Protected Health Information: A Cybersecurity Perspective
October 29, 2020
Cyber Security | HIPAA
If your organization has HIPAA obligations -- either as a Covered Entity or a Business Associate -- you've probably heard the term Protected Health Information. Industry insiders usually shorten it to PHI, and understanding what it covers is crucial to standing up a strong cybersecurity perimeter that honors your HIPAA obligations. Although your HIPAA obligations are a mix of privacy and security obligations (and beyond), here we'll talk mostly about the security of three particular types of information that are definitely part of the patient records covered by HIPAA.
Guarding Your Protected Health Information
If you are a Covered Entity, there is a very good chance that you have patient Contact Information, Medical Information, and Payment Information floating around in your systems somewhere -- hopefully in a very centralized, well-organized system. You are obligated to make sure that no unauthorized person is able to see, use, or decipher any of it, because all three are Protected Health Information. Think about the places where you store this type of information. Do you have patient information in your EHR system? In your accounting system? In your billing system? In other files that contain correspondence with your patients?
All of that needs to be guarded so that unauthorized people cannot see, use, or decipher the information. Some of the things you should consider as part of your cybersecurity posture to fulfill your HIPAA obligations are:
- Authentication: any computer, device, or account that contains medical records should require a user to authenticate (username / password or another authentication system). To be more specific, you'll want to make sure that each person who accesses any of those resources has their own distinct credentials, so that you can be sure that only the people who are authorized to access those records have access, and so that access logs can be tied back to an individual. Advanced reading: the "minimum necessary" standard builds on this by requiring that each person be given access only to the minimum amount of information necessary to do their job.
- Encryption at Rest: suppose that someone gains physical access to a computer or device that has PHI on it. Suppose that person is able to remove the hard drive (or other storage mechanism), take it to another computer, and read information off of it. That would violate HIPAA in a number of ways, and is the most basic example of why Encryption at Rest (for example, BitLocker) is essential to protecting PHI. Keep in mind that disk encryption protects data only while the volume is locked (for example, when the machine is powered off); once an authorized user has unlocked it, the authentication and access controls above are what stand between PHI and anyone at the keyboard.
- Encryption in Transit: what if there are images or documents that are being relayed to/from various employees or other stakeholders? There are HIPAA-safe ways to do this and HIPAA-unsafe ways to do this, and one of the biggest dividing lines is the question of whether the information is encrypted in transit. A good example of meeting this standard is using an encrypted email program that forces the recipient to authenticate, and then relays the document/image over an encrypted connection upon successful authentication.
There are other factors that you should consider for Protected Health Information, but the above three items are what we consider to be the most essential starting point. It's hard to imagine a credible PHI strategy that does not incorporate the above three items, at a minimum.
Investigations & Audits
The HHS Office for Civil Rights (OCR) has the ability to investigate Covered Entities and Business Associates. It can do this in response to a complaint received from a patient, employee, or other whistleblower -- or as part of a broader auditing effort that doesn't relate to a complaint. Although we don't imagine that many Covered Entities or Business Associates look forward to the possibility of an investigation, you'll sleep better if you take a few simple steps to ensure that you are well equipped to respond to an investigation or audit if one ever occurs. Some of these steps are:
- Policies: your employees need to be informed about their obligations with regard to handling Protected Health Information. Many organizations make their employees aware of policies via initial onboarding discussions, mentoring/coaching, and performance review discussions. However, there is no substitute for an audit trail that demonstrates that every employee has been presented with security and privacy policies, reviewed them, and acknowledged them.
- Training: if there is one thing that you can do to encourage well-intentioned employees to comply with HIPAA, it's to provide approachable training sessions that make the complex topic of HIPAA easier to relate to. By providing recurring training to all employees, you'll empower them to better understand their obligations and how to comply with them.
- Proof: if an investigation or audit occurs, wouldn't it be nice to be able to supply formal evidence that all of your storage systems are encrypted, that everyone has completed HIPAA training, and that your processes are designed to comply with HIPAA? Thinking about the audit trail that your processes leave behind is a great step toward reducing the stress that an investigation might otherwise cause.
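As an added example (not part of the original post), the Encryption at Rest and Proof points above can be combined into a small PowerShell script that inventories BitLocker status on a Windows machine and writes a timestamped CSV you can keep as audit evidence. It assumes the BitLocker module (Get-BitLockerVolume) is installed, the session is elevated, and the evidence folder C:\HIPAA-Evidence is an acceptable location (change it to suit your environment).

```powershell
# Added example, not code from the original post.
# Assumes: BitLocker PowerShell module present, elevated session,
# and that C:\HIPAA-Evidence is an acceptable place to keep evidence (assumption).
$ReportPath = "C:\HIPAA-Evidence\bitlocker-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null

# Collect one evidence row per volume, including which key protectors guard it.
$Volumes = Get-BitLockerVolume | ForEach-Object {
    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        Collected        = (Get-Date).ToString('o')
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType          # OperatingSystem or Data
        VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $_.ProtectionStatus    # On or Off; Off means the key is not actually enforced
        EncryptionMethod = $_.EncryptionMethod
        KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
    }
}

# Write the evidence record. Keep these files with your other audit artifacts.
$Volumes | Export-Csv -Path $ReportPath -NoTypeInformation

# A volume only counts as protected when it is fully encrypted AND protection is on;
# an encrypted volume with protection suspended is readable by anyone with the disk.
$Unprotected = $Volumes | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
}

if ($Unprotected) {
    Write-Warning "Volumes not fully protected on $($env:COMPUTERNAME):"
    $Unprotected | Format-Table MountPoint, VolumeStatus, ProtectionStatus -AutoSize
    exit 1
}
Write-Output "All $($Volumes.Count) volume(s) fully encrypted with protection on. Evidence: $ReportPath"
```

Run it on a schedule (for example, via a scheduled task or your endpoint management tool) so the CSV trail shows encryption was in place continuously, not just on the day an auditor asked.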
In brief, although no one looks forward to scrutiny of their HIPAA processes, the above steps can make the process as low-stress as possible.
Specific Advice
Want to talk about your unique situation with regard to HIPAA? Havoc Shield is standing by to help. We can make it easy to get everyone in your organization trained (as soon as today), we can orchestrate encryption at rest and in transit, manage the workflow around rolling out policies and receiving acknowledgements, and more. If any of the above topics make you concerned that you may not be doing everything you need to for HIPAA, please be in touch so that we can discuss your unique circumstances.