Beyond HIPAA: Other Cybersecurity considerations that health care providers/business associates/suppliers need to be cognizant of (HIPAA series #5)

Introduction

When we talk about healthcare and cybersecurity, many of us assume the conversation will be about just securing the protected health information of our patients, but is that all there is? Simply put, no. While healthcare is predominantly concerned with the care of the patient and the protection of their PHI, there is a larger conversation to be had as well.

While it is true that one of the primary concerns we should have is about the PHI of our patients, it is also important to protect other types of information, as well as the physical well-being of our organization and its suppliers, visitors, and business associates.

Some of these other concerns should be:

Personal credit information (PCI) – if your organization collects payment information from your clients, or records related to their finances, then this is another area of concern.
Physical security of our patients and workers – maintaining a separation between clients in order to protect their information and persons during conversations or interactions with your employees.
Ensuring your business associates and suppliers are as conscientious and invested in security as your organization is.

What are some of the areas we should consider?

One of the most important ways to protect not only our patients, but our business, is to secure the PCI that we are provided by them or those caring for their finances. PCI can be account information for financial institutions, insurance details, wills and living-wills related to health care that may contain financial information, relationships to non-profits that are assisting in the payment of debts, etc. Perhaps a family member is paying for the care of the person in question, or they are connected to a foundation, such as the Cystic Fibrosis Foundation. This information may not seem problematic if connected to a patient, but it can lead to fraud and theft of services if not protected.

Another part of cybersecurity is protecting the physical presence of your clients and their information. Perhaps your practice retains paper copies of patient data, or billing information. Where your patients rest while waiting for a doctor to see them is also of concern, though it might be hard to see why. First, their physical safety is important, of course, but above that is the fact that social engineers could take advantage of a packed waiting room to obtain information that could later be used to commit fraud or deny a patient access to their care by causing problems with using their insurance or other methods of payment.

Patients are not the only persons affected by these threats either. Your employees, suppliers, business associates, and anyone visiting your physical locations are all potential targets for threatening activity.

As sources of information important to your organization, all of the above should be part of any cybersecurity plans and implementations. Without that information, it is hard, if not impossible, to accomplish your work. Beyond that, an actualized threat can become an ongoing issue for your organization’s public image.

What can you do to mitigate threats in these areas of concern?

The work you do before, during, and after beginning your practice or opening an organization to business when it comes to cybersecurity is necessary to the continued success of that effort. Digital connections within and without your organization will determine your ability to conduct that business, protect it, and grow.

When dealing with any information, think of it in stages of maturity. You create the information (initial gathering), use it, expand on it (growth), store it, and at some point you will need to end (destroy) your connection to it. So, let’s take a look at what you might need to do in each stage:

Creation: ensure that your gathering practices are meeting minimum requirements for protection of the process, and those you obtain it from. Take the time to look at how you will gather it (via document filling, or direct interviews), and what information you actually need to accomplish your work.
Use: the information you have gathered will be used by workers to accomplish their duties. Make sure only those personnel that need a bit of information have access to it, and no others. Secure the work area from onlookers and unauthorized download/printing.
Expansion: the information you have may not be all the information you will need, so be sure that you (again) collect only that information that is necessary, and that you protect it moving forward.
Storage: you cannot possibly collect and use the same information every time you interact with your clients, so storage is going to be important. Store information in use locally, but only until it is no longer immediately needed. Then move it, as necessary, to ‘permanent storage’ until it is no longer required.
Destruction: at some point, the data you have collected will no longer be required. Protect yourself and your clients by implementing policies and procedures that address how long this data resides on active and inactive systems/storage. This may/is likely to be related to legal and statutory requirements, so be sure to employ legal advisors that know and understand the laws related to cybersecurity.

Applying a thoughtful and well-planned cybersecurity program to your organization’s needs will help to create a strong and resilient base upon which to build on in the future. Your clients, employees, and associates will have greater faith and confidence in your work and your desire to protect them.

Northstarr Recommendations

Information technology governance and cybersecurity can seem an insurmountable obstacle to many, but with the assistance of Northstarr’s expert IT and cybersecurity professionals, it can become a great deal easier for you to get back to meeting your clients’ needs and expectations. Close the gaps by requesting a free cybersecurity assessment from our team, or call (888) 767 2210 to set up an appointment.