5 Ways to Promote HIPAA Security Among Your Workforce Members

By Brand Barney, Security Analyst, HCISPP, CISSP, QSA, at SecurityMetrics

Despite advances in HIPAA security and increased government cyber security initiatives via the Department of Health and Human Services (HHS), attackers continue to steal unprotected patient data. In 2016, medical and healthcare entities accounted for nearly 37% of reported data breaches (Identity Theft Resource Center). While the cause of these data breaches varies from one organization to the next, most security professionals consider workforce members to be the weakest link in Protected Health Information (PHI) security.

To minimize your organization’s risk for a data breach, I’d like to share five things you can do to foster a culture of security among your workforce members:

  1. Create Role-Based Access Controls

Everyone has their own unique role within a healthcare organization, from receptionists to nurses to surgeons. What would happen if the receptionist decided to switch roles with the surgeon for a day? I’d say you’re heading towards a malpractice lawsuit.

The same concept applies to staff accessing PHI. The term “access control” refers to the level of access to PHI by workforce members. When establishing access control in your organization, start by defining roles (e.g., receptionist, volunteer, third party IT), then establish user privileges accordingly. Workforce members should only have access to the minimum amount of information needed for their job role.

User access isn’t just limited to your normal office staff—it applies to anyone who needs access to your systems or “behind the desk,” including the IT contractor you hired to update your EMR software.

  2. Do not allow employees to share ID credentials

Each workforce member should have their own login IDs and passwords for computer, software, and physical access. For example, when using Startel Secure Messaging Plus (SM+), the IT administrator should make sure employees are given their own unique ID and password.

In some cases, employees share ID credentials for convenience. For example, in a doctor’s office the receptionists, medical assistants, and doctors may all share one username and password to log on to their system. Sometimes this password is even written on a Post-it note and taped to the computer screen at the reception desk. Employees need to understand that sharing ID credentials is not a safe practice, because it makes it easy for intruders, social engineers, and even disgruntled ex-employees to access sensitive information, and it makes it impossible to tell from the logs which person actually did what.

  3. Set up and monitor system logs

If you haven’t set up system logging yet, now is a great time to start. Event, audit, and access logging is a requirement for HIPAA compliance. System event logs record the actions taken on devices. For example, if I logged into my computer at 10:45 AM, that event, with its date and time, should be recorded.

Make sure to assign someone to review your logs daily to search for errors, anomalies, or suspicious activity that deviates from normal security practices. Reviewing logs regularly can help you identify malicious attacks on your system and prevent data breaches from happening. Logs are also useful in determining the cause of a breach in the event of a forensic investigation.
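As an added example that is not part of the original post (and not SecurityMetrics’ or Startel’s code), here is a small daily review of constructed PHI access-log lines that flags the three workforce problems from tips 1 to 3: views outside the job role, one login ID active on two workstations at once, and off-hours logins. The roles, permitted record types, clinic hours and log format are assumptions.

```python
"""Added example (not code from the post, SecurityMetrics or Startel): review
constructed PHI access-log lines for role violations, shared IDs and off-hours use."""
from datetime import datetime

# Assumed policy: the minimum record types each role needs for its job.
ROLE_PERMISSIONS = {
    "receptionist": {"schedule", "demographics"},
    "nurse": {"schedule", "demographics", "vitals", "medications"},
    "physician": {"schedule", "demographics", "vitals", "medications", "notes", "labs"},
}
USER_ROLES = {"rsmith": "receptionist", "jdoe": "nurse", "akhan": "physician"}
BUSINESS_HOURS = range(7, 19)  # assumed clinic hours, 07:00 to 18:59

# Constructed sample log: time, user, workstation, action, record type ("-" if none).
SAMPLE_LOG = """\
2017-03-01T08:02:10 rsmith FRONT-01 login -
2017-03-01T08:05:44 rsmith FRONT-01 view schedule
2017-03-01T08:06:30 rsmith FRONT-02 login -
2017-03-01T08:09:12 rsmith FRONT-02 view labs
2017-03-01T09:15:00 jdoe EXAM-03 login -
2017-03-01T09:16:21 jdoe EXAM-03 view vitals
2017-03-01T23:40:05 akhan EXAM-01 login -
2017-03-01T23:41:50 akhan EXAM-01 view notes
"""

def parse_log(text):
    """Yield (timestamp, user, workstation, action, record) per log line."""
    for line in text.splitlines():
        ts, user, ws, action, record = line.split()
        yield datetime.fromisoformat(ts), user, ws, action, record

def review_log(text):
    """Return (timestamp, user, finding) tuples for the reviewer to triage."""
    findings = []
    open_sessions = {}  # user -> workstations with a login but no logout yet
    for ts, user, ws, action, record in parse_log(text):
        role = USER_ROLES.get(user)
        if action == "login":
            if ts.hour not in BUSINESS_HOURS:
                findings.append((ts, user, f"off-hours login on {ws}"))
            elsewhere = open_sessions.setdefault(user, set()) - {ws}
            if elsewhere:  # same ID already active on another workstation
                findings.append((ts, user, f"login on {ws} while active on {sorted(elsewhere)[0]}; possible shared credentials"))
            open_sessions[user].add(ws)
        elif action == "logout":
            open_sessions.get(user, set()).discard(ws)
        elif action == "view" and record not in ROLE_PERMISSIONS.get(role, set()):
            findings.append((ts, user, f"{role} viewed '{record}', outside role"))
    return findings
```

Running `review_log(SAMPLE_LOG)` yields three findings: the receptionist ID logging in on a second desk while still active on the first, that same ID viewing lab results, and the physician’s late-night login.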

  4. Ensure your devices have automatic logouts

More often than not, data breaches are a result of small, easy-to-correct things that go unnoticed. For example, computers and devices need to have an automated logout (e.g., a password-protected screensaver that pops up on a computer after a set amount of time). This helps discourage thieves from trying to steal data when employees aren’t present.

Set the inactivity period before the device logs off and makes information inaccessible to no longer than five minutes. High-traffic areas like reception desks should probably be limited to two minutes or less.

Some solutions already have automatic logouts enabled (like Startel’s Secure Messaging Plus Solution), while other programs may require manual configuration.  
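As an added illustration that is not the post’s or Startel’s code, the logic below enforces the inactivity limits just described: five minutes by default and two minutes for reception-desk workstations. The area names, session fields and re-authentication step are assumptions.

```python
"""Added example (not the post's or Startel's code): an idle-session sweep that
enforces the post's limits, five minutes by default and two minutes for
high-traffic reception desks (area names are assumed)."""
from datetime import datetime, timedelta

DEFAULT_IDLE_LIMIT = timedelta(minutes=5)
AREA_IDLE_LIMITS = {"reception": timedelta(minutes=2)}  # assumed high-traffic areas

class Session:
    def __init__(self, user, workstation, area, started):
        self.user, self.workstation, self.area = user, workstation, area
        self.last_activity = started
        self.locked = False

    def idle_limit(self):
        return AREA_IDLE_LIMITS.get(self.area, DEFAULT_IDLE_LIMIT)

    def touch(self, now):
        """Record keyboard/mouse activity; input at a locked screen is not activity."""
        if not self.locked:
            self.last_activity = now

    def unlock(self, now, password_ok):
        """Re-authentication is the only way back from the locked state."""
        if self.locked and password_ok:
            self.locked = False
            self.last_activity = now

def sweep(sessions, now):
    """Lock every active session idle past its limit; return the locked users."""
    newly_locked = []
    for s in sessions:
        if not s.locked and now - s.last_activity >= s.idle_limit():
            s.locked = True
            newly_locked.append(s.user)
    return newly_locked

def demo():
    """Constructed scenario: a reception desk and an exam room, both idle 3 minutes."""
    t0 = datetime(2017, 3, 1, 10, 0)
    sessions = [Session("rsmith", "FRONT-01", "reception", t0),
                Session("jdoe", "EXAM-03", "exam", t0)]
    first = sweep(sessions, t0 + timedelta(minutes=3))   # only reception locks
    sessions[1].touch(t0 + timedelta(minutes=4))         # nurse keeps working
    second = sweep(sessions, t0 + timedelta(minutes=8))  # 4 min idle: still open
    third = sweep(sessions, t0 + timedelta(minutes=9))   # 5 min idle: locks
    return first, second, third
```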

  5. Conduct regular HIPAA trainings and tests

Last but certainly not least, conduct regular HIPAA trainings with your workforce members. Training will help remind your staff about security practices, showing them how to stop bad security behaviors.

It’s important that your workforce members actually absorb the information in the trainings. Make sure to establish some form of accompanying test to verify that your HIPAA trainings are being retained and that the money you spent on training is not going to waste. Some organizations may be tempted to just “check the box” when it comes to HIPAA compliance, but true data security requires that your employees be knowledgeable about HIPAA best practices.

CONCLUSION

By following these 5 tips, your workforce members will be better prepared to defend your organization against cyber criminals. Remember, it only takes one weak link to break a chain, so make sure employees know security best practices and take HIPAA compliance seriously.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, and has over 10 years of data security experience. For more information about HIPAA compliance and data security, visit www.securitymetrics.com.

