San Antonio, TX
Rx Technology works with dozens of medical organizations daily on securing Patient Health Information (PHI). Often when we begin medical staff and administrators don’t understand the complexities of network communication and often fail to comply with all of the requirements. We would be the first to admit that they aren’t always that easy to follow, and the landscape of data management changes frequently like most HIPAA rules as the applications and workflows change. We want to share with everyone the basics of securing PHI and making sure your organization, if they handle patient information, is securely handling that information.
1. Find a partner for IT support like Rx that handles HIPAA information frequently for guidance. A good Managed Service Provider (MSP) should have a Business Associate Agreement (BAA) in place to be a responsible handler of PHI and securing all medical information. While it is still your responsibility to identify and categorize what information is sensitive, the MSP should be able to secure all of your data to avoid any non-compliance fines.
2. Unique user identification. Every person that touches PHI or any medical systems or EMR absolutely must have their own username and password. Ten percent of all breaches are caused by users, it is imperative that we’re able to identify the offending party and train them how to properly handle sensitive information. More importantly, HHS mandates that unique logins are a critical first step in securing data. No sharing one username for multiple users!
3. Emergency access procedure is required. You need a good recovery plan in place in the event of disaster or server failure. You need a good backup, but just as importantly a way to access that data securely in event of an emergency. This is often overlooked since tape backups or hard drive backups should be encrypted and provide no immediate recovery or data access without a lengthy time period to recover information. An onsite or remote recovery portal with a unique login with access to patient information is imperative.
4. Automatic logoff is mandatory. What can we say, it is difficult to ask employees to log in every five minutes but when it comes to PHI it’s another mandatory factor to address. We have several tools to automatically put up a lock screen within a minute of non-activity on a monitor to prevent unauthorized access. We know it’s rough, alternatively, the fines that come with it are much more than any reason not to comply. This also helps to ensure rule #2 above by disallowing users to share a desktop with the same username logged on.
5. Encryption is a must. Data must be encrypted at rest (on the desktops hard drive) and in transit (while being moved from desktop to another location like a server file share). There isn’t always an easy way to know if this is being done or not. There are several tools that Rx uses to encrypt data on the hard drive and makes sure that there is a HIPAA compliant solution for storing or moving that data from one desktop to another. It is just one other reason to partner with a reliable MSP that has a track record of dealing with PHI and HIPAA compliance.
6. Audit controls are required. This is the most overlooked item in compliance we find as we move between medical offices. There are no controls to see what users can access what systems, or even desktops with PHI on them. Should person A have access to server files in a share? What if they have access to log on a PC with PHI and they aren’t part of the medical staff? How can you check? Rx uses sophisticated applications that track where data is stored, who accesses it, and any anomalies related to network activity that appear suspicious. This allows us to automatically create a ticket to review and either clear or escalate a suspicious action. This brings data security to a new level and makes sure that medical environments are protected by keeping an eye on the network 24/7.
While these aren’t all the areas we need to address when working in environments that handle PHI, they are the first thing we look for. With Rx Technology’s ability to share costs for expensive scanning and monitoring applications across hundreds of customers we bring an incredible economy of scale that gives the customer flexibility to enjoy the very best protections without a huge capital expense. Contact Rx today to discuss how we can help you better secure medial data!