This month, we devoted multiple blog posts to covering major HIPAA violations and their penalties. Today’s post will explain the most common causes of breaches and the easiest ways to prevent them. Internal actors are more likely to cause a data breach than external factors.1 This means that most of the time, a data breach occurs because employees accidentally leak PHI. In 2017, researchers at Beazley Group found that unintended disclosure caused 41% of breaches. This is often a result of employees sending PHI through unsecured channels, like unencrypted email or texting. According to the same study, 19% of all breaches are due to hacking and malware incidents.2 Here are ten measures you can take to protect your business:
1. Encrypt All Emails Containing PHI
HIPAA law requires that you protect PHI you come into contact with at rest, in storage, and in transit. An employee can cause a breach by accidentally sending a message containing PHI to the wrong address. However, encrypting emails prevents unintended recipients from being able to open the message and access the PHI it contains.3 You can read about our recommended email encryption vendors here.
2. Always Have a Signed BAA/BSA
If you use any third-party vendors that may come into contact with PHI, you must have a signed Business Associate or Business Associate Subcontractor Agreement. If a business associate or one of their subcontractors compromises protected information and you do not have a signed agreement, you can be held liable for their mistake. Therefore, having a signed agreement protects you from facing the consequences of their mistakes. For example, accountants, attorneys, IT vendors, email encryption providers, and shredding companies are all business associates/business associate subcontractors.4
3. Do Not Use Texting to Transmit PHI
Though it is convenient, texting is not a secure way to send confidential information. Protecting PHI in this medium is almost impossible. Accidentally sending information to the wrong recipient is very easy to do, and you cannot encrypt text messages like emails. While it may seem like text messages travel directly from one mobile device to another, the message actually moves through several points in transmission, and it can be intercepted anywhere along the way. Avoid transmitting PHI through texting altogether because it is simply too risky.5
4. Train Employees to Recognize Phishing Scams
Employees need to understand what phishing is to avoid accidentally giving hackers information they need to access your secure databases. Phishing emails often look like legtimate messages asking for login credentials. Employees should report emails asking for their information and avoid clicking on any links from mysterious senders.6 An annual study conducted by MediaPro found that 18% of survey participants clicked on links from unknown senders. Additionally, the 2018 results showed an increase in the number of employees who answered questions about phishing incorrectly, up from 8% to 14% compared to the previous year.7
5. Use Firewalls and Antivirus Software
Using firewalls and antivirus software is also an effective way to prevent ransomware and brute force attacks. Your software must be updated regularly because hackers are always developing new scamming methods. There is no one method that can protect against these kinds of attacks, so these strategies should be used in unison.6
6. Review Cybersecurity Policies with Staff on a Regular Basis
Documenting your cybersecurity policies is not enough. Your staff must always be up to date on the rules and regulations you have put in place to keep the company safe. If an employee does not know the rules, they may inadvertently break them.
7. Dispose of Records and Devices Securely
Paper records and electronic devices can cause a data breach if the PHI is not properly removed. This includes laptops, desktops, smartphones, printers, copiers, USB (thumbs) drives, and servers. Dispose of all documents and devices that contain PHI. Remember, even dated information can cause a data breach. Burning, shredding, and pulverizing are all acceptable methods for disposing of hard copy records. Clearing, purging, and physical destruction are all safe ways to rid devices of ePHI. Place files and devices awaiting destruction in a secure receptacle and keep a device disposal log.8
8. Establish a Clear Bring Your Own Device Policy
If you decide to allow employees to use their own devices, like cell phones or laptops, to work, you must have a strict BYOD policy in place. Some measures you need to consider implementing include: allowing the IT department to configure personal devices, encrypting devices, requiring regular password changes, etc. Your IT department reserves the right to wipe devices if they are lost or stolen. Employees should consent to this before using a personal device at work.9 All of these requirements must be communicated clearly and enforced.
9. Enforce the Minimum Necessary Standard
Observe the Minimum Necessary Standard to prevent a data breach. This means different parties must have different levels of access to confidential information, and employees’ of access to PHI should be determined by their job responsibilities. No one should see more than the minimum amount of PHI needed to complete their specific tasks. In the recent Anthem Inc. breach, hackers obtained 79 million people’s PHI because the company did not establish appropriate levels of access for different parties. Once the hackers gained entry into the system, they could see all available data.10
10. Review and Update Risk Analysis Quarterly
Reviewing your risk assessment regularly is one of the best preventative measures you can take. By doing this, you consider all the possible ways in which your company could accidentally disclose PHI. This process calls attention to all the actions you need to take for maximum security. Technology is evolving, hackers are coming up with new scams, your rules are changing, and you’re hiring new employees. In order to be effective, your risk assessment must reflect the current state of your business.
All of these suggestions are excellent preventative measures, however, if you really want to avoid a data breach, the best thing you can do is allow an expert to guide you through the process of becoming HIPAA compliant. If you purchase our Total HIPAA Prime™ package, we will work with you to create a custom solution to keep your business safe.