Manage Learn to apply best practices and optimize your operations.

Four areas to consider when shoring up your ePHI security

Healthcare organizations should be sure to include updated log management configuration and a comprehensive security framework in their ePHI security plan.

Most healthcare organizations are playing catch-up when it comes to building or updating an ePHI security plan...

to reflect today's cybersecurity risks, said David Chou, vice president and chief information and digital officer at Children's Mercy Kansas City. His own organization lacked a truly comprehensive security policy and procedures when he came on board in May 2016, when Chou began building their modern-day ePHI security program. "It's a journey," he said.

Here are four areas to consider when building your ePHI security program:

  • Update your log management configuration: Sure, your organization has a log management tool in place to comply with HIPAA, but are all web servers, devices, load balancers, firewalls, systems, proxy servers and content security appliances configured appropriately to identify everything coming into or out of your organization? To protect and secure patient data, you must know who is accessing various systems and data, and what they're doing with the information -- in real time, Chou said.
  • Implement a comprehensive security framework: A growing number of healthcare organizations, including Children's Mercy, are working toward implementing the health IT testing infrastructure developed by the National Institute of Standards and Technology. The infrastructure is designed to enable scalable, multipartner, automated, remote capability for current and future testing needs.
  • Cast a wide net when shopping for a security risk assessment tool: These tools can vary in price by tens of thousands of dollars, said Tampa-based healthcare and IT attorney Tatiana Melnik. She recalls how one vendor quoted a five-physician medical practice at $30,000, while a different vendor quoted $8,500. "The services were nearly identical," she said. "One vendor was just a bigger name. They went with the lower-priced vendor."

    And double-check whether the tool includes a vulnerability scan. "Most vendors will not include a vulnerability scan at their basic price point, but you can't perform a good vulnerability analysis without one," she said.
  • Update your incident response plan: If you're devoting more time, money and resources toward sniffing out cybersecurity weaknesses, you'll undoubtedly find what you're looking for. So be sure your plan reflects today's cyberthreats, as well as any organizational changes, Melnik advised.

    Consider that about 40% of the corporate and in-house counsel attorneys say their healthcare organization's plans are too generic, lack specific guidance for the types of incidents their organizations might face and haven't been adequately tested, according to a 2016 survey by Bloomberg Law and the American Health Lawyers Association.

    When a risk to ePHI security is uncovered, your organization should have someone in place who is qualified to determine the context, scope and magnitude of the vulnerabilities, and whether and how the organization should respond, Melnik said.  

    This was an expensive lesson learned for the University of Mississippi Medical Center. In 2016, it agreed to pay a resolution amount of $2.75 million and adopt a corrective action plan to settle multiple alleged HIPAA violations. An investigation by the Office for Civil Rights concluded that UMMC had been aware of various risks and vulnerabilities to its systems for several years, but had not engaged in any significant risk management activity until after a breach occurred.

Next Steps

Technology risk assessment eases HIPAA audit preparation

How HIPAA helps protect health information

Is HIPAA compliance sufficient protection for PHI?

This was last published in January 2017

Dig Deeper on Electronic health records security compliance

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What other areas should healthcare organizations consider to secure ePHI?
Cancel
Superb point about the biggest vendor name not always being to right choice. Small is powerful. 

I would add a fifth area: user training. Employees need to be aware of security best practices when they're handling PHI and ePHI. If not, sheer negligence could cost an organization millions.



Cancel

-ADS BY GOOGLE

SearchCompliance

SearchCIO

SearchCloudComputing

SearchMobileComputing

SearchSecurity

SearchStorage

Close