Tips for Securing Healthcare Data

by Sarah Harvey / March 3rd, 2015

It’s one thing to suffer one data breach – there is room to recover. Will Anthem survive a second breach? Don’t let this happen to you. With the Anthem breach still at the forefront of everyone’s minds, along with the upcoming supervision from the OCR and the new phase of HIPAA audits, we have put together some tips to get you thinking about what you can do now to better secure your healthcare data.

  1. Control PHI Workflow – Do you know where your healthcare data is? Do you have proper permissions in place to control access to your data? Is it encrypted? Healthcare data should always be encrypted when being stored or transmitted to protect sensitive data from falling into the wrong hands or being compromised. Your organization needs to know where your data lives, where it travels, and how it travels – at all times.
  2. Strong Passwords – This seems like a no-brainer; however, it’s easy to get caught up in the convenience of a weak password, or of using the same password for multiple uses. The longer the password, the better. Strong passwords should be at least 8 characters long, with variations on capitalization, numbers, and punctuation. Two-factor authentication is an even stronger way to ensure that only the people who are allowed access have access.
  3. Vendor Management – HIPAA laws mandate that you do your due diligence to ensure that not only are you HIPAA compliant, but the vendors who have access to your PHI are compliant as well. A signed Business Associate Agreement on its own isn’t acceptable. You can no longer outsource this risk; you must manage it. This means vendor management must be a priority when considering the safety and security of the PHI for which you are responsible. Do you know who your vendors are? Do you have documentation showing you’ve reviewed that they are compliant with industry regulations? These are questions we must know the answers to.
  4. Policies and Procedures – Are you aware of the policies and procedures that are in place to protect healthcare information and comply with HIPAA laws? Employees should be required to demonstrate that they acknowledge, understand, and follow all policies and procedures. They are there to help you, and understanding why a certain policy or procedure is in place could make the difference in saving your organization from a data breach.
  5. Security Awareness Training – Setting the security tone from the top is the most important step, in any organization, to ensure that everyone is on the same page about being “aware” of PHI security. It’s important to educate all employees, in every facet of your organization, on HIPAA compliance and why it matters.
  6. Annual External and Internal Penetration Testing – Network and application security is critical to your organization. Performing annual penetration tests can be a strategic way to identify weaknesses and vulnerabilities in your organization’s security before someone else does.

Are you confident that you are doing everything you can to ensure the security of your PHI and your compliance with HIPAA laws? Email me at s.morris@ with any questions about strengthening the compliance controls at your organization, or if you’re in need of a third-party validation of your compliance.