of access using the login credentials meant there was nowhere for either party to hide.
With that setting the stage, here’s Oscislawski’s top 10:
10: HIPAA Security Audit—This federal regulation (45 CFR 164.306) provides specification on the technical, administrative and physical specification of implementing security standards. It can help evaluate the likelihood and impact of risks to electronic protected health information (ePHI), but Oscislawski stressed that this audit should be an ongoing process that is updated in response to change, not a “one-and-done” event. “This is a good place to start to wrap your head around what is required of you,” she said.
9: HHS Resolution Agreements—Here’s where you can see enforcement examples and learn from the mistakes of others. Oscislawski noted that There have been 25 settlements over the last seven years, and that the amount collected in the last 12 months ($7.7 million) was a nearly double the preceding year (just under $4 million).
8: Big Breaches—Another chance to learn from the mistakes of others. Don’t just shake your head at the news of breaches like the one at Anthem or Premera Blue Cross (which potentially affected 11 million people), follow the stories, learn what went wrong, and make sure your organization doesn’t fall into the same trap.
7: Business Associates—Access for business associates is difficult to manage, but essential to control, said Oscislawski. Learn who has the authority to contract with a business associate and make sure contractual language follows HIPAA standards to shift responsibility and liability.
6: Social Media & the Internet—Today there is a blurred line between physicians and their patients or their friends when it comes to communicating through social media. Make sure you don’t make any missteps, reveal too much personal information or share images that aren’t deidentified (even if you think you’ve wiped protected info from a personal photo you’ve snapped in the office, zoom in and make sure there’s no patient information visible in the background).
5: No Snooping—No favors for a friend and don’t let curiosity get the best of you when it comes to information on patients you aren’t caring for.
4: Email and Texting—Consumer email services like Gmail and Yahoo are unsecure, as is traditional text messaging. There are HIPAA-compliant texting and Direct Messaging solutions. Use those instead.
3: Encrypt—Encryption is a safe harbor, says Oscislawski. One of the focus areas for the Department of Health and Humans Services (HHS) and the Office for Civil Rights (OCR) encryption and stolen or lost laptops. “If the device is not encrypted, if it’s not configured for encryption…it shouldn’t be housing ePHI,” she said.
2: Report Breaches—Internal reporting is critical, and failing to discover breaches or reporting them late to HHS can have consequences. “The date upon which an employee gains knowledge of a breach or a security incident starts the time ticking for when [the organization] has to report that to HHS,” cautioned Oscislawski.
1: Educate and Train—An organization’s culture flows from the policies and processes that are in place. Make sure to train employees, post security reminders and stay on top of the latest hacker strategies, such as new phishing scam techniques.