How Complex HIPAA Has Become in an Age of Remote Work and Mobile and Personal Devices
Covid-19 has brought many radical changes to the way hospitals and healthcare organisations work during 2020. Non-clinical employees and contractors with quality Internet connections at home were given approved devices and some quick training, and off they went blazing into a new work from home (WFH) trend. Initially, most thought that this was temporary, but now all of this has changed. It is now clear that Covid-19 is not going away anytime soon as the whole world keeps experiencing new variants. Organisations have realised that they can reduce real estate costs and the expense of office space. Employees can eliminate commutes and have more personal and family time. Not surprisingly, productivity has increased with this new way of working. Progressive healthcare organisations are not going to go back to the old ways.
Maintaining HIPAA compliance and preventing data security breaches are top-of-mind concerns for most Chief Information Officers. With all these employees working from home there is a real risk of HIPAA violations. Protected health information (PHI) includes any patient-related health data, and as such it is protected under HIPAA to ensure that it remains private.
Employees new to work from home/remote work need refresher training on HIPAA compliance, since so much of the technology is now based in the home and no longer centralised in the office. Employees also need security software such as firewalls, antivirus, antimalware and a virtual private network (VPN) for their home-based technology needs. In order to remain HIPAA compliant, employees also need training on reporting data breaches.
Here are some steps that hospitals and healthcare organisations should take to ensure HIPAA compliance:
HIPAA training programmes to educate employees for a work from home environment
Monitoring hardware and software to ensure that encryption is always used
Educating patients about the HIPAA compliance methods used by work from home employees
Providing hardware and software for work only use, and making sure the configurations are approved by the information technology department
Requiring the use of a VPN—a virtual private network—which encrypts all data when remotely accessing a healthcare network from home
Since work from home is so new, many healthcare organisations may find that a Managed Service Provider (MSP) can help them with all the complexity. Many MSPs provide remote monitoring and management (RMM) services, which can verify that employees are following the training they received and properly using hardware and software in this new environment.
The following are some good policies and procedures that IT departments should implement and enforce to keep their organisations HIPAA compliant:
Encrypting passwords and requiring strong passwords, or better yet mandating two-factor authentication (2FA)
Requiring the installation of privacy screens on devices
Restricting device usage to only employees and excluding family members from access
Requiring the shredding of paper documents containing PHI
Prohibiting the posting of work-related information on social media
Providing employees with devices that automatically encrypt PHI before sending emails
HIPAA-Compliant Cell Phones, Mobile Phones, Smart Phones
There are no specific HIPAA rules for mobile devices. HIPAA rules pertain only to the PHI that may be stored on cell phones, mobile phones and smart phones. It is especially important to have HIPAA policies and procedures that keep track of all these devices. It is also important to ensure that all devices that can access a network with PHI are known to the organisation and are given access only after proper credentialing of the employees/contractors and the devices. Programs that can remotely erase all data from these devices should be installed on each phone to protect the data in the event that those devices are lost or stolen.
HIPAA-Compliant Computers, Laptops and Workstations
Now much of the healthcare world is working remotely and using mostly laptops. An organisation should make sure employees use Virtual Private Networks (VPN) to access the corporate network where there is PHI. Two-factor authentication should also be used, preferably with hardware-based tokens that generate one-time passwords, such as Yubico YubiKeys. Two-factor authentication using text messages sent to cell phones is better than nothing, but cell phones can be easily compromised with SIM-swapping attacks.
HIPAA-Compliant External Hard Drives
In today's work from home (WFH) environment, employees and contractors in hospitals and healthcare organisations may have access to PHI that is subject to HIPAA compliance. They may accidentally back up their laptop to an external hard drive or to a cloud service that they use for personal home use, without remembering that they must maintain HIPAA compliance. The best way to avoid this is to provide employees and contractors with standard laptops that have special software to protect against viruses and malware and also have a backup function, so that daily automated backups are made to the organisation's servers. The laptops should also be configured to not allow the download and installation of non-approved programs.
Precautions and Best Practices for HIPAA-Compliant Mobile Device Security and Connecting to a Healthcare Network
How recently has your organisation performed a mobility security risk assessment including cell and mobile phones and smart phones?
When were these policies last revised?
Risks are constantly changing so stay on top of the latest risks with subscriptions to your IT vendor's support organisations.
Continuously conduct risk assessments to ensure continued protection and compliance with HIPAA regulations.
Regular Staff Training
Employees and contractors are always the weakest link in keeping data secure, especially when they work remotely with cell phones, tablets and laptops.
Employee negligence is the leading cause of healthcare data breaches.
Regular training sessions should be provided on data privacy, security, and the latest threats.
Cultivate a "Risk-Aware" culture.
For most companies, data is the most valued asset.
Build capabilities to track activity should your organisation be subject to a security breach.
Watermarking your data, which is accomplished by embedding information in the data carrier that cannot easily be noticed, could make for quicker and easier forensic analysis after a cybersecurity attack.
Information Access Controls
All devices allowed to access the network should be documented.
Establish a standard where mobile devices are certified and only those are allowed to access the network.
Access to sensitive data such as PHI can be blocked, and certain data can be prevented from being downloaded to individual devices.
Establish security policies for BYOD devices and enable easy deletion of protected PHI data without erasing employees' personal information.
Data encryption at rest is not currently mandatory under HIPAA Rules, but offers excellent protection against data breaches and HIPAA fines.
Implement data encryption on all mobile devices without any exception.
If a device is lost, there will not be a data breach.
Secure Text Messages
If non-secure SMS messages are banned, are the rules always followed?
Unencrypted text messages containing PHI violate HIPAA and can result in significant fines.
Since texting is popular, capitalise on its benefits and prevent breaches by providing a secure text messaging app.
When PHI can be sent securely via text, healthcare staff and patients benefit from faster communication, lower costs and improved patient outcomes.
Remote Data Erasure
Small portable devices can be easily lost or stolen so organisations should plan for this.
Devices used to store, transmit, or access healthcare data should be centrally controlled.
Systems allowing data to be remotely deleted can render devices useless even if they are never recovered.
Secure Password Policy
Weak passwords should not be allowed. Even reasonably strong passwords can be cracked with common hacker tools.
Strong password policies should be maintained on password length, valid characters and expiration date, as well as two-factor authentication.
Employee and contractor training is critical to highlight the importance of being vigilant for security risks and social engineering attempts to obtain passwords. Never allow anybody to access passwords; they should always be encrypted.
Use automated tools for password resets.
Public Wi-Fi Network Access
Mobile devices with PHI should never be connected to public Wi-Fi hotspots, as they are particularly risky and attackers may be lying in wait on them.
If healthcare workers can use their devices to access data remotely, they must be informed of the risks of public Wi-Fi and how to access/communicate data securely.
Remote access VPNs should be used to access data via public networks, or a secure text message should be used to ensure privacy.
Control of App Usage
The use of unregulated mobile apps is a major security risk.
Many apps contain numerous security flaws that can be exploited by hackers.
Only permit apps that have been certified as having the necessary security controls, and ensure those apps are kept up to date with security updates.
Annual compliance assessments with company policies on mobile device security should be standard operating procedures.
Device Security Scanning
All mobile devices should be scanned for viruses, malware and other malicious code before any network access is allowed.
Ensure anti-virus software is installed on all mobile devices, and perform regular security scans on random devices to check for malware.
Standard operating practice for employee offboarding should be that all mobile devices are erased and data access rights are terminated immediately.
A mobile device requires maintenance and regular software updates.
The timeliness of applying patches and new anti-virus and antimalware definitions is critical.
A system must be put in place to automate the updating of devices, to ensure device security is maintained at all times.
Just one unpatched device could be exploited and used to access a network and healthcare information.
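As an added example (not from the article or any vendor product), the following policy-as-code check evaluates a constructed device inventory against the controls listed above (certified inventory, encryption at rest, remote erasure, antivirus and patch currency, and the second factor in use) before a device is admitted to a network carrying PHI. The Device fields, the age thresholds and the sample devices are assumptions for illustration; SMS codes are flagged rather than blocked, matching the article's "better than nothing" rating.

```python
from dataclasses import dataclass
from datetime import date

MAX_DEFINITION_AGE_DAYS = 7   # assumed limit for antivirus definition age
MAX_PATCH_AGE_DAYS = 30       # assumed limit since the last OS/app patch

@dataclass
class Device:
    device_id: str
    certified: bool            # inventoried and certified by the IT department
    encrypted_at_rest: bool
    remote_wipe_enabled: bool
    antivirus_installed: bool
    definitions_updated: date
    last_patched: date
    mfa_method: str            # "hardware_token", "sms" or "none"

def evaluate(dev: Device, today: date):
    """Return (allowed, blocking_findings, warnings) for one device."""
    blocking, warnings = [], []
    if not dev.certified:
        blocking.append("device not in the certified inventory")
    if not dev.encrypted_at_rest:
        blocking.append("storage not encrypted")
    if not dev.remote_wipe_enabled:
        blocking.append("remote erasure not enabled")
    if not dev.antivirus_installed:
        blocking.append("no antivirus installed")
    elif (today - dev.definitions_updated).days > MAX_DEFINITION_AGE_DAYS:
        blocking.append("antivirus definitions out of date")
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        blocking.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if dev.mfa_method == "none":
        blocking.append("no second factor configured")
    elif dev.mfa_method == "sms":
        # SMS codes are better than nothing but exposed to SIM swapping: warn, do not block.
        warnings.append("SMS second factor is exposed to SIM swapping; prefer a hardware token")
    return (not blocking, blocking, warnings)

# Constructed sample inventory (not real devices): compliant laptop, phone with
# unencrypted storage and stale definitions, BYOD device relying on SMS codes.
TODAY = date(2021, 6, 1)
INVENTORY = [
    Device("LT-001", True, True, True, True, date(2021, 5, 30), date(2021, 5, 20), "hardware_token"),
    Device("PH-002", True, False, True, True, date(2021, 4, 1), date(2021, 5, 28), "hardware_token"),
    Device("BYOD-003", True, True, True, True, date(2021, 5, 31), date(2021, 5, 25), "sms"),
]

def access_report(inventory, today=TODAY):
    return {d.device_id: evaluate(d, today) for d in inventory}
```

Running `access_report(INVENTORY)` admits LT-001 cleanly, blocks PH-002 on both the encryption and definition-age findings, and admits BYOD-003 with the SIM-swap warning attached for follow-up.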