Earlier this week, Franklin, Tenn.-based Community Health Systems notified some 4.5 million of its patients that their personal information had been stolen by cybercriminals. Fittingly, this week the Office of the National Coordinator (ONC) for Health Information Technology posted information on how to keep your health information private and secure.
In this post we review some of their health information protection tips for patients as well as some of our tips for health systems.
HIPAA and Your Health Information
The ONC document opens by describing the extent to which the Health Insurance Portability and Accountability Act (HIPAA) protects patient health information.
“These are federal laws that set national standards for protecting the privacy and security of health information. Health information that is kept by health care providers, health plans and organizations acting on their behalf is protected by these federal laws.”
Examples of health information not protected by HIPAA are information that you as a patient:
- Store in a mobile app or device
- Share over social media websites or online communities
- Store in a personal health record (PHR) that is not offered through a health provider or health plan covered by HIPAA.
Tips for Keeping Your Health Information Secure
Passwords
- Create a strong password. Include numbers and special characters where allowed.
- Don’t log in on a public computer with your password.
- Don’t share your password.
Social Media
- Be cautious about what you post on the Internet. Do not assume that it is private, secure or temporary.
- If you decide to post health information on social media, make sure your privacy settings reflect who you want to have access to it.
Mobile Devices
- Before you download an app, make sure it is from a trusted source and that you know the app’s website.
- Consider installing or using encryption software for your device.
- Install and activate remote wiping and/or remote disabling on your mobile devices in case they are lost or stolen.
Tips for Health Systems to Protect Health Information
Health systems can also implement tactics to further protect patient information. These tactics include performing penetration testing and a Security Risk Assessment (SRA).
Network Penetration Testing
Penetration testing services help locate potential security vulnerabilities in an organization’s network. To properly protect patient information, the network has to be protected first.
Penetration testing uses ethical hacking strategies to test network devices such as firewalls, routers, switches, servers, workstations and printers. The tests identify and locate vulnerabilities, categorize them by severity, and document them in detailed reports that follow standard vulnerability assessment procedures. Identifying and reporting security vulnerabilities allows you to remedy the issues found.
Security Risk Assessments (SRAs)
An SRA is an assessment of the potential risks and vulnerabilities to the health information that a health system holds. The protected health information (PHI) is inventoried, and the risk analysis determines which PHI is created, stored, maintained or transmitted by the organization. This list is then mapped to the software application used for each purpose, and the impact that loss of use of those applications, or loss of the PHI data itself, would have is evaluated.
The SRA then compares the criticality of the PHI and its applications with the threats that exist. Threats are derived from prior experience at your facility and from a reasonable analysis of general, natural and man-made threats. Finally, using all this information, the assessment evaluates existing controls and safeguards to establish the gaps or risks and puts them into a matrix for the development of a response plan.
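To make the SRA steps above concrete, here is an added worked example that is not part of the ONC guidance or of any vendor assessment tool. It models a small PHI inventory mapped to applications, pairs each application with the threats that apply to it, credits existing controls against the threat likelihood, and places the residual risk into a likelihood-by-impact matrix sorted for the response plan. All asset, application, threat and control names are constructed for illustration, and the 1-3 ordinal scales and the "likelihood times impact" cell value are assumptions of this example, not a prescribed SRA scoring scheme.

```python
"""Toy model of the Security Risk Assessment steps: inventory PHI, map it to
applications, rate impact, pair with threats, credit existing controls, and
produce a residual-risk matrix. Constructed example; all names are hypothetical."""
from dataclasses import dataclass

# Ordinal scales assumed for this example: 1 = low, 2 = medium, 3 = high.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class PhiAsset:
    name: str           # what PHI this is
    application: str    # system that creates/stores/maintains/transmits it
    lifecycle: str      # created / stored / maintained / transmitted
    impact: int         # impact of loss of use or loss of the data (1-3)


@dataclass
class Threat:
    name: str
    likelihood: int     # inherent likelihood before controls (1-3)
    applies_to: set     # application names this threat is relevant to


@dataclass
class Control:
    name: str
    application: str
    mitigates: str      # threat name this control addresses
    reduction: int      # likelihood levels removed by the control (0-2)


def residual_likelihood(threat, app, controls):
    """Credit every control that mitigates this threat on this application, floored at LOW."""
    reduction = sum(c.reduction for c in controls
                    if c.application == app and c.mitigates == threat.name)
    return max(LOW, threat.likelihood - reduction)


def build_risk_matrix(assets, threats, controls):
    """Return rows (risk_score, likelihood, impact, asset, threat), highest risk first.

    risk_score is the matrix cell value: residual likelihood x impact.
    """
    rows = []
    for asset in assets:
        for threat in threats:
            if asset.application not in threat.applies_to:
                continue
            lk = residual_likelihood(threat, asset.application, controls)
            rows.append((lk * asset.impact, lk, asset.impact, asset.name, threat.name))
    rows.sort(key=lambda r: (-r[0], r[3], r[4]))
    return rows


def gaps(rows, threshold=HIGH * MEDIUM):
    """Rows at or above the threshold are the gaps that go into the response plan."""
    return [r for r in rows if r[0] >= threshold]


# Constructed sample inventory (hypothetical names, not from any real facility).
ASSETS = [
    PhiAsset("Patient demographics", "EHR", "stored", HIGH),
    PhiAsset("Lab results", "LabInterface", "transmitted", HIGH),
    PhiAsset("Appointment reminders", "PatientPortal", "transmitted", MEDIUM),
]
THREATS = [
    Threat("Credential theft", HIGH, {"EHR", "PatientPortal"}),
    Threat("Interception in transit", MEDIUM, {"LabInterface", "PatientPortal"}),
    Threat("Ransomware", MEDIUM, {"EHR", "LabInterface"}),
]
CONTROLS = [
    Control("Multi-factor authentication", "EHR", "Credential theft", 2),
    Control("TLS on interface links", "LabInterface", "Interception in transit", 1),
]

if __name__ == "__main__":
    matrix = build_risk_matrix(ASSETS, THREATS, CONTROLS)
    print(f"{'Risk':>4} {'L':>1} {'I':>1}  Asset / Threat")
    for score, lk, imp, asset, threat in matrix:
        print(f"{score:>4} {lk:>1} {imp:>1}  {asset} / {threat}")
    print("\nGaps for the response plan:")
    for row in gaps(matrix):
        print(" -", row[3], "/", row[4], "(residual risk", row[0], ")")
```

The point the output makes is the one the SRA process is built around: the portal's appointment reminders, a lower-impact asset, end up in the same top matrix cell as the EHR and lab interface because no control credits the credential-theft likelihood there, while the EHR's credential-theft row drops to the bottom once multi-factor authentication is counted. Ranking by residual rather than inherent risk is what lets the response plan target actual gaps.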
This post illustrates that there is an important distinction between how a patient treats their personal information and the obligation a healthcare organization assumes under HIPAA. Targeted attacks to obtain PHI are on the rise in healthcare. On Wednesday, the FBI issued a FLASH alert warning health care organizations that hackers are targeting them.
Start Protecting Now
Download our ethical hacking webinar to learn how hackers access and steal personal health information.
If you are interested in performing penetration testing or an SRA, request a consultation to get more information and assess your current security status.
Breach alert: Hackers swipe data of 4.5M – Healthcare IT News
How to Keep Your Health Information Private and Secure – ONC for HIT