The Department of Health and Human Services’ Office for Civil Rights (OCR) released its cybersecurity newsletter for August 2018, reminding HIPAA-covered entities to apply physical, administrative, and technical safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The same care must extend to ePHI that is processed, transmitted, and stored on digital media and devices.
The healthcare sector relies heavily on electronic devices such as desktop computers, laptops, servers, smartphones, and tablets, and on digital media including hard disk drives, zip drives, memory cards, tapes, and CDs or DVDs. These portable devices and media are, however, easily lost, misplaced, or stolen. If healthcare workers or threat actors gain physical access to a device or medium, they can view, alter, or delete the stored information and device configuration, or install malicious software such as ransomware or other malware. Physical controls are therefore essential to prevent incidents that compromise the confidentiality, integrity, or availability of ePHI.
Under HIPAA 45 CFR § 164.310(a)(1), covered entities and business associates must have policies and procedures that limit physical access to electronic devices and media and to the facilities in which they are housed. The HIPAA Security Rule at 45 CFR § 164.310(d)(1) requires policies and procedures governing the receipt and removal of these devices into and out of a facility, together with a tracking system that accounts for their movement. These policies and procedures are intended to keep ePHI protected at all times.
When establishing policies and procedures for handling portable digital devices and media, OCR suggests that HIPAA covered entities and business associates consider the following questions:
- Are the location, movements, modifications, repairs, and disposition of devices and media tracked across their entire life cycle?
- Is the individual accountable for each device and medium recorded, including whenever the item changes hands?
- Have staff and management been trained to handle devices and media so that ePHI remains protected at all times?
- Are appropriate technical controls in place, such as encryption, audit controls, and access controls, to protect the confidentiality, integrity, and availability of ePHI?
Tracking digital devices and media can be accomplished in several ways. Smaller healthcare organizations with only a handful of devices may track them manually, but this becomes difficult as the number of devices grows; a dedicated inventory management application or database is then far more practical. OCR suggests using a bar-code system or RFID tags to simplify the organization, identification, and tracking of devices and digital media.
Before selecting device and media controls, healthcare organizations and business associates should consider:
- the results of a risk analysis and of ongoing risk management processes
- the size, nature, and functionality of the hardware, software, and technical infrastructure in use
- the cost of implementing the safeguards
- the likelihood and criticality of potential risks to ePHI
The end of a device’s or medium’s useful life should also be addressed in policies and procedures. All ePHI stored on the device must be permanently erased so that the data cannot be reconstructed or retrieved. OCR covered the secure disposal of ePHI in its July 2018 cybersecurity newsletter.
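One way to put the tracking and disposal controls described above into practice, as an added illustration that is not part of OCR’s newsletter or any HHS tool: a small Python inventory that records each device’s chain of custody (receipt, movement, repair, audit, sanitization, disposal), refuses to mark a device disposed unless a sanitization record exists, and reports the gaps the OCR questions ask about (unencrypted portable devices, missing custodians, devices not seen within an audit window). The asset tags, custodians, locations, dates, and the 90-day audit window are constructed assumptions, not values from the newsletter.

```python
"""Device/media inventory with chain-of-custody events and compliance checks.
Added illustration; asset tags, names and dates are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Device kinds treated as portable and therefore expected to be encrypted (assumption).
PORTABLE = {"laptop", "smartphone", "tablet", "usb_drive", "external_hdd", "tape"}
SAMPLE_TODAY = date(2018, 8, 31)  # constructed "today" for the report


@dataclass
class Event:
    when: date
    kind: str          # received, moved, repaired, audited, sanitized, disposed
    custodian: str     # person accountable for the item after this event
    location: str
    note: str = ""


@dataclass
class Asset:
    tag: str           # bar-code / RFID identifier
    kind: str
    encrypted: bool
    events: list = field(default_factory=list)

    @property
    def latest(self):
        return self.events[-1] if self.events else None

    @property
    def status(self):
        return self.latest.kind if self.latest else "unregistered"


class Inventory:
    def __init__(self):
        self.assets = {}

    def register(self, tag, kind, encrypted, custodian, location, when):
        asset = Asset(tag, kind, encrypted)
        asset.events.append(Event(when, "received", custodian, location))
        self.assets[tag] = asset
        return asset

    def record(self, tag, kind, custodian, location, when, note=""):
        asset = self.assets[tag]
        if asset.status == "disposed":
            raise ValueError(f"{tag}: no events allowed after disposal")
        # Disposal is only valid once the ePHI has been irreversibly removed.
        if kind == "disposed" and not any(e.kind == "sanitized" for e in asset.events):
            raise ValueError(f"{tag}: disposal without a sanitization record")
        asset.events.append(Event(when, kind, custodian, location, note))

    def findings(self, today, audit_window_days=90):
        """Return (tag, issue) pairs for every active asset that fails a check."""
        out = []
        for a in self.assets.values():
            if a.status == "disposed":
                continue
            if a.kind in PORTABLE and not a.encrypted:
                out.append((a.tag, "portable device holds ePHI without encryption"))
            if not a.latest.custodian:
                out.append((a.tag, "no accountable custodian"))
            last_seen = max(e.when for e in a.events)
            if today - last_seen > timedelta(days=audit_window_days):
                out.append((a.tag, f"not seen in {audit_window_days} days"))
        return out


def build_sample():
    """Constructed sample inventory (not data from the newsletter)."""
    inv = Inventory()
    inv.register("LT-0001", "laptop", True, "nurse.a", "ward 3", date(2018, 7, 2))
    inv.record("LT-0001", "audited", "nurse.a", "ward 3", date(2018, 8, 15))
    inv.register("USB-0007", "usb_drive", False, "front.desk", "clinic A", date(2018, 3, 1))
    inv.register("TAPE-0003", "tape", True, "it.ops", "server room", date(2018, 1, 9))
    inv.record("TAPE-0003", "sanitized", "it.ops", "server room", date(2018, 8, 10),
               "degaussed, verified by supervisor")
    inv.record("TAPE-0003", "disposed", "it.ops", "vendor pickup", date(2018, 8, 11))
    inv.register("LT-0002", "laptop", True, "it.helpdesk", "repair bench", date(2018, 8, 20))
    return inv


def disposal_is_blocked_without_sanitization(inv, tag, when=SAMPLE_TODAY):
    """True if the inventory rejects disposing `tag` with no sanitization record."""
    try:
        inv.record(tag, "disposed", "it.helpdesk", "dumpster", when)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = build_sample()
    print("disposal blocked:", disposal_is_blocked_without_sanitization(sample, "LT-0002"))
    for tag, issue in sample.findings(SAMPLE_TODAY):
        print(f"{tag}: {issue}")
```

The report deliberately skips disposed items, since the sanitization-then-disposal sequence is enforced when the events are recorded rather than checked afterwards; a real deployment would add the bar-code or RFID scan as the source of "audited" and "moved" events and persist the event log so it can be produced during an OCR investigation.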
Organizations that fail to track digital devices and media and to ensure ePHI is adequately protected at all times risk HIPAA penalties for non-compliance. The most recent example is the University of Texas MD Anderson Cancer Center’s failure to encrypt ePHI on portable digital devices. That data breach resulted in a civil monetary penalty of $4,348,000.