Protected Health Information (PHI) is any data that is handled by a health care service provider, whether a Covered Entity (CE) or Business Associate (BA), that relates to the physical or mental health of an individual in some way.
Any US organization that handles PHI is required to comply with HIPAA (Health Insurance Portability and Accountability Act of 1996). Below are some tips to help organizations achieve compliance with HIPAA and ensure that their PHI is secure.
1. Carry out a HIPAA Assessment
Doing so will help organizations understand their current security posture and provide insight into what they can do to improve it. They will also need to carry out regular security audits to monitor the effectiveness of their security strategy.
2. Appoint Privacy and Security Officers
Organizations will need to appoint one or more security personnel to ensure that the organization is following the HIPAA guidelines, and to ensure that staff members are trained to a sufficient level.
3. Sign a BAA (Business Associate Agreement)
Healthcare organizations and any third parties that have access to PHI will need to sign a BAA (Business Associate Agreement), which states how PHI can be stored, processed and transported.
4. Password Protect All Devices
Any devices that have access to PHI must be password protected. Each user should have their own set of credentials, and they will need to be reset at least twice a year.
5. Use Two-Factor Authentication
Any cloud-based solutions, such as EMR (Electronic Medical Record) solutions and communication/chat applications, should use 2FA for added security. In addition to a simple username and password, the user will be required to enter a one-time code, provide a fingerprint scan, or present another factor that strengthens the authentication process.
6. Secure Your Physical Assets
While this may seem obvious, some smaller service providers have been known to overlook physical security procedures. Only authorized personnel should be allowed to enter the server room. Use security cameras, alarm systems and electronic door access to protect all physical assets which may contain PHI.
7. Implement a Breach Notification Plan
Should a service provider fall victim to a data breach, HIPAA requires that they notify those who were affected within 60 days. Service providers will need a documented set of procedures to follow in the event of a breach.
8. Restrict Access to PHI
Organizations need to ensure that access to PHI is limited to those who need it. A common method for restricting access to sensitive data is Role-Based Access Control (RBAC), whereby access is granted to roles rather than to individuals, and users receive only the roles their job requires.
9. Audit Changes to Access Controls
Should an attacker or malicious insider gain unauthorized access to a privileged account, they may seek to elevate their privileges in order to gain further access. Organizations will need to monitor these privileges and receive real-time alerts when they change. There are a number of data security solutions which can detect, alert, report and respond to changes made to privileged accounts, as well as to any files, folders and mailbox accounts that contain PHI.
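Tips 8 and 9 fit together: an RBAC model decides who may touch PHI, and an audit trail of changes to that model is what lets you spot privilege escalation. The example below is added here and is not code from the original article or from any particular product; the roles, permission names (`phi:chart:read`, `iam:roles:manage` and so on) and user names are constructed for illustration. Every attempt to change a role assignment is recorded, a denied attempt is flagged for a real-time alert, and so is any successful grant of a role that carries an `iam:` permission.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Role string
type Permission string

const (
	RoleClinician Role = "clinician"
	RoleBilling   Role = "billing"
	RoleAdmin     Role = "admin"

	PermReadChart   Permission = "phi:chart:read"
	PermWriteChart  Permission = "phi:chart:write"
	PermReadBilling Permission = "phi:billing:read"
	PermManageRoles Permission = "iam:roles:manage"
)

// AuditEvent is one entry in the access-control change log. Alert marks
// events that should be pushed to the security officer in real time.
type AuditEvent struct {
	When   time.Time
	Actor  string
	Action string
	Detail string
	Alert  bool
}

// AccessControl maps roles to permissions and users to roles, and records
// every attempted change to those mappings.
type AccessControl struct {
	rolePerms map[Role]map[Permission]bool
	userRoles map[string]map[Role]bool
	Audit     []AuditEvent
}

func permSet(ps ...Permission) map[Permission]bool {
	m := make(map[Permission]bool, len(ps))
	for _, p := range ps {
		m[p] = true
	}
	return m
}

// NewAccessControl builds the role model and seeds one security officer,
// since someone must hold iam:roles:manage before any other role can be granted.
func NewAccessControl(securityOfficer string) *AccessControl {
	ac := &AccessControl{
		rolePerms: map[Role]map[Permission]bool{
			RoleClinician: permSet(PermReadChart, PermWriteChart),
			RoleBilling:   permSet(PermReadBilling),
			RoleAdmin:     permSet(PermManageRoles),
		},
		userRoles: map[string]map[Role]bool{securityOfficer: {RoleAdmin: true}},
	}
	ac.record("system", "bootstrap_admin", securityOfficer, false)
	return ac
}

// Allowed is the RBAC decision: permitted if any role the user holds grants perm.
func (ac *AccessControl) Allowed(user string, perm Permission) bool {
	for role := range ac.userRoles[user] {
		if ac.rolePerms[role][perm] {
			return true
		}
	}
	return false
}

// privileged reports whether a role carries any iam:* permission, i.e. whether
// granting it widens who can change access controls.
func (ac *AccessControl) privileged(role Role) bool {
	for p := range ac.rolePerms[role] {
		if strings.HasPrefix(string(p), "iam:") {
			return true
		}
	}
	return false
}

// AssignRole grants role to user on behalf of actor. A denied attempt is
// audited and alerted (a likely escalation attempt); a successful grant of a
// privileged role is alerted as well.
func (ac *AccessControl) AssignRole(actor, user string, role Role) error {
	detail := fmt.Sprintf("%s -> %s", user, role)
	if _, known := ac.rolePerms[role]; !known {
		return fmt.Errorf("unknown role %q", role)
	}
	if !ac.Allowed(actor, PermManageRoles) {
		ac.record(actor, "assign_role_denied", detail, true)
		return fmt.Errorf("%s is not permitted to manage roles", actor)
	}
	if ac.userRoles[user] == nil {
		ac.userRoles[user] = map[Role]bool{}
	}
	ac.userRoles[user][role] = true
	ac.record(actor, "assign_role", detail, ac.privileged(role))
	return nil
}

func (ac *AccessControl) record(actor, action, detail string, alert bool) {
	ac.Audit = append(ac.Audit, AuditEvent{time.Now(), actor, action, detail, alert})
}

// Alerts returns the audited events flagged for real-time notification.
func (ac *AccessControl) Alerts() []AuditEvent {
	var out []AuditEvent
	for _, e := range ac.Audit {
		if e.Alert {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	ac := NewAccessControl("sec-officer") // constructed sample users
	_ = ac.AssignRole("sec-officer", "dr-lee", RoleClinician)
	err := ac.AssignRole("dr-lee", "dr-lee", RoleAdmin) // self-escalation attempt
	fmt.Println("escalation blocked:", err != nil, "alerts:", len(ac.Alerts()))
}
```

In a real deployment the audit slice would be an append-only log shipped to a SIEM, and the alert flag would drive the notification the tip calls for; the point of the model is that the alert is raised by the access-control layer itself, not reconstructed later from file-server logs.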
10. Encrypt PHI Both at Rest and in Transit
Any data stored on portable drives, mobile phones and laptops will need to be encrypted in order to protect the data, should the device fall into the wrong hands. Likewise, PHI sent in emails will need to be encrypted.
11. Securely Dispose of Old Equipment
Any equipment that holds sensitive data will need to be securely destroyed before disposal, and the process will need to be documented.
12. Tighten up Perimeter Security
Ensure that firewalls are well configured. If you don’t have a firewall, you can use a Firewall-as-a-Service or go a step further and implement an Intrusion Detection and Prevention System (IDPS).