Preventing Security Breaches With Technology-Based Safeguards

June 5, 2024

Reading time: 4 minutes


Securing patients’ electronic protected health information (ePHI) continues to be a top priority for healthcare organizations and a requirement under federal and state privacy and security regulations. The need for vigilance in data security is emphasized by reports suggesting that health records can fetch up to $1,000 on the dark web.[1]

Persistent and growing cyberattacks on healthcare systems further illustrate the need for healthcare leaders and staff members to take proactive steps to prevent theft of patient information and other sensitive data.

As healthcare organizations devise their security strategies, they will want to make sure their approaches are “flexible and resilient to address threats that are likely to be constantly evolving and multi-pronged.”[2]

The risk tips listed in this publication focus on technology-based strategies to prevent cyberattacks and protect patients’ ePHI. For more information about physical safeguards for preventing data breaches, see MedPro’s Risk Tips: Using Physical Safeguards to Prevent Security Breaches.

  1. Conduct a security risk assessment to determine potential areas of vulnerability and to identify system and process gaps that compromise the privacy and security of protected and proprietary information. (The HIPAA Security Rule requires covered entities and their business associates to conduct risk assessments.[3])
  2. Develop written policies and procedures to prevent loss and theft of patient information and other sensitive data. Policies and procedures should comply with state and federal laws.
  3. Ensure that antivirus software and firewalls are properly installed on the organization’s computer network and are up to date. Contractual arrangements with technology and security vendors should specify the security results the organization hopes to achieve with its systems.
  4. Install password protection on all computers in the organization, develop thorough password policies, and implement password security best practices.
  5. Require all system users to establish strong passwords (i.e., passwords that have a minimum number of characters and require letters, numbers, and symbols) or passphrases (a sentence or a combination of words, numbers, and symbols).
  6. Determine under what circumstances and how often you want to require system users to change their passwords or passphrases. Although periodically changing passwords has long been considered a best practice, some guidance suggests it doesn’t improve security and actually may compromise it.[4] All policies should comply with state and federal regulations.
  7. Implement and require two-factor or multi-factor authentication technology for an added layer of protection at login. This method involves a password and at least one other identifying technique, such as an electronic identification card, key fob, or fingerprint recognition.
  8. Ensure that your organization’s computer operating systems, software applications, and network-connected devices are updated routinely and that security patches are installed when they become available.
  9. Implement controls that block malicious websites, or consider even stricter limitations – e.g., allowing access only to websites that are known to be secure (a process known as “whitelisting”).
  10. Restrict user permissions on systems to prevent employees from downloading and installing software. Permissions should align with the functionality and access employees need to perform their jobs.
  11. Review your organization’s email security settings and spam filters to ensure the system is blocking emails with suspicious attachments and/or links, and make sure staff members are knowledgeable about common signs of phishing attacks.
  12. Consider implementing software to restrict access to USB ports and removable devices, which can help prevent unauthorized copying of data and transfer of computer viruses.
  13. Use encryption technology to protect stored and transmitted data. Consider anti-theft technology that can remotely delete or disable information from a device in the event of loss or theft.
  14. Tailor employees’ access to computer systems and electronic health records based on their roles and responsibilities. Limit users who can log in to your network via a remote connection.
  15. Enable system timeouts and record locks to prevent unauthorized access to patient data. Set a limit on how many times users can attempt to log in to the network before they are locked out of their accounts.
  16. Back up system data to a separate server on a regular basis so it can be restored if an incident, such as a ransomware attack, occurs. Keep backup information in a secure, protected location – preferably offsite. (Note: Only public information should be sent via anonymous file transfer protocol.)
  17. Establish mobile device policies and procedures, and ensure that all mobile device users are aware of these requirements.
  18. Be aware of, and plan for, privacy and security risks associated with emerging technologies, such as artificial intelligence and chatbots.
  19. Provide education on, and raise awareness of, your organization’s security policies and safeguards as well as best practices for cybersecurity and data protection. Conduct training during orientation and at least annually as part of in-service education.
  20. Report any suspicious activity, possible security breaches, or thefts (e.g., suspicious computer activity and missing records) to the appropriate authorities and organizations (e.g., law enforcement, the Office for Civil Rights, your professional liability company, etc.).
  21. Have an incident response team in place, and conduct incident response drills to identify potential security and policy gaps. The team should periodically review the organization’s incident response plan and procedures for handling cyberattacks, privacy violations, and other situations (such as physical theft or loss of data) that can result in data breaches.
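As an added illustration of tips 5 and 15 (example code, not MedPro's or the original article's), the Python module below accepts either a strong password or a multi-word passphrase and locks an account after a configurable number of failed logins. The length, word-count, attempt and lockout-duration thresholds are assumed values, since the article leaves them for each organization to set.

```python
import re
import time
from collections import defaultdict

# Assumed thresholds; the article only says "a minimum number of characters"
# and "a limit on how many times users can attempt to log in".
MIN_PASSWORD_LEN = 12
MIN_PASSPHRASE_WORDS = 4
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def meets_policy(secret: str) -> bool:
    """Tip 5: strong password (length + letters, numbers, symbols) OR a passphrase."""
    is_strong_password = (
        len(secret) >= MIN_PASSWORD_LEN
        and re.search(r"[A-Za-z]", secret) is not None
        and re.search(r"[0-9]", secret) is not None
        and re.search(r"[^A-Za-z0-9]", secret) is not None
    )
    if is_strong_password:
        return True
    # Passphrase alternative: a sentence or combination of several words.
    words = [w for w in re.split(r"\s+", secret.strip()) if w]
    return len(words) >= MIN_PASSPHRASE_WORDS


class LoginGuard:
    """Tip 15: count failed logins per user and lock the account at the limit."""

    def __init__(self, clock=time.monotonic):
        self._failed = defaultdict(int)   # user -> consecutive failures
        self._locked_until = {}           # user -> clock value when lock expires
        self._clock = clock               # injectable for testing

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:        # lock expired: clear state
            del self._locked_until[user]
            self._failed[user] = 0
            return False
        return True

    def record_attempt(self, user: str, success: bool) -> str:
        """Returns 'ok', 'failed' or 'locked' for this attempt."""
        if self.is_locked(user):
            return "locked"               # reject even a correct password while locked
        if success:
            self._failed[user] = 0
            return "ok"
        self._failed[user] += 1
        if self._failed[user] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        return "failed"
```

The guard deliberately returns "locked" for a correct password during the lockout window, which is what stops an attacker who guesses the password on a later try from getting in before the window expires.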

Resources

For more information about safeguarding systems and protecting patient information, see MedPro’s Risk Resources: Cybersecurity.


[1] Takahama, E. (2024, February 25). Why health care has become a top target for cybercriminals. The Seattle Times. Retrieved from www.seattletimes.com/seattle-news/health/why-health-care-has-become-a-top-target-for-cybercriminals/

[2] American Hospital Association. (n.d.). Cybersecurity & risk advisory. Retrieved from www.aha.org/cybersecurity

[3] The Office of the National Coordinator for Health Information Technology. (2023, September 26 [last reviewed]). Privacy, security, and HIPAA: Security risk assessment. Retrieved from www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment

[4] MacKay, J. (2023). Password policy best practices 2023. MetaCompliance. Retrieved from www.metacompliance.com/blog/cyber-security-awareness/password-policy-best-practices-2023; Microsoft. (2023, June 16). Password policy recommendations for Microsoft 365 passwords. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations; Relias Media. (2018, March 1). NIST provides guidance on HIPAA passwords. Retrieved from www.reliasmedia.com/articles/142282-nist-provides-guidance-on-hipaa-passwords



This document should not be construed as legal or medical advice and should not be construed as rules or establishing a standard of care. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors if you have any questions related to your legal or medical obligations or rights, state or federal laws, contract interpretation, or other legal questions.

MedPro Group is the marketing name used to refer to the insurance operations of The Medical Protective Company, Princeton Insurance Company, PLICO, Inc. and MedPro RRG Risk Retention Group. All insurance products are underwritten and administered by these and other Berkshire Hathaway affiliates, including National Fire & Marine Insurance Company. Product availability is based upon business and/or regulatory approval and may differ among companies.

© MedPro Group Inc. All rights reserved.