We all hear about the large data breaches pulled off against huge organizations such as Target or even the IRS, but the plain and simple truth is:
You are more likely to be robbed than hacked!
According to the Department of Health and Human Services (HHS.gov) breach records, the leading causes for a major breach of patient health information (PHI) are:
The vast majority of these thefts have one thing in common: the stolen or lost device held PHI that was not adequately protected.
When evaluating ways to improve your data security, two key areas to assess are the safeguards deployed against physical threats (theft or loss of the hardware itself) and technical threats (access to the data it holds).
Understand that you are defending against the loss or theft of any device that contains PHI. Some of the safeguards are very simple and can be put in place at little or no expense.
If your office has a break-in, the most likely target is your server. So ask yourself:
- Where is the server located?
- Is it out of sight?
- Is it behind a locked door?
- Is the server physically locked down (cable lock, locked rack or cabinet)?
Keep in mind, you are trying to make it harder for a common thief to locate and steal your server.
Do you transport a laptop or removable hard drive that contains any PHI out of your office?
If you carry a laptop to and from your office be aware of the following:
- Laptops are among the items most commonly stolen from parked cars.
- If the PHI on your laptop is not encrypted, its loss or theft is a reportable breach under the HIPAA Breach Notification Rule.
Suggestion: Set up a virtual private network (VPN) so you can work from home against the patient files on the office server without copying them to the laptop. Keep in mind that a VPN only protects the connection; if you save files locally over it, they have left the office just the same.
If you use removable hard drives for your backup system and take them from your office at night, be aware of the following:
- Removable hard drive backups are notoriously unreliable: drives get dropped, rotations are skipped, and restores are rarely tested until the day they are needed.
- If the PHI on a removable drive is not encrypted, its loss or theft is a reportable breach under the HIPAA Breach Notification Rule.
Suggestion: Move from rotating removable drives to a business continuity system (an automated, encrypted, off-site backup with regular test restores), which greatly increases the reliability of your backup and eliminates the need to carry drives out of the office. Whatever backup you use, a backup you have never restored from is an assumption, not a safeguard.
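As an added example (not code from the original article), the following PowerShell script performs the restore test the suggestion above depends on: it hashes every file in the live data folder and in a freshly restored copy and reports any file that is missing, extra or altered. The two paths are placeholders to adjust for your office; it assumes the restore has already been written to the second folder.

```powershell
# Added example, not from the original article: verify that a restore from a
# backup reproduces the live data file by file. $Source and $Restored are
# assumed placeholder paths; adjust them for your office.
param(
    [string]$Source   = 'D:\PracticeData',
    [string]$Restored = 'E:\RestoreTest\PracticeData'
)

function Get-TreeHashes {
    # Returns one record per file: its path relative to $Root and its SHA-256.
    param([string]$Root)
    $rootFull = (Resolve-Path -Path $Root).Path
    Get-ChildItem -Path $rootFull -File -Recurse | ForEach-Object {
        [PSCustomObject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length).TrimStart('\')
            Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$expected = @(Get-TreeHashes -Root $Source)
$actual   = @(Get-TreeHashes -Root $Restored)

# Any file whose (path, hash) pair appears on only one side is a discrepancy:
# missing from the restore, extra in the restore, or restored with different content.
$diff = @(Compare-Object -ReferenceObject $expected -DifferenceObject $actual -Property RelativePath, Hash)

if ($diff.Count -gt 0) {
    "Restore does NOT match the source: $($diff.Count) discrepancies"
    $diff | ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'missing or altered in restore' } else { 'extra or altered in restore' }
        "  $($_.RelativePath): $side"
    }
    exit 1
}

"Restore matches source: $($expected.Count) files verified."
exit 0
```

Run it after every test restore and keep the output with the backup log; a non-zero exit code is the signal that the backup cannot be trusted.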
When defending against the possibility of theft or loss of data, encrypt any device that contains PHI and that may leave the office, whether intentionally or through theft.
Not all encryption is created equal.
AES, the algorithm you should expect to see, comes in three key sizes (128, 192 and 256 bits). The HHS guidance on what counts as "secured" PHI does not name a single key size; it requires encryption consistent with NIST guidance (NIST SP 800-111 for data at rest, and NIST SP 800-52, 800-77 or 800-113 for data in transit), which any of the AES key sizes satisfies. What does not qualify is proprietary or unspecified "encryption", a password prompt that hides files without actually encrypting them, or a key that is stored on the same device. When you are told that a device or a software program is encrypted, ask which algorithm and key size it uses, where the key is kept, and whether the whole disk or only selected files are covered, and for your protection, get the answer in writing.
If you have a break-in and your server or any device containing PHI is stolen, and that device was fully encrypted with AES in line with the NIST guidance and the key (or the PIN or passphrase that unlocks it) was not taken along with it, the PHI is considered unusable, unreadable and indecipherable under the HHS guidance and the theft is not a reportable breach. That safe harbor does not apply if the device was powered on and unlocked when it was taken, if encryption had been suspended, or if the recovery key was stored with the device.
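Rather than taking a vendor's word for it, you can check the encryption state of a Windows machine yourself. The following PowerShell script is an added example, not code from the original article: it lists every volume BitLocker can protect and flags any that would not qualify for the safe harbor described above (not fully encrypted, protection suspended, a non-AES method, or an operating-system volume that unlocks with the TPM alone and no PIN, which a thief can boot straight to the login screen). It assumes Windows 10/11 Pro or Enterprise (or Windows Server) with the BitLocker PowerShell module, an elevated prompt, and an output folder that is a placeholder to adjust for your office.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Inventories every volume
# BitLocker can protect and flags any that would not qualify for the HHS
# breach safe harbor if the device were stolen. Assumes Windows 10/11 Pro or
# Enterprise (or Windows Server) with the BitLocker module; the report folder
# below is a placeholder to adjust for your office.
Import-Module BitLocker -ErrorAction Stop

# BitLocker only offers AES. NIST SP 800-111 does not demand the 256-bit key,
# so both key sizes (CBC or XTS mode) are accepted here; anything else,
# including 'None' on an unencrypted volume, is flagged.
$acceptableMethods = @('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')

$report = foreach ($vol in Get-BitLockerVolume) {
    $problems = @()
    $method   = $vol.EncryptionMethod.ToString()

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        # Partially encrypted or fully decrypted data is readable to a thief.
        $problems += "status is $($vol.VolumeStatus)"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        # 'Off' means protection is suspended: the key sits in the clear on the
        # disk, so the ciphertext offers no protection at all.
        $problems += "protection is $($vol.ProtectionStatus)"
    }
    if ($acceptableMethods -notcontains $method) {
        $problems += "encryption method is $method"
    }

    # A TPM alone unlocks the OS volume for anyone who powers the machine on;
    # a pre-boot PIN keeps a stolen laptop from booting at all.
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($vol.VolumeType -eq 'OperatingSystem' -and
        $protectors -contains 'Tpm' -and
        -not ($protectors -contains 'TpmPin' -or $protectors -contains 'TpmPinStartupKey')) {
        $problems += 'OS volume unlocks with TPM only (no PIN)'
    }

    [PSCustomObject]@{
        Volume     = $vol.MountPoint
        Type       = $vol.VolumeType
        Method     = $method
        Protectors = ($protectors -join ', ')
        SafeHarbor = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

$report | Format-Table -AutoSize

# Keep the dated report as written evidence for your risk assessment.
$reportDir = 'C:\SecurityAudit'
New-Item -ItemType Directory -Force -Path $reportDir | Out-Null
$report | Export-Csv -Path (Join-Path $reportDir "bitlocker-$(Get-Date -Format yyyyMMdd).csv") -NoTypeInformation
```

Run it on each laptop and on the server, and treat any row with SafeHarbor set to False as a device whose theft would have to be reported. The TPM-only check is this example's own recommendation, not a requirement stated in the HHS guidance.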
The above information is intended to give general guidance. It is good practice to have an assessment of your network performed to bring to light areas where you can improve your individual office’s data security.