Preventing security breaches in healthcare

By Monica McCormack, Marketing Content Manager, Compliancy Group

The healthcare industry is particularly vulnerable to breaches due to the sensitive information that they handle on a regular basis.

In March alone, there were 39 healthcare breaches, affecting 1.5 million patients. This is why preventing security breaches in healthcare should be a top priority for any business working in the healthcare space.

The following article discusses the most common reasons behind healthcare breaches, and how to prevent them.

Preventing security breaches in healthcare: how to prevent vendor breaches

Vendor breaches occur when protected health information (PHI) managed by a covered entity’s business associate is accessed by unauthorized individuals. The best way to prevent this from occurring is by vetting vendors.

Covered entities have an obligation under HIPAA to ensure that the PHI business associates create, maintain, transmit, or store on their behalf is secure. This can be accomplished by sending business associates vendor questionnaires.

A vendor questionnaire assesses the administrative, physical, and technical safeguards that the business associate has in place securing PHI.

In addition, before sharing PHI with a vendor, there must be a signed business associate agreement (BAA). A business associate agreement is a legal document that mandates the safeguards that the business associate must have in place.

A BAA also dictates that each signing party is responsible for their own HIPAA compliance, and which part is responsible for reporting a breach should one occur.

Lastly, a BAA limits the liability for both signing parties. Without a BAA and adequate vendor vetting, both parties would be held responsible for a breach and subject to costly HIPAA fines.

Preventing security breaches in healthcare: how to prevent insider breaches

Insider breaches occur when an employee within an organization, who is generally authorized to access PHI, does so without cause.

According to the HIPAA minimum necessary standard, employees should only access PHI for a specific job function.

To ensure that employees adhere to the minimum necessary standard organizations should implement the following:

• Policies and procedures. Dictate the proper uses and disclosures of PHI. Policies and procedures ensure that there are clear guidelines on when it is permitted to access PHI, and to whom PHI is permitted to be disclosed.
• Employee training. To ensure that employees understand an organization’s policies and procedures, as well as HIPAA standards, employees are required to be trained annually. Training must be documented and must enable employees to legally attest that they have read and understood the training material.
• Access controls. Provide different levels of access to PHI based on an employee’s job function.
• Audit logs. Track access to PHI to ensure that access is in accordance with the minimum necessary standard. Each employee must have unique login credentials to enable tracking.

Preventing security breaches in healthcare: how to prevent email breaches

Hackers have become increasingly sophisticated in their attempts to target employees with phishing emails, disguising themselves as trusted individuals to prompt employees to click on a malicious link.

The following are indicators that an email is a phishing scam:

• Emails requesting personal information. Legitimate companies never send emails asking for passwords, credit card information, or social security numbers. Emails requesting sensitive information are not legitimate.
• Emails using generic greetings. Emails from legitimate organizations will address recipients by name. Hackers generally address recipients with generic greetings such as “Dear valued customer” or they lack a greeting.
• Sender’s email address domain differs from the company name. Before opening an email from an unknown entity, it is always a good idea to check the sender’s email address to ensure it is from a legitimate company. Legitimate companies generally have domain emails appearing as name@companyname.com. Recipients can check email addresses before opening an email by hovering over the “from” address and carefully checking the domain name.
• The email is written poorly. Many phishing emails contain grammatical or spelling mistakes.
• The email forces you to a website. Phishing emails often contain malicious links. In some cases, they are designed so that anywhere a recipient clicks, will direct them to a malicious site. A legitimate company will not force you to their website; if an email contains no text with only a “click here” button, it is a malicious email. 
• The email contains an unsolicited attachment. Legitimate businesses only send attachments upon request. Attachments ending in .exe, .scr, and .zip are considered high-risk attachments, and are likely phishing attempts.
• Links don’t match legitimate URLs. Before clicking on any links, recipients should hover over the link to ensure that the link will take them where it says it will. If the link differs from the text, or doesn’t match the context of the email, it is a phishing attempt.

Paubox Email Suite Plus stops phishing emails from reaching the inbox

Paubox Email Suite Plus stops phishing emails from reaching employees' inboxes in the first place. This robust spam filter quickly uses hundreds of checks on each incoming email to protect you against malicious attacks. It immediately identifies and quarantines attacks, never letting them get to the inbox.

About Compliancy Group

Compliancy Group gives healthcare professionals confidence in their HIPAA compliance with The Guard®. The Guard is a total HIPAA compliance solution, built by former auditors to help simplify compliance.