With the increasing use of EHRs, practices are facing increased liability with regard to breaches of electronic Protected Health Information (ePHI).
At the same time, increased HIPAA and HITECH security regulations and penalties for violations also increase the healthcare provider's liability for breaches of ePHI.
In part two of this series we are discussing simple steps to reduce most major threats to the safety of your ePHI.
Limit Network Access:
Web 2.0 technologies like peer-to-peer file sharing and instant messaging are popular and make networking tools appealing. Wireless routing is a quick and easy way to set up broadband connectivity within an office.
However, because the sensitivity of healthcare information is protected by law, small practices that intend to rely on wireless networking must use special precautions.
Unless the wireless router is secured, its signal can be picked up from some distance away, including, for example, the building’s parking lot, other offices in the same building, or even nearby homes.
Therefore, it is crucial to secure the wireless signal so that only those who are permitted to access the information can pick up the signal.
Devices brought into the practice by visitors should not be permitted access to the network, since it is unlikely that such devices can be fully vetted for security.
Setting up a network to safely permit guest access is expensive and time-consuming, so the best defense is to prohibit casual access.
In configuring a wireless network, each legitimate device should be identified to the router so that only those devices are permitted access.
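As an added illustration of the two router controls described above (a protected signal and admission of identified devices only), and not code from this newsletter: a small Python audit of a hostapd-style access-point configuration that flags the weak settings next to a hardened version. The option names are real hostapd keys; both sample configurations are constructed here.

```python
"""Audit a hostapd-style access-point config for the controls above:
an encrypted signal and a per-device allow list."""

# Constructed sample: an open network with no device allow list.
WEAK_CONFIG = """\
interface=wlan0
ssid=ClinicWiFi
channel=6
# no wpa= line, so anyone within range of the signal can join
macaddr_acl=0
"""

# Constructed sample: WPA2/CCMP with only listed devices admitted.
HARDENED_CONFIG = """\
interface=wlan0
ssid=ClinicWiFi
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""


def parse_config(text):
    """Turn key=value lines into a dict, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_ap_config(text):
    """Return a list of findings; an empty list means no weak setting found."""
    s = parse_config(text)
    findings = []
    if s.get("wpa") != "2":
        findings.append("signal not protected by WPA2 (wpa=2 missing)")
    elif not (s.get("wpa_passphrase") or s.get("wpa_psk")):
        findings.append("WPA2 enabled but no passphrase or PSK configured")
    # rsn_pairwise governs WPA2 and falls back to wpa_pairwise if unset.
    cipher = s.get("rsn_pairwise") or s.get("wpa_pairwise", "")
    if cipher != "CCMP":
        findings.append("pairwise cipher should be CCMP only (got %r)" % cipher)
    if s.get("macaddr_acl") != "1":
        findings.append("device allow list not enforced (macaddr_acl=1 missing)")
    elif not s.get("accept_mac_file"):
        findings.append("macaddr_acl=1 set but accept_mac_file not given")
    return findings
```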
Peer-to-peer applications, such as file sharing and instant messaging, can expose the connected devices to security threats and vulnerabilities, including permitting unauthorized access to the devices on which they are installed.
Make sure any such applications that have been installed have been reviewed and approved. It is not sufficient to just turn these programs off or uninstall them. A machine containing peer-to-peer applications may have exploitable bits of code that are not removed even when the programs are removed, and such a machine should be encrypted.
Mobile Device Protection:
- Examples of mobile devices are laptop computers, handheld pads, smart phones, and portable storage media (disks, thumb drives, external hard drives, etc.). They can make things easier, but they also present threats to information security and privacy. Some of these threats are similar to those of the desktop world, but others are unique to mobile devices.
- Because of their very mobility, these devices are easy to lose and are very vulnerable to theft.
- Mobile devices are more likely to be exposed to electro-magnetic interference (EMI), which can corrupt the stored information.
- Not all mobile devices are equipped with strong authentication and access controls.
- Mobile devices are frequently used to transmit and receive data wirelessly and must protect the information from being intercepted.
- Mobile devices that carry ePHI and that cannot support encryption should not be used. This includes thumb drives. Encrypted versions of these devices are available but are more expensive.
- Staff members that take ePHI home on mobile devices have responsibility for protecting patient data and must follow good security practices.
- If it is necessary to remove a laptop containing ePHI from a secure area, the laptop’s hard drive should be encrypted.
- Office policies should specify all situations under which mobile devices can be removed from the facility, and care must be taken in developing and enforcing these policies.
In the next issue, we will go over a security risk analysis checklist to help you review your compliance activities.
If you would like to learn more about having an office that's bulletproof, email me at drjohn@the complianceman.com to see if we can help you.
These are trying times for all doctors and ignoring the new regulations is no longer an option.
Again, if you have any questions, don't hesitate to contact me.
All The Best,
Dr. John Davenport
Chief Compliance Officer
Compliance & Auditing Services