Data Breach: 10 Ways to Prevent This Potential Nightmare
October 30, 2018
This month, we devoted multiple blog posts to covering major HIPAA violations and their penalties. Today’s post will explain the most common causes of breaches and the easiest ways to prevent them. PHI breaches are unique in that more violations of privacy are caused by internal actors than external factors1. This means the majority of breaches occur because employees inadvertently leak PHI. In 2017, researchers at Beazley Group found that 41% of breaches are caused by unintended disclosure. This is often a result of employees sending PHI through unsecured channels, like unencrypted email or texting. According to the same study, 19% of all breaches are due to hacking and malware incident2. Here are ten preventative measures you can take to protect your business:
1. Encrypt All Emails Containing PHI
HIPAA law mandates that you protect PHI you come into contact with at rest, in storage, and in transit. An employee can cause a breach by accidentally sending a message containing PHI to the wrong address. However, encrypting emails prevents unintended recipients from being able to open the message and access the PHI it contains3. You can read about our recommended email encryption vendors here.
2. Always Have a Signed BAA/BSA
If you use any third-party vendors that may come into contact with PHI, you must have a signed Business Associate or Business Associate Subcontractor Agreement. If a business associate or one of their subcontractors compromises protected information and you do not have a signed agreement, you can be held liable for their mistake. Having a signed agreement protects you from facing the consequences of their mistakes. Examples of business associates and business associate contractors include: accountants, attorneys, IT vendors, email encryption providers, and shredding companies4.
3. Do Not Use Texting to Transmit PHI
Though it is convenient, texting is not a secure way to send confidential information. Protecting PHI in this medium is almost impossible. Accidentally sending information to the wrong recipient is very easy to do, and you cannot encrypt text messages like emails. It may seem like text messages travel directly from one mobile device to another, but the message actually moves through several points in transmission, and it can be intercepted anywhere along the way. It is simply too risky and should be avoided altogether5.
4. Train Employees to Recognize Phishing Scams
Employees need to understand what phishing is to avoid accidentally giving hackers information they need to access your secure databases. Phishing emails often look like legitimate messages asking for login credentials. Employees should report emails asking for their information and avoid clicking on any links from mysterious senders6. An annual study conducted by MediaPro found that 18% of survey participants clicked on links from unknown senders. Additionally, the 2018 results showed an increase in the number of employees who answered questions about phishing incorrectly, up from 8% to 14% compared to the previous year7.
5. Use Firewalls and Antivirus Software
Using firewalls and antivirus software is also an effective way to prevent ransomware and brute force attacks. Your software must be updated regularly because hackers are always developing new scamming methods. There is no one method that can protect against these kinds of attacks, so these strategies should be used in unison6.
6. Review Cybersecurity Policies with Staff on a Regular Basis
Simply documenting your cybersecurity policies is not enough. Your staff must always be up to date on the rules and regulations you have put in place to keep the company safe. If an employee does not know the rules, they may inadvertently break them.
7. Dispose of Records and Devices securely
Paper records and the following devices have the potential to cause a breach if the PHI is not properly destroyed or removed: laptops, desktops, smartphones, printer, copiers, USB (thumb) drives, and servers. Disposing of documents and devices that contain PHI, even if the information is dated, is essential to protecting your company from a breach. Burning, shredding, and pulverizing are all acceptable methods for disposing of hard copy records. Clearing, purging, and physical destruction are all safe ways to rid devices of ePHI. While files or devices await destruction, they must be logged and kept in a secure receptacle8.
8. Establish a Clear Bring Your Own Device Policy
If you decide to allow employees to use their own devices, like cell phones or laptops, to work, you must have a strict BYOD policy in place. Some measures you need to consider implementing include: allowing the IT department to configure personal devices, encrypting devices, requiring regular password changes, etc. Additionally, employees must consent to have their devices wiped if they are lost or stolen9. All of these requirements must be communicated clearly and enforced.
9. Enforce the Minimum Necessary Standard
Different parties must have different levels of access to confidential information, and employees’ of access to PHI should be determined by their job responsibilities. This means that no one should see more than the bare minimum amount of PHI needed to complete their specific tasks. This is called the Minimum Necessary standard. In the recent Anthem Inc. breach, hackers were able to access 79 million people’s PHI because the company did not establish appropriate levels of access for different parties. Once the hackers gained entry into the system, they could see all available data10.
10. Review and Update Risk Analysis Quarterly
Reviewing your risk assessment regularly is one of the best preventative measures you can take. By doing this, you consider all the possible ways in which your company could accidentally disclose PHI. This process calls attention to all the actions you need to take for maximum security. Technology is evolving, hackers are coming up with new scams, your rules are changing, and you’re hiring new employees. In order to be effective, your risk assessment must reflect the current state of your business.
All of these suggestions are excellent preventative measures, however, if you really want to avoid a breach, the best thing you can do is allow an expert to guide you through the process of becoming HIPAA compliant. If you purchase our Total HIPAA Prime™ package, we will work with you to create a custom solution to keep your business safe.