Though most of the attacks making headlines are those aimed at large organizations or political groups, roughly a third of all data security breaches in the last few years have occurred in the health care industry. Of these, employee error caused three times as many breaches as external attacks. In addition, more than half of the businesses who experience a security breach have fewer than 1,000 employees.
The Health Insurance Portability and Accountability Act (HIPAA) requires all health care providers to take steps to protect the private information of their patients from hackers, thieves, and staff. While no data security system is foolproof, there are some best practices that can help to decrease your risk of an information breach, especially from employee error. Here are some of the best practices you should be enforcing:
- All computers should be placed where screens are not visible to patients or visitors.
- Every computer should have an encrypted password for access.
- All passwords should contain a mixture of letters, numbers, and/or symbols and should be changed regularly.
- Passwords should never be written down in any place accessible by the public. It is preferable that they not be written down at all.
- Every staff member must be fully educated about the importance of data security practices, their responsibility to follow these practices, and the potential repercussions for failing to comply.
- Office computers and internet should not be used to check personal email or visit non-work-related websites.
- Ensure all firewalls, software, and operating systems are kept up to date.
- Wireless networks should be shielded from public view.
- Every computer should have antivirus software installed and kept up to date.
- Do not access office data remotely from a shared computer or unknown WiFi network.
- Smartphones, tablets, laptops that have access to any work systems or emails should be password protected in case lost or stolen.
- All hard copies of patient data should be shredded.
- All transmitted data should be encrypted.
- Sensitive information, such as social security numbers, financial data, or other private information, should never be sent through email or instant messaging services.
- Consider purchasing cyber insurance protection.
- If a breach does occur, take appropriate action immediately. Contact your legal counsel for advice.
Your first and best defense against the theft of sensitive patient information is the integration of data security best practices into your practice policies. Meet with your team to discuss any changes you need to make and your expectations of compliance. Protect yourself, your team, and your patients by working to protect the integrity of your systems.