A hospital in Massachusetts learned the hard way that just because you don’t get breached doesn’t mean you won’t get fined by the Department of Health and Human Services (HHS) for failing to meet HIPAA cyber security guidelines!
In this case, the issue was the use of potentially unsafe methods for sharing and storing ePHI on a web-based document sharing application. It’s important to note that when employees are not provided with a secure option, they will often find a method on their own, which exposes the organization to both potential loss of data and monetary sanctions.
There are a number of steps you can take to protect your organization:
1) Encrypt files both in transmission and at rest so that even if data is accessed, it will not be usable. Include authentication to ensure that only the intended recipient(s) can access the files.
2) Remove sensitive files once they have been received. Many secure transmission services offer the option to auto-delete files after 30, 60 or 90 days.
3) Consider the use of Data Loss Prevention (DLP) solutions that can track when files meeting certain criteria (containing Social Security numbers or medical information, for example) are sent. These solutions can help prevent data from being transmitted insecurely.
4) Make sure malware protection is in place to prevent incoming files from infecting your network.
5) Educate your users! Provide cyber security awareness training and a written cyber security policy that is signed by every staff member. User error is your biggest risk, and what your staff don’t know about cyber security can cost you.
6) Get an outside security review at least annually to assess your cyber security practices, look for vulnerabilities that your internal team may have missed, and provide an overall risk rating and recommendations for improvements where needed.
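As an added illustration of the DLP criterion mentioned above (not code from the original post or any product), here is a small Python check that scans outbound text for Social Security numbers and redacts them. It assumes a regex-based detector tightened with the Social Security Administration's structural rules (area not 000, 666 or 900+, group not 00, serial not 0000) to cut false positives; the sample text is constructed.

```python
import re

# Candidate SSN: 3 digits, optional '-' or ' ' separator, 2 digits, the same separator, 4 digits.
# The backreference \2 rejects mixed separators such as "123-45 6789".
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return every structurally valid SSN found in the text, in order of appearance."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(m.group(1), m.group(3), m.group(4)):
            hits.append(m.group(0))
    return hits


def redact_ssns(text: str) -> str:
    """Mask all but the last four digits of each valid SSN; leave non-SSN numbers untouched."""
    def _mask(m: re.Match) -> str:
        if is_valid_ssn(m.group(1), m.group(3), m.group(4)):
            return "XXX-XX-" + m.group(4)
        return m.group(0)
    return SSN_RE.sub(_mask, text)


# Constructed sample: one valid dashed SSN, one valid space-separated SSN,
# and four decoys that match the pattern but fail the SSA rules.
SAMPLE = (
    "Patient SSN 123-45-6789; test ids 000-12-3456, 666-12-3456, "
    "900-12-3456, 123-45-0000; secondary contact 587 65 4321."
)

if __name__ == "__main__":
    print(find_ssns(SAMPLE))   # ['123-45-6789', '587 65 4321']
    print(redact_ssns(SAMPLE))
```

A real DLP deployment would pair this with document extraction and additional classifiers (MRNs, diagnosis codes), but the validation step shown here is what keeps a pattern-only rule from blocking every nine-digit number.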