By Ravi K. Raheja, MD
The past year and a half has redefined the healthcare industry. Not only have hospitals and practices quickly adapted to an emergency pandemic and a heavy demand for telehealth, but they’ve also seen an increase in cyberattacks. These have placed medical organizations on high alert to review their network security, as well as their patient data and the vendors who collect it.
According to a recent article in Forbes, “The number of hacking incidents reported in healthcare climbed for the fifth straight year in 2020 … [comprising] more than half of all last year’s patient data breaches—62%—up from 2019.”
Evaluating your vendors and security systems is paramount to protecting data from these increased ransomware and malware attacks. But an often-overlooked part of that process is the training your staff needs on the physical safeguards they should use. If you aren’t sure what those are, here’s a good place to start.
Do you rely on flash drives or mobile devices to share and review data? Make sure to lock those up when they aren’t in use, both while you’re at work and when you leave for the day. Taking them outside of the office not only risks a breach in compliance, it also increases the chances for that equipment to be stolen, as was the case for this unencrypted laptop.
Remind staff not to use the same password for all of their devices, and don’t be like more than half of surveyed workers who write them down on sticky notes. Even if your team trusts each other, there’s always the chance that someone will take advantage of another’s access and leave them footing the bill in damages.
If they juggle a lot of passwords between different programs, have them use a password manager that stores and encrypts them online for convenient access. Some to consider include LastPass, Dashlane, Bitwarden, or 1Password, among others.
Institute keycard access for sensitive areas and avoid holding the door for tailgaters, as this defeats the purpose of this physical safeguard.
Have a lot of hard-copy paperwork? Consider housing it in a secure, offsite location. This allows you to maintain HIPAA compliance for file retention while protecting those documents from damage that an on-site fire or natural disaster could cause.
When it’s time to dispose of those hard copies, make sure to shred them first. Shredded papers won’t give thieves much to leverage, especially when they’re all mixed together.
Contracting with a document disposal service can certainly help, but keep in mind that locked trash bins still have the potential to be accessed between the time you drop a file in them and the time the disposal service arrives.
Disposal of Hardware
Getting rid of computers, mobile devices, or digital copiers? Make sure to use software that wipes all patient data from them first. Simply sending a file or folder to the trash bin doesn’t automatically delete it; the data typically remains on the drive until something overwrites it. You may also find it necessary under HIPAA to physically destroy that media once it has been wiped.
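To make the point concrete, here is a small added example (not code from the author or TriageLogic) showing the difference between merely unlinking a file and overwriting its contents before unlinking it. The file name and patient record are constructed sample data. This is a file-level wipe only: on SSDs, journaling filesystems, backups, and snapshots the original bytes may still survive elsewhere, so for actual hardware disposal you still need whole-device sanitization (for example, following NIST SP 800-88) or physical destruction, as the text describes.

```python
import os
import secrets
import tempfile


def wipe_and_delete(path: str, passes: int = 1) -> int:
    """Overwrite a regular file in place, flush it to disk, then unlink it.

    Returns the number of bytes overwritten per pass. A plain os.remove()
    only drops the directory entry; the file's blocks keep their old
    contents until the filesystem happens to reuse them.
    """
    # Refuse to follow symlinks so we never overwrite a file we did not mean to.
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"refusing to wipe non-regular file: {path}")

    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            # Random bytes rather than zeros, so the overwrite is not
            # trivially distinguishable from "empty" space.
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())  # force the overwrite to the device
    os.remove(path)
    return size


def demo() -> tuple:
    """Create a constructed patient record in a temp file, wipe it, and report.

    Returns (bytes_overwritten, file_still_exists).
    """
    record = b"Patient: Jane Doe, MRN 0001"  # constructed sample, not real PHI
    fd, path = tempfile.mkstemp(prefix="phi-")
    os.write(fd, record)
    os.close(fd)
    overwritten = wipe_and_delete(path, passes=2)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (27, False)
```

Use this kind of overwrite for individual documents on a working machine; when the machine itself is being retired, wipe or destroy the entire drive rather than relying on per-file deletion.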
Use multi-factor authentication to log into your user accounts and file sharing services. This reduces the chances that an outside intruder will be able to hack your credentials and gain access to more—or all—of your network.
Train everyone on your staff about these physical safeguards. Even employees who can’t review sensitive patient or company information should still be aware of corporate policies on data management and how to respond to a potential breach in security. For more on what that includes, review the FTC’s guidelines.
Ravi K. Raheja, MD is the CTO and medical director of the TriageLogic Group. Founded in 2007, TriageLogic is a URAC accredited, physician-led provider of high-quality telehealth services, remote patient monitoring, nurse triage, triage education, and software for telephone medicine. Contact them if you need help with telehealth nurse triage, telehealth appointment-setting, or nurses to manage data for remote patient monitoring.