By Brand Barney, Security Analyst, HCISPP, CISSP, QSA, at SecurityMetrics
Despite advances in HIPAA security and increased government cyber security initiatives via the Department of Health and Human Services (HHS), attackers continue to steal unprotected patient data. In 2016, medical and healthcare entities accounted for nearly 37% of reported data breaches (Identity Theft Resource Center). While the cause of these data breaches varies from one organization to the next, most security professionals consider workforce members to be the weakest link in Protected Health Information (PHI) security.
To minimize your organization’s risk for a data breach, I’d like to share five things you can do to foster a culture of security among your workforce members:
- Create Role-Based Access Controls
Everyone has their own unique role within a healthcare organization, from receptionists to nurses to surgeons. What would happen if the receptionist decided to switch roles with the surgeon for a day? I’d say you’re heading towards a malpractice lawsuit.
The same concept applies to staff accessing PHI. The term “access control” refers to the level of access to PHI by workforce members. When establishing access control in your organization, start by defining roles (e.g., receptionist, volunteer, third party IT), then establish user privileges accordingly. Workforce members should only have access to the minimum amount of information needed for their job role.
User access isn’t limited to your normal office staff—it applies to anyone who needs access to your systems or “behind the desk,” including the IT contractor you hired to update your EMR software.
- Do not allow employees to share ID credentials
Each workforce member should have their own login IDs and passwords for computer, software, and physical access. For example, when using Startel Secure Messaging Plus (SM+), the IT administrator should make sure employees are given their own unique ID and password.
In some cases, employees share ID credentials for convenience. Consider a doctor’s office where the receptionists, medical assistants, and doctors all share one username and password to log on to their system. Sometimes this password is even written on a Post-it note and taped to the computer screen at the reception desk. Employees need to understand that sharing ID credentials is not a safe practice: it makes it easy for intruders, social engineers, and even disgruntled ex-employees to access sensitive information, and it makes it impossible to tell from the logs which person actually performed an action.
- Set up and monitor system logs
If you haven’t set up system logging yet, now is a great time to start. Event, audit, and access logging is a requirement for HIPAA compliance. System event logs record actions taken on devices. For example, if I logged into my computer at 10:45 AM, that event, with its date and time, should be recorded.
Assign someone to review your logs daily for errors, anomalies, or suspicious activity that deviates from normal security practices. Reviewing logs regularly can help you identify attacks on your systems early and prevent data breaches from happening. Logs are also essential for determining the cause of a breach in the event of a forensic investigation.
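As an added example (not part of the original article), the following Python script shows what a daily review pass over login events might check for, covering the two points above: the same account active on two workstations at once (a sign of shared credentials), repeated failed logins, and after-hours access. The log format, user and workstation names, and business hours are all constructed assumptions.

```python
# Added example, not from the original article: review constructed access-log
# lines for anomalies a daily log reviewer would want flagged.
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed format:
# "<date> <time> <event> user=<id> host=<workstation>"
SAMPLE_LOG = """\
2017-03-02 08:02:11 LOGIN_OK user=frontdesk host=WS-RECEPTION
2017-03-02 08:05:40 LOGIN_OK user=frontdesk host=WS-EXAM2
2017-03-02 09:15:03 LOGIN_FAIL user=drlee host=WS-EXAM1
2017-03-02 09:15:20 LOGIN_FAIL user=drlee host=WS-EXAM1
2017-03-02 09:15:41 LOGIN_FAIL user=drlee host=WS-EXAM1
2017-03-02 10:45:00 LOGIN_OK user=bbarney host=WS-ADMIN
2017-03-02 17:30:00 LOGOUT user=bbarney host=WS-ADMIN
2017-03-02 23:40:12 LOGIN_OK user=itvendor host=WS-SERVER
"""

BUSINESS_HOURS = range(7, 19)   # assumed: 07:00 to 18:59
FAIL_THRESHOLD = 3              # assumed: flag at the third consecutive failure

def parse(line):
    """Split one log line into (timestamp, event, user, host)."""
    date, time, event, user, host = line.split()
    return (datetime.fromisoformat(f"{date} {time}"), event,
            user.split("=", 1)[1], host.split("=", 1)[1])

def review_log(text):
    """Return a list of human-readable findings for the reviewer."""
    findings, active, fails = [], defaultdict(set), defaultdict(int)
    for raw in text.splitlines():
        ts, event, user, host = parse(raw)
        if event == "LOGIN_FAIL":
            fails[user] += 1
            if fails[user] == FAIL_THRESHOLD:
                findings.append(f"{ts} repeated failed logins for {user} on {host}")
            continue
        fails[user] = 0                      # any success or logout resets the streak
        if event == "LOGOUT":
            active[user].discard(host)
            continue
        # LOGIN_OK: check time of day, then check for a concurrent session elsewhere
        if ts.hour not in BUSINESS_HOURS:
            findings.append(f"{ts} after-hours login by {user} on {host}")
        if active[user] - {host}:            # same account already live on another host
            findings.append(f"{ts} {user} active on {sorted(active[user])} and now {host}")
        active[user].add(host)
    return findings
```

Running `review_log(SAMPLE_LOG)` on the sample yields three findings: the shared frontdesk account, the failed-login streak for drlee, and the late-night vendor login.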
- Ensure your devices have automatic logouts
More often than not, data breaches are a result of small, easy-to-correct things that go unnoticed. For example, computers and devices need to have an automated logout (e.g., a password-protected screensaver that pops up on a computer after a set amount of time). This helps discourage thieves from trying to steal data when employees aren’t present.
Set the timeout to no more than five minutes before the device logs off and makes information inaccessible. Devices in high-traffic areas like reception desks should probably be limited to two minutes or less.
Some solutions already have automatic logouts enabled (like Startel’s Secure Messaging Plus Solution), while other programs may require manual configuration.
- Conduct regular HIPAA trainings and tests
Last but certainly not least, conduct regular HIPAA trainings with your workforce members. Training will help remind your staff about security practices, showing them how to stop bad security behaviors.
It’s important that your workforce members actually absorb the information in the trainings. Make sure to establish some form of accompanying test to verify that your HIPAA trainings are being retained and that the money you spent on training is not going to waste. Some organizations may be tempted to just “check the box” when it comes to HIPAA compliance, but true data security requires that your employees be knowledgeable about HIPAA best practices.
By following these 5 tips, your workforce members will be better prepared to defend your organization against cyber criminals. Remember, it only takes one weak link to break a chain, so make sure employees know security best practices and take HIPAA compliance seriously.
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, and has over 10 years of data security experience. For more information about HIPAA compliance and data security, visit www.securitymetrics.com.