Healthcare data security is an ever-evolving area, with covered entities constantly working to ensure that they have the necessary tools in place to keep patient data safe.
Over the past year, data breaches continued to be a hot topic in healthcare, with a larger focus on ransomware and how that may affect organizations. The latest round of OCR HIPAA audits has also captured the attention of HealthITSecurity.com’s readers, and will likely continue into 2017 as more entities come under scrutiny.
The push for interoperability and mobility has also affected covered entities and their business associates. More providers and hospitals are looking toward smartphones, tablets, and other devices to improve patient care and simplify daily operations. However, mobile security issues will naturally arise, and organizations need to ensure that PHI security is not compromised in the push to stay innovative.
HealthITSecurity.com readers have been working hard all year to ensure they are brushed up on the latest techniques for maintaining HIPAA compliance and what the potential data security threats may be.
Here is our countdown of the top 10 articles of 2016.
After promising for months to release details on Phase 2 of its HIPAA audit program, the Office for Civil Rights (OCR) announced in March what the next steps would be and how organizations needed to prepare themselves for a potential audit.
There will be a three-step process, starting with a small desk audit and then a more in-depth desk audit. The in-depth desk audit will review organizations’ compliance with the various HIPAA security, privacy, and breach notification rules. The final phase will include a more general audit examining broad HIPAA compliance across all aspects of the healthcare organization.
“The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules,” OCR explained on its website. “Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful.”
Even before the release of Phase 2, organizations had been planning ahead and working to ensure that they would be HIPAA compliant.
HealthITSecurity.com contributor Keith Tyson discussed key steps for covered entities and business associates, and how, with a combination of the right tools, policies, and enforcement, healthcare organizations can better minimize cyber risk.
Properly implementing corrective steps, having a security incident management plan, and updating a security program following environmental changes are a few of the recommended steps to keep your healthcare organization’s data security up to date.
To gain a better perspective of how healthcare organizations approach data security and HIPAA regulations, HealthITSecurity.com quizzed readers earlier this year about their current approach to HIPAA compliance and their use of mobile technology and secure messaging.
External data security threats, employee training, and evolving technology were all top concerns for HIPAA compliance.
In terms of OCR HIPAA audits, 43 percent of respondents said that technical safeguards were the most difficult aspect, while 39 percent said administrative safeguards were the most difficult.
For mobile technology, 45 percent of those surveyed said that it was “very important” to their practice, nearly one-third of respondents said that mobile device usage was “important,” and 12 percent called it “very unimportant.”
Are you unsure of how HIPAA regulations apply to mobile devices?
HealthITSecurity.com broke down the basics of HIPAA regulations as they apply to mobile devices, and reviewed additional regulations that have been put in place to further guide healthcare organizations.
St. Joseph Health System agreed to a $7.5 million settlement stemming from a healthcare data breach from 2012 where PHI was made available via internet search engines.
The class-action lawsuit had alleged that PHI was made available via internet search engines. Danna Graewingholt, one of the class members, discovered the breach and found her health information was available online.
The breach reportedly resulted in 31,802 potentially affected individuals.
In November, OCR became the victim of an attempted phishing scam that used Department of Health and Human Services (HHS) letterhead.
“The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,” OCR warned. “The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.”
The email was targeting HIPAA covered entities and business associates.
As ransomware attacks continued to plague healthcare in 2016, a large debate was whether or not they qualified as a HIPAA data breach.
While HHS eventually released guidance on this very issue, HealthITSecurity.com contributor Jack Barkly tackled the topic in April. Barkly maintained that ransomware attacks need to be “disclosed as unauthorized exposures of private information because they are every bit as dangerous as the outright theft of the laptop, desktop, or server that they infect.”
A Symantec report in April found that healthcare data breaches were the most common type of data security incident reported in 2015.
In total, there were 120 healthcare data breaches reported in 2015, which was the largest number of data breaches across all industries studied. Researchers found that cybercriminals used more zero-day attacks in 2015, as well as phishing scams and ransomware.
The number of zero-day vulnerabilities in 2015 increased by 125 percent from one year previously.
Social media use is also on the rise, and the healthcare industry is not exempt from this trend. However, employees need to be especially careful in how they use social media platforms, and ensure that PHI security still remains a top priority.
HealthITSecurity.com contributor Savannah Myer explained that healthcare marketers have a huge opportunity to increase awareness of their hospital’s or health system’s offerings by engaging with consumers through this platform. HIPAA regulations, though, cannot be overlooked, and Myer broke down top tips for balancing HIPAA compliance with social media activity.
More organizations are beginning to consider secure texting and secure messaging options. However, covered entities and business associates need to understand the basics, and how to choose an approach that will not impede daily operations but also keep data secure.
HealthITSecurity.com spoke with secure texting and secure messaging experts to better understand what entities need to consider with mobile technologies, and how to ensure that employees are properly trained on any new system.
Overall, the proper communication tools and channels help providers communicate, collaborate and deliver care across the continuum.