Eight Breach Prevention Tips

Don't Overlook These Breach Prevention Measures
Eight Breach Prevention Tips
To prevent healthcare information breaches, a growing number of organizations are encrypting information stored on laptops and other portable devices. As they prepare comprehensive risk management strategies, however, hospitals, clinics and others must make sure they don't overlook other important breach prevention steps, security experts advise.

Following are eight breach prevention tips gathered at the recent Healthcare Information and Management Systems Society Conference. These steps also can play an important role in complying with the privacy and security provisions of HIPAA and the HITECH Act.

1. Make Broader Use of Encryption

Adam Greene, senior health information technology and privacy specialist at the Department of Health and Human Service's Office for Civil Rights, points out that although HIPAA and the HITECH Act don't explicitly mandate the use of encryption, the HIPAA security rule makes encryption "addressable," meaning that "it's required if it's reasonable and appropriate." He added, "For electronic health records, it is generally reasonable and appropriate to encrypt."

Terrell Herzig, information security officer at UAB Medicine, urges hospitals, clinics and others to expand encryption beyond mobile devices and desktops to include USB drives, CDs and DVDs as well (See: Overlooked Breach Prevention Steps).

And far too many organizations are neglecting to use secure e-mail, says Willie Williams III, managing partner at The Kiran Consortium Group. Including patient information in e-mail that lacks encryption is extremely risky and can lead to a breach, he stresses.

2. Use Business Associate Agreements

Although pending HIPAA modifications make it clear that business associates must now comply with HIPAA, business associate agreements still are essential, Greene says. The agreements offer an "important opportunity" to spell out the role of the business associate in protecting patient information and preventing breaches, he stresses.

Williams points out that hospitals, for example, should "write into their business associate agreements how their partners, including consultants, will protect any patient information they remove from the hospital on a laptop."

3. Consider Role of Cloud Computing

Consultant Patricia Dodgen of Hielix advises smaller clinics to consider using the software-as-a-service model of cloud computing when adopting EHRs because it offers a level of security that clinics cannot provide on their own servers. She also says remotely hosted EHRs offer better backup services (See: EHRs and Cloud Computing).

But Feisal Nanji, executive director at the security consulting firm Techumen, urges healthcare organizations to require that cloud computing vendors "provide detailed documentation of how they are protecting their data centers" to prevent breaches. He also says those considering using cloud computing should get a clear understanding of "how computers will be authenticated to either provide information or receive it."

A recent New York health information breach involving the theft of unencrypted backup tapes, which may have affected as many as 1.7 million individuals, may lead more organizations to consider investigating using backup storage in the cloud.

"Many organizations are phasing out physical backup media in favor of backup over the Internet," says security specialist Kate Borten, president of The Marblehead Group. "Of course, that has its risks too, unless proper security measures are followed." (See: Privacy Protections for Backup Files)

4. Use Two-Factor Authentication

Using two-factor authentication can support efforts to more effectively control access to protected health information and prevent breaches, says Herzig of UAB Medicine. The integrated delivery system in Birmingham, Ala., recently shifted from hardware tokens to software tokens that run on mobile devices.

"We received complaints about the inconvenience of hardware tokens," Herzig says. As more clinicians were using a variety of mobile devices to remotely access patient information, UAB determined that an applet that generates a one-time password on any mobile device would be more practical, he explains.

5. Develop a Social Media Policy

Lee Aase, director of the Mayo Clinic Center for Social Media, advises healthcare organizations that are making broader use of social media to educate staff members about appropriate uses of the new media by using a combination of blogs, webcasts, conferences and other options (See: Mayo Clinic's Insights on Social Media).

Mayo's social media guidelines are based on its existing, broader policies regarding maintaining patient privacy, guarding trade secrets, using the Internet during work hours and other issues, Aase points out. He also stresses the need to develop a corporate culture that emphasizes serving the best interests of patients, including maintaining their privacy.

6. Monitor Document Shredding

Shredding documents is an effective strategy to protect the privacy of personal information and prevent breaches, says UAB's Herzig. But when his organization audited the work of its new shredding vendor, "we discovered that in actuality they were leaving a lot of the material in an unsecure location to pre-stage it," he says.

"It's a case in point. You have to audit every one of your security controls to make sure they are operational and effective."

7. Destroy Unused Drives, Tapes

Herzig also says hospitals need to develop more effective, affordable methods to properly dispose of unused media, such as hard drives or backup tapes. He says degaussing magnetic storage media can prove difficult, and overwrites of data can be time-consuming.

So instead, UAB uses an onsite industrial crusher to destroy old drives. "We pulverize our hard drives into half-inch squares," he says. By destroying drives onsite, UAB can easily track the chain of custody and issue a certificate of destruction, he adds.

8. Use DLP as Educational Tool

UAB generates weekly security reports using a data loss prevention application. For example, the reports pinpoint inappropriate uses of e-mail that were prevented.

"We sanitize the data in these reports and use it in our corporate compliance education courses," Herzig says. Such educational efforts can play a critical role in preventing breaches, he adds.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network