Preventing Security Breaches With Technology-Based Safeguards

June 5, 2024

Reading time: 4 minutes

Portrait of smiling chiropractor using laptop.

Securing patients’ electronic protected health information (ePHI) continues to be a top priority for healthcare organizations and a requirement under federal and state privacy and security regulations. The need for vigilance in data security is emphasized by reports suggesting that health records can fetch up to $1,000 on the dark web.[1]

Persistent and growing cyberattacks attacks on healthcare systems further illustrate the need for healthcare leaders and staff members to take proactive steps to prevent theft of patient information and other sensitive data.

As healthcare organizations devise their security strategies, they will want to make sure their approaches are “flexible and resilient to address threats that are likely to be constantly evolving and multi-pronged.”[2]

The risk tips listed in this publication focus on technology-based strategies to prevent cyberattacks and protect patients’ ePHI. For more information about physical safeguards for preventing data breaches, see MedPro’s Preventing Security Breaches with Physical Safeguards.

  1. Conduct a security risk assessment to determine potential areas of vulnerability and to identify system and process gaps that compromise the privacy and security of protected and proprietary information. (The HIPAA Security Rule requires covered entities and their business associates to conduct risk assessments.[3])
  2. Develop written policies and procedures to prevent loss and theft of patient information and other sensitive data. Policies and procedures should comply with state and federal laws.
  3. Ensure that antivirus software and firewalls are properly installed on the organization’s computer network and are up to date. Contractual arrangements with technology and security vendors should specify the security results the organization hopes to achieve with its systems.
  4. Install password protection on all computers in the organization, develop thorough password policies, and implement password security best practices.
  5. Require all system users to establish strong passwords (i.e., passwords that have a minimum number of characters and require letters, numbers, and symbols) or passphrases (a sentence or a combination of words, numbers, and symbols).
  6. Determine under what circumstances and how often you want to require system users to change their passwords or passphrases. Although periodically changing passwords has long been considered a best practice, some guidance suggests it doesn’t improve security and actually may compromise it.[4] All policies should comply with state and federal regulations.
  7. Implement and require two-factor or multi-factor authentication technology for an added layer of protection at login. This method involves a password and at least one other identifying technique, such as an electronic identification card, key fob, or fingerprint recognition.
  8. Ensure that your organization’s computer operating systems, software applications, and network-connected devices are updated routinely and that security patches are installed when they become available.
  9. Implement controls that block malicious websites or consider even stricter limitations – e.g., only allowing access only to websites that are known to be secure (a process known as “whitelisting” ).
  10. Restrict user permissions on systems to prevent employees from downloading and installing software. Permissions should align with the functionality and access employees need to perform their jobs.
  11. Review your organization’s email security settings and spam filters to ensure the system is blocking emails with suspicious attachments and/or links, and make sure staff members are knowledgeable about common signs of phishing attacks.
  12. Consider implementing software to restrict access to USB ports and removable devices, which can help prevent unauthorized copying of data and transfer of computer viruses.
  13. Use encryption technology to protect stored and transmitted data. Consider anti-theft technology that can remotely delete or disable information from a device in the event of loss or theft.
  14. Tailor employees’ access to computer systems and electronic health records based on their roles and responsibilities. Limit users who can log in to your network via a remote connection.
  15. Enable system timeouts and record locks to prevent unauthorized access to patient data. Set a limit on how many times users can attempt to log in to the network before they are locked out of their accounts.
  16. Back up system data to a separate server on a regular basis so it can be restored if an incident, such as a ransomware attack, occurs. Keep backup information in a secure, protected location – preferably offsite. (Note: Only public information should be sent via anonymous file transfer protocol.)
  17. Establish mobile device policies and procedures, and ensure that all mobile device users are aware of these requirements.
  18. Be aware of, and plan for, privacy and security risks associated with emerging technologies, such as artificial intelligence and chatbots.
  19. Provide education on, and raise awareness of, your organization’s security policies and safeguards as well as best practices for cybersecurity and data protection. Conduct training during orientation and at least annually as part of in-service education.
  20. Report any suspicious activity, possible security breaches, or thefts (e.g., suspicious computer activity and missing records) to the appropriate authorities and organizations (e.g., law enforcement, the Office for Civil Rights, your professional liability company, etc.).
  21. Have an incident response team in place, and conduct incident response drills to identify potential security and policy gaps. The team should periodically review the organization’s incident response plan and procedures for handling cyberattacks, privacy violations, and other situations (such as physical theft or loss of data) that can result in data breaches.

Resources

For more information about safeguarding systems and protecting patient information, see MedPro’s Risk Resources: Cybersecurity.


[1] Takahama, E. (2024, February 25). Why health care has become a top target for cybercriminals. The Seattle Times. Retrieved from www.seattletimes.com/seattle-news/health/why-health-care-has-become-a-top-target-for-cybercriminals/

[2] American Hospital Association. (n.d.). Cybersecurity & risk advisory. Retrieved from www.aha.org/cybersecurity

[3] The Office of the National Coordinator for Health Information Technology. (2023, September 26 [last reviewed]). Privacy, security, and HIPAA: Security risk assessment. Retrieved from www.healthit.gov/topic/privacy-security-and-hipaa/securityrisk-assessment

[4] MacKay, J. (2023). Password policy best practices 2023. MetaCompliance. Retrieved from www.metacompliance.com/blog/cyber-security-awareness/password-policy-best-practices-2023; Microsoft. (2023, June 16). Password policy recommendations for Microsoft 365 passwords. Retrieved from https://learn.microsoft.com/enus/microsoft-365/admin/misc/password-policy-recommendations; Relias Media. (2018, March 1). NIST provides guidance on HIPAA passwords. Retrieved from www.reliasmedia.com/articles/142282-nist-provides-guidance-on-hipaa-passwords


Additional Risk Tips content

Risk Tips

In a chiropractic culture in which “blame and shame” are the default responses when patient harm events happen, providers may try to conceal their errors rather than report them.[i] As a result, chiropractic practices might be unable to accurately identify and address system failures that can compromise patient safety. During his testimony before the United States Congress in 1997, Dr. Lucian Leape, who is regarded as the father of the modern patient safety movement, pointed out the dangers of a punitive environment, stating that “The…

Risk Tips

With the prevalence of misinformation, outdated advice, and lack of expert opinion on social media, getting practice advice online can…

Risk Tips

Human trafficking has traditionally been viewed as a criminal/legal issue in the United States and abroad. More recently, however, trafficking…

This document should not be construed as legal or medical advice and should not be construed as rules or establishing a standard of care. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors if you have any questions related to your legal or medical obligations or rights, state or federal laws, contract interpretation, or other legal questions.

MedPro Group is the marketing name used to refer to the insurance operations of The Medical Protective Company, Princeton Insurance Company, PLICO, Inc. and MedPro RRG Risk Retention Group. All insurance products are underwritten and administered by these and other Berkshire Hathaway affiliates, including National Fire & Marine Insurance Company. Product availability is based upon business and/or regulatory approval and may differ among companies.

© MedPro Group Inc. All rights reserved.