These days, hospital leaders need to be worried about more than just their facilities’ cybersecurity. They also need to think about how securely their business associates (BAs) – particularly electronic health records (EHR) vendors – are storing patients’ personal data.
Healthcare execs must know exactly how well their EHR vendors and BAs are guarding patients’ protected health information (PHI).
Reason: The feds have warned that hospitals’ BAs will be scrutinized for compliance with HIPAA’s privacy and security rules just as closely as providers and facilities are.
But not all BAs understand HIPAA compliance and PHI security. And their errors could backfire on hospitals.
Thankfully, one group is helping leaders with new guidance about how to secure their EHRs – and how they can evaluate BAs’ security.
Keeping EHR, mobile data safe
The National Cybersecurity Center of Excellence (NCCoE), an organization associated with the National Institute of Standards and Technology, recently released guidance about how to protect PHI in a variety of settings, such as when EHRs are accessed through mobile platforms.
As the report notes, many physicians now conduct some of their business on private mobile devices, which could bypass system security measures set up on a hospital’s computers and devices.
Additionally, more facilities are investing in mobile solutions, such as cloud EHR storage, without properly assessing the associated security risks.
The NCCoE’s guidance helps leaders prepare for security challenges in these situations. It offers methods for securing EHR infrastructure, and it also gives examples of cybersecurity issues and outlines the practical steps facilities can take to reduce risks or respond in the event of a breach.
For example, the report offers a method for responding if a doctor’s mobile device with PHI stored on it gets stolen or lost. In this case, the report recommends configuring devices so sensitive information can be remotely deleted.
The guide also has a strategy to limit data access if a hacker manages to infiltrate your system.
Watch for vendors’ shortcomings
Another valuable part of the NCCoE guidance is a questionnaire leaders can use to help evaluate vendors’ security capabilities – particularly cloud EHR vendors.
These kinds of tools are especially important now as several vendors have dropped the security ball this year, leading to high-profile and high-cost data breaches.
Example: Medical Informatics Engineering (MIE), an EHR vendor, recently notified people that it experienced a breach back in May, which compromised the PHI of its clients’ patients. MIE discovered hackers had accessed its main network and servers, containing information like patients’ names, addresses, medical conditions and Social Security numbers.
Now, as Health IT Security reports, the vendor is facing the first of what could be many class-action lawsuits about the breach. Specifically, one of the affected patients is claiming that MIE should pay damages because it didn’t do enough to secure PHI and prevent the breach, and failed to notify affected patients in a timely manner.
It’s not uncommon for hospitals to get dragged into these kinds of disputes, so cases like this show why its important for facilities to choose their BAs and EHR vendors carefully.
Hospitals could get blowback and extra scrutiny from the feds due to BAs’ HIPAA violations. With that in mind, it’s important to ensure data security and HIPAA compliance before signing any contracts or agreements.
