Better coordinated care and patient satisfaction often depend on health data being accessible to all care team members. This includes specialists and affiliated clinicians. But as health care providers expand their sharing capabilities, they often face increasing threats to data security.
A recent study found that around 30 percent of the medical databases it evaluated were easily exposed to attackers. And while health care is trying to expand data sharing between health professionals, cyber-threats like ransomware are on the rise.
As technological capabilities expand, medical organizations need to keep investing in data protection. Otherwise, they risk losing credibility and patients. Not surprisingly, once a health system loses trust, revenue soon follows.
All this to say, securing patient data needs to be a top priority for health systems. But with growing patient needs and government regulations, many systems find it difficult to stay on top of tech security. Because of this, providers need to vet their vendors to make sure patient data is appropriately safeguarded.
Security is Getting More Difficult
The protection of patient information is becoming more challenging. There are several reasons for this.
In the past, medical records stayed in a file cabinet at the office under lock and key. Now, clinicians may carry patient or client data on portable devices such as laptops or cell phones.
These devices make protected health information (PHI) more accessible to health care teams, but they also mean the information is no longer under lock and key. A laptop or phone left in an unattended car or backpack can be stolen without anyone ever touching a firewall. Whether that theft becomes a reportable breach depends largely on whether the device was encrypted and locked, which is one reason full-disk encryption matters as much as network defenses.
Even displays of newborn photos in obstetrician offices are now considered a potential breach of patient privacy. Needless to say, keeping up with HIPAA regulations that safeguard PHI is becoming more challenging for providers.
To complicate matters, attackers are constantly finding new ways into the systems that hold PHI, which remains a lucrative target. Consequently, encryption, firewall rules, and patch levels must be reviewed and updated regularly. If they're neglected, it's only a matter of time before security is breached.
Why is Data Security So Important?
Data security matters because it directly affects patients and clinicians.
In order to make sure patients aren’t confused with other patients, care teams need to store private identifying information. This information includes social security numbers, home addresses, phone numbers, and even family connections. This means that any breach of PHI can lead to sensitive records being placed in the wrong hands.
For patients, stolen identities can lead to identity theft, insurance fraud, and financial loss, and care billed under a stolen identity can corrupt the patient's own medical record. This is why secure patient data matters so much. Patients need confidence that their personal information will stay in the right hands and not lead to personal loss.
Medical practices, whether small or large, are liable for security breaches under HIPAA. Providers can be fined around $700 per stolen medical record, which threatens both profit and financial stability.
In order to improve their revenue and their metrics for health care delivery, providers need to ensure that patient data is secure 24/7. But with data spread out within medical organizations and with other vendors, securing PHI is becoming more and more challenging. That’s why providers need to make sure any outsourced agencies take a proactive approach when it comes to PHI.
Five Essential Questions to Ask Vendors
To safeguard your program from data breaches, it’s important to ask the right questions of vendors before entering a contract:
1. Do You Have a Business Associate Agreement?
HIPAA requires a covered entity to have a signed Business Associate Agreement (BAA) in place before it shares PHI with a vendor. The BAA obligates the vendor to apply the same safeguards the provider must, and it gives the provider contractual recourse that can protect its reputation and financial resources should the vendor infringe on patient rights.
Sharing PHI without a BAA is itself a HIPAA violation, and a breach at an uncontracted vendor could expose the provider to millions in fines. These agreements are necessary protection for any organization under HIPAA that contracts with health tech vendors.
2. How Do You Regulate Security?
All vendors should have security controls in place that govern how they handle patient data. Employees of digital health contractors need to be vetted through pre-employment background screenings.
In addition, employees and subcontractors should be monitored to ensure they adhere to security policies, and they should receive regular training to stay current on the latest threats to PHI.
Per the HIPAA Security Rule, organizations must document these procedures and conduct risk analyses that identify where PHI is exposed and which controls reduce that exposure. Information should only be accessible to those who need it to perform their responsibilities (HIPAA's minimum necessary standard). That means access must be restricted by role and by need, even for the vendor's own employees, and denied by default to everyone else.
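As an added illustration (not Welkin's code or any vendor's), here is what a default-deny, minimum-necessary access check on a PHI record can look like in Go. The roles, fields, and record below are constructed for the example. The point is that a missing role or an unlisted field yields a denial rather than an accidental grant, and that every decision is written to an audit trail so improper access attempts can be reviewed later.

```go
package main

import (
	"errors"
	"fmt"
)

// AuditEvent records one access decision, allowed or denied, so that
// improper access attempts by employees or vendor staff can be reviewed.
type AuditEvent struct {
	Actor    string
	Role     string
	RecordID string
	Field    string
	Allowed  bool
}

// ErrDenied is returned for every request that is not explicitly permitted.
var ErrDenied = errors.New("access denied")

// entitlements lists, per role, the only record fields that role may read.
// Roles and fields are constructed for this example. Nothing absent from this
// map is ever granted: the map is the sole source of "allow".
var entitlements = map[string]map[string]bool{
	"clinician":      {"name": true, "dob": true, "diagnosis": true, "medications": true},
	"scheduler":      {"name": true, "phone": true, "appointments": true},
	"vendor-support": {"record_id": true}, // a handle for troubleshooting, never the PHI itself
}

// accessField returns record[field] only if role is explicitly entitled to
// that field. An unknown role or an unlisted field falls through to false,
// which is the default-deny behaviour the minimum necessary standard asks for.
func accessField(actor, role, recordID, field string, record map[string]string, audit *[]AuditEvent) (string, error) {
	allowed := entitlements[role][field] // indexing a nil map yields false in Go
	*audit = append(*audit, AuditEvent{Actor: actor, Role: role, RecordID: recordID, Field: field, Allowed: allowed})
	if !allowed {
		return "", ErrDenied
	}
	value, ok := record[field]
	if !ok {
		return "", fmt.Errorf("field %q not present on record %s", field, recordID)
	}
	return value, nil
}

// deniedAttempts counts denials per actor, the simplest signal for the
// "improper file access" monitoring a vendor should be doing.
func deniedAttempts(audit []AuditEvent) map[string]int {
	counts := map[string]int{}
	for _, e := range audit {
		if !e.Allowed {
			counts[e.Actor]++
		}
	}
	return counts
}

func main() {
	// Constructed sample record; not real patient data.
	record := map[string]string{
		"record_id": "rec-42", "name": "Jane Doe", "dob": "1970-01-01",
		"phone": "555-0100", "diagnosis": "hypertension", "ssn": "000-00-0000",
	}
	var audit []AuditEvent
	requests := []struct{ actor, role, field string }{
		{"dr.lee", "clinician", "diagnosis"},  // allowed
		{"sam", "scheduler", "diagnosis"},     // denied: not in scheduler's entitlements
		{"vendor1", "vendor-support", "ssn"},  // denied: vendors never see SSN
		{"eve", "contractor", "name"},         // denied: unknown role
	}
	for _, r := range requests {
		v, err := accessField(r.actor, r.role, "rec-42", r.field, record, &audit)
		fmt.Printf("%-8s %-15s %-12s -> value=%q err=%v\n", r.actor, r.role, r.field, v, err)
	}
	fmt.Println("denied attempts per actor:", deniedAttempts(audit))
}
```

The audit slice is the part most worth copying: a vendor that cannot show you a log of denied attempts, not just successful reads, has no way to detect the improper access the previous paragraph describes.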
3. How Do You Ensure HIPAA Compliance?
HIPAA is king when it comes to patient privacy and secure data. Any digital health vendor should regularly submit to independent audits that assess their compliance with these regulations. These audits should cover data handling, policies, and systems, and vendors should be willing to share the results with the organizations they are under contract with.
Medical organizations need to be able to trust that vendors will protect the sensitive information patients entrust to providers, because that trust is what health care quality metrics ultimately rest on. HIPAA compliance is a floor rather than a guarantee of security, but a vendor that cannot demonstrate even that floor gives you a solid reason to consider other options.
4. How Do You Encrypt Sensitive Data?
HIPAA's Security Rule treats encryption as an addressable specification: a covered entity must implement it or document why an equivalent control is in place. The HITECH Act's breach notification rule makes it effectively mandatory in practice, because PHI that was encrypted in line with HHS guidance before a breach is considered "secured," so its loss does not trigger the notifications and penalties normally associated with a security failure.
Data should be encrypted both at rest and in transit so that an attacker who obtains a disk, a backup, or a network capture cannot read the records. Information shared over the internet should be protected by TLS (for web and API traffic) or SSH/SFTP (for file transfers), using current protocol versions. Ask the vendor which algorithms and key lengths they use, where the keys are stored, and who can access them; encryption is only as strong as its key management.
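As an added example (not Welkin's code or anything from the page's author), the following Go program shows what "encrypted at rest" can mean at the record level: each PHI record is sealed with AES-256-GCM, an authenticated cipher, and the record identifier is bound as associated data so a ciphertext cannot be silently swapped onto another patient's record. The key is a constructed placeholder; in production it would come from a key management service with its own access controls and audit log, which is exactly what the question to the vendor should probe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
// Use 32 bytes for AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one PHI record. recordID is passed as associated data:
// it is authenticated but not encrypted, so decrypting under a different
// recordID fails. Output layout is nonce || ciphertext || tag.
//
// Caveat: GCM nonces are 96 bits and chosen at random here, so one key should
// not protect more than roughly 2^32 records before rotation; per-record data
// keys wrapped by a master key (envelope encryption) avoid that ceiling.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the nonce travels with the data.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. Any modification to the nonce, ciphertext,
// tag or recordID makes Open return an error instead of garbage plaintext.
func openRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Placeholder key for the example only. A real deployment fetches this
	// from a KMS/HSM; never hard-code or commit a production key.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}

	// Constructed sample record; not real patient data.
	record := []byte(`{"name":"Jane Doe","dob":"1970-01-01","diagnosis":"hypertension"}`)

	sealed, err := sealRecord(key, "rec-42", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(sealed))

	if pt, err := openRecord(key, "rec-42", sealed); err == nil {
		fmt.Println("decrypted:", string(pt))
	}

	// A ciphertext moved to another record is rejected.
	_, err = openRecord(key, "rec-43", sealed)
	fmt.Println("open under wrong record id:", err)

	// A single flipped bit in storage is detected rather than decrypted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = openRecord(key, "rec-42", tampered)
	fmt.Println("open of tampered record:", err)
}
```

The two failure cases at the end are the reason to insist on an authenticated mode: with an unauthenticated cipher a bit flip or a swapped ciphertext would decrypt to altered data and nobody would notice.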
5. What Are Your Policies and Procedures in Case of a Data Breach?
No one wants to face the worst-case scenario. However, a trustworthy digital health company will have documented plans in case of a data breach.
While vendor policies may vary, program directors need to know that they can reach the right person in a timely manner, and how quickly the vendor commits to notifying them after discovering a breach. HIPAA requires a business associate to notify the covered entity without unreasonable delay, and in no case later than 60 days after discovery; a good vendor commits to far less in the contract. Medical organizations need to know that vendors have taken a rational, well-planned approach to a data breach. They don't want to be reacting to a high-stress situation on the fly or on the defensive.
Vendor Example: How Welkin Protects Patient Information
Proactive Approach to Data Risks
The Welkin team believes protecting security and privacy isn’t just a business or regulation requirement—it’s a duty. To improve quality of care for patients, providers need to know that they can trust Welkin’s digital privacy protection.
Welkin's tools are designed with multiple layers of encryption and protection. Data at rest is protected on Amazon Web Services (AWS) infrastructure, which sets a high standard for security, availability, and control. Employee workstations have an additional layer of protection with OS X's FileVault 2 full-disk encryption.
Procedures and Reviews That Really Work
Welkin’s team is never complacent when it comes to privacy risks.
We conduct regular scans of code and dependencies. In addition, employee workstations are monitored for unusual behavior, such as improper file access or changes to production access controls. Access to our systems is denied by default and granted only to authorized users, as an added protection.
Our platform undergoes an annual audit to ensure our security isn’t becoming outdated or compromised. Welkin is proactive when it comes to new risks against secure patient data. That’s why we hold monthly security reviews and brainstorming sessions with all technical teams.
In addition, any new hires must undergo pre-employment screenings. Post-hire, employees participate in security awareness training and are evaluated bi-annually based on adherence to security policies and values.
Well-defined Protocols for Incident Management
Welkin is never one to stand still when it comes to secure data. Welkin has documented incident response procedures to help deliver decisive, effective responses that minimize damage to patient records.
Our protocols include a retrospective analysis of any data breach so that the root cause is fixed and related threats are prevented in the future. In addition, our engineering team is on call 24/7 for quick investigation and resolution.
When it comes to security threats, we’re here for you day or night.
To learn more about how we protect patient data, download our whitepaper.