Holistic, comprehensive security strategies, centered on protecting data, not devices, are easier than ever thanks to current encryption technology. According to a recent Ponemon Institute study, over the last five years healthcare organizations have slowly increased their investment in data security along with new technologies to better protect Protected Health Information (PHI).
Pre-emptive data encryption is one way to protect against data loss, but it’s a single – though important – piece of the security puzzle. To best protect PHI and prevent the potentially devastating consequences of a HITECH enforcement violation, security insiders recommend taking a holistic approach to security.
The following 6 best practices from data security experts are proven to help organizations take the strongest possible measures to safeguard PHI.
1. Make security a business goal
Shift the paradigm from short-term cost-benefit analysis and more typical reactive approaches by reframing the conversation around data security as a business imperative. The need to protect PHI can and does impact revenue, so ensure your organization gives due investment to the human and technological resources necessary to create a greater data security fortress.
2. Communicate the imperative
In order for security guidelines to be widely adopted across organizations, all employees, contractors and subcontractors must be brought up to speed with proper training and ongoing reminders. If guidelines are to be optimally adopted, it’s also worth considering introducing clearly defined consequences for different types of infractions.
3. Address the BYOD risk
While it may not seem as easy to control the flow of data on employees’ own devices, the risk can often be mitigated with a good encryption solution, which can provide both full and partial disk encryption. Properly controlled access can also keep practitioners productive on mobile devices, allowing them to view data without downloading it off the system.
4. Don’t forget about business associates
Employees aren’t the only ones who must comply with HIPAA standards – the rules apply to business associates and their subcontractors too. But a substantial percentage of contractors are not aware of their obligations. Make sure that your efforts are extended to all parties who handle your organization’s PHI, including external vendors. Keeping an agreement on file for them to sign can help promote better enforcement.
5. Consider a re-org
If your organization hasn’t already done so, consider having the IT privacy and security chief report directly to the board of directors. Routine briefings to the board or CEO on critical current data security issues can help key executives stay abreast of these issues and support a more informed and relevant data security strategy.
6. Don’t just forget about it
A holistic approach to data security means more than introducing a framework of guidelines and moving on. In most organizations, technology and risks are ever-evolving, and as such, security measures require ongoing review and evaluation to ensure they continue to be up to the task. Make privacy and security risk assessment an annual (or periodic) occurrence, to better gauge ongoing performance and consider how to address new risks.
The healthcare environment is a matrix of interrelated data that flows from patients/customers to physicians, diagnostic clinicians, lab techs, pharmacists, medical insurance billing specialists, in-home care providers, convalescent and/or rehab facilities, outpatient clinics, permanent and visiting nurses and various business associates and subcontractors.
Synchronizing these many interdependent institutions may seem to be an impossible feat, but effective data security means shifting objectives beyond mere data security compliance and towards the best long-term data security strategy. Comprehensive strategies, centered on protecting data, not devices, are easier than ever thanks to current data encryption technology.