Using Cybersecurity to Protect PHI

Risk From Many Sources

HIPAA's technical safeguards protect PHI and are a major part of any HIPAA security program. Using cybersecurity to protect ePHI is a key feature of HIPAA: the technical safeguards are the protections that keep ePHI safe as the technology and the threat landscape change. One of the greatest challenges healthcare organizations face is protecting electronic protected health information (ePHI), including electronic health records, from a range of internal and external risks. To reduce those risks, covered entities must implement technical safeguards.

An organization faces multiple challenges as it attempts to protect ePHI, and they may originate inside or outside the organization. Every organization should perform a full risk analysis so that it can address this variety of threats. Below are several examples of cyberthreats in healthcare that you must be ready to address; they will help you as you develop your security program.

Cyberthreats From Outside Sources

In today's environment bad actors are constantly finding new targets, so we must be prepared for the security threats of tomorrow as well as those of today.

Cybersecurity is the art of protecting networks, devices and data from unauthorized access or criminal use, and the practice of ensuring the confidentiality, integrity and availability of information. The risks come in many forms: malware erasing your entire system, an attacker breaching your system and altering files, an attacker using your computer to attack others, or an attacker stealing your data, or encrypting it and demanding payment to release it. There is no guarantee that even the best precautions will prevent these, but there are steps you can take to minimize the chances.

Using cybersecurity to protect PHI is a key feature of HIPAA. Electronic protected health information (ePHI) is at increased risk from many sources:

  • Foreign hackers looking for data to sell, usually on the dark web
  • Ransomware attacks that lock up data until a ransom payment is received
  • Phishing schemes that lure the user into clicking a link or opening an attachment that deploys malicious software
  • Spear phishing, a targeted attack on a specific person that appears to come from a legitimate source and usually instructs a transfer of funds
  • The Internet of Things (IoT), whose interconnected devices give viruses and malware additional ways into our systems

What You Can Do

In order to safeguard ePHI against these threats:

  • First, know how to spot phishing emails.
  • Learn how to use strong passwords, two-factor authentication and encryption.
  • Finally, have policies, procedures and safeguards in place to protect ePHI, and know who to report an incident to in your organization.

Prepare for Cyberattacks

In the case of a cyberattack or similar emergency an entity must:

  • Execute its response and mitigation procedures and contingency plans.
  • Report the crime to other law enforcement agencies.
  • Report all cyber threat indicators to federal agencies and information-sharing and analysis organizations (ISAOs).
  • Finally, report the breach to the Office for Civil Rights (OCR) as soon as possible, but no later than 60 days after discovery of a breach affecting 500 or more individuals. Breaches affecting fewer than 500 individuals must still be reported to OCR, within 60 days of the end of the calendar year in which they were discovered.

OCR considers all mitigation efforts taken by the entity when it investigates a breach, including voluntary sharing of breach-related information with the appropriate agencies. Remember that in the event of a cyberattack it is critical to comply with the breach reporting requirements.

Texting Protected Health Information

When we talk about texting there are two different types to consider. Each works differently and serves very different needs. The first is what we usually do with our phone and carrier, also known as Short Message Service (SMS). This is the default app on our phones that many people use to send and receive texts every day. It is not secure: messages travel through the carrier's network in the clear, can be stored by the carrier and remain on the handset, and there is no authentication of the reader or audit trail. The second type is app based and is used by healthcare providers (mostly doctors and nurses) to communicate with one another about patient care. It can also be used by providers to communicate with patients, and it is secure.

To be HIPAA compliant, a secure texting solution needs to meet certain technical standards:

  • Encryption of message data in transit and at rest
  • Reporting/auditability of message content
  • Passcode enforcement
  • Authentication
  • Permissions management capabilities

If safeguards like these are in place, PHI can be sent with a minimum of risk. 
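As an added illustration of the first, second and fifth items in that list (encryption at rest, auditability and permissions), the following Go program is a small example written for this page, not code from any texting product. It sketches a message store that keeps message bodies encrypted with AES-GCM, lets only the sender or the recipient decrypt, and writes an audit record that identifies each message by a hash of its ciphertext instead of copying the content. Passcode enforcement and user authentication sit in front of such a store and are not shown; the user IDs, message IDs and the sample message are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// StoredMessage is what lands on disk: ciphertext and routing metadata only.
type StoredMessage struct {
	ID, From, To  string
	Nonce, Cipher []byte
}

// AuditEvent names a message by a hash of its ciphertext, so the audit trail never becomes a second copy of the PHI.
type AuditEvent struct {
	At                    time.Time
	Actor, Action         string // Action is "send", "read" or "read-denied"
	MessageID, CipherHash string
}

// Store is an in-memory stand-in for a secure texting app's message database.
type Store struct {
	aead  cipher.AEAD
	msgs  map[string]StoredMessage
	audit []AuditEvent
}

// NewStore wraps a 16-, 24- or 32-byte AES key in AES-GCM (authenticated encryption).
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, msgs: map[string]StoredMessage{}}, nil
}

// Send encrypts body before it is stored, so plaintext never reaches s.msgs. Sender and
// recipient are bound in as associated data: a ciphertext cannot be re-addressed and still decrypt.
func (s *Store) Send(from, to, body string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	id := fmt.Sprintf("msg-%d", len(s.msgs)+1) // messages are never deleted, so this stays unique
	ct := s.aead.Seal(nil, nonce, []byte(body), []byte(from+"->"+to))
	s.msgs[id] = StoredMessage{ID: id, From: from, To: to, Nonce: nonce, Cipher: ct}
	s.record(from, "send", id, ct)
	return id, nil
}

// Read enforces the permission model: only the sender or the recipient may decrypt, and
// every attempt, allowed or denied, goes into the audit trail.
func (s *Store) Read(reader, id string) (string, error) {
	m, ok := s.msgs[id]
	if !ok {
		return "", errors.New("no such message")
	}
	if reader != m.From && reader != m.To {
		s.record(reader, "read-denied", id, m.Cipher)
		return "", errors.New("permission denied")
	}
	pt, err := s.aead.Open(nil, m.Nonce, m.Cipher, []byte(m.From+"->"+m.To))
	if err != nil {
		return "", err // ciphertext tampered with, or wrong key
	}
	s.record(reader, "read", id, m.Cipher)
	return string(pt), nil
}

func (s *Store) record(actor, action, id string, ct []byte) {
	sum := sha256.Sum256(ct)
	s.audit = append(s.audit, AuditEvent{At: time.Now(), Actor: actor, Action: action,
		MessageID: id, CipherHash: hex.EncodeToString(sum[:])})
}

// Audit returns the trail in the order the events occurred.
func (s *Store) Audit() []AuditEvent { return s.audit }

func main() {
	key := make([]byte, 32) // demo only: a real service would load the key from a KMS or HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := NewStore(key)
	id, _ := s.Send("dr.lee", "patient-0042", "Your lab results are ready; please call the office.")
	body, _ := s.Read("patient-0042", id)
	_, denied := s.Read("someone.else", id)
	fmt.Println("recipient read:", body, "| outsider:", denied, "| audit events:", len(s.Audit()))
}
```

Two design points worth noting. The audit trail records the hash of the ciphertext rather than the message, which satisfies "auditability of message content" without creating an unencrypted copy that itself would need protecting. And because AES-GCM authenticates the ciphertext and the sender/recipient pair, a message that has been altered or moved between conversations in the database fails to decrypt instead of silently returning bad data. A production service would additionally rotate the key and cap the number of messages per key, since random 96-bit GCM nonces should not be reused under one key.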

Because SMS is an unencrypted channel one might presume an entity cannot send PHI over it. This is actually not true, because encryption is not mandated by the Security Rule; it is an addressable implementation specification. Healthcare organizations must determine whether encryption is a reasonable and appropriate safeguard for protecting PHI. If a covered entity decides that encryption is not reasonable and appropriate, it must document why and may use alternative safeguards that provide an equivalent level of protection.

Recent Clarification from OCR

At the HIMSS health IT conference in Las Vegas on March 6, Roger Severino, director of OCR, said that healthcare providers may share PHI with patients through standard (SMS) text messages.

Providers must do the following:

  • Warn their patients that texting is not secure
  • Gain the patients’ authorization
  • Document the patients’ consent

At present these are remarks, not policy. OCR has long promised guidance on this topic, and it is reasonable to assume a ruling is imminent.

Patient Orders

In December 2017, the Joint Commission issued a clarification explicitly stating that the use of secure texting for patient orders is prohibited. Providers should use Computerized Provider Order Entry (CPOE) as the preferred method of order entry. CMS insists that a physician or Licensed Independent Practitioner (LIP) enter orders into the medical record either by handwritten order or via CPOE. With CPOE, orders go directly into the provider's electronic health record (EHR), and this method is preferred because the order is dated, timed, authenticated and promptly placed in the medical record.

Finally, using cybersecurity to protect PHI remains the cornerstone of protecting ePHI, and every organization should address it in today's healthcare climate.