Securing Your PHI

A few months ago when I wrote about data security and needing a giant slice of PHI (haha – “pie” get it?), I had no idea that right around the corner America’s privacy would also be such a hot topic. We serve many clients in the healthcare industry and I understand the importance – and our responsibility – of keeping data private.

On a personal note, I’m sure there is huge concern now that it is legal for Internet Service Providers to sell anyone’s entire web browsing history without your permission. Uh oh.

That being said, protecting our customers’ piece of PHI (Personal Health Information) is even more on our minds than ever before. In case you missed my previous blog, PHI generally refers to: demographic information, medical history, test results, insurance information and other data that is collected to identify you and determine the best care.

The transition to digitized health data is relatively recent, and breaches of this information can wreak havoc in the wrong hands, with serious economic and other consequences for patients and providers alike. Unfortunately, the healthcare industry is not quite as resilient at stopping cybercriminals as the financial and retail sectors, which have already gone through their fair share of hacks. Cybercriminals recognize that PHI can be a money-making machine in a less secure environment.

That is why protecting our/your PHI is so important. But don’t stress. There are many resources that you can use. This one, Top Ten Tips for Cybersecurity in Health Care, by the Dept. of Health and Human Services (HHS), can apply to an organization of any size.

Some of the more obvious tips include: use a firewall, install and maintain anti-virus software, maintain good computer habits, control physical access to devices and information, and use strong passwords and change them regularly.

But out of the 10 tips, these five may be a little less obvious or harder to achieve:

1) Establish a security culture: Educate your employees and foster security-minded behaviors so they become automatic. My entire staff undergoes special training (related to all of our security certifications) to ensure they follow very specific protocols when handling sensitive communications.

2) Protect mobile devices: If the devices cannot support encryption, don’t use them! Set up strong access controls.

3) Plan for the unexpected: Create regular and reliable data backups.

4) Control access to health information: Configure electronic records to only grant access to people with a need to know. I can also gladly say there are specific processes in place at my plant, along with safeguards – like limited user access to certain areas, shredding overages, etc. This allows us to adhere to HIPAA compliance requirements, and avoid an audit by the HHS Office for Civil Rights (OCR), which enforces those HIPAA regulations.

5) Limit network access: Prohibit installation of software without prior approval. Prohibit casual network access by visitors.

We have a ton of protocols within the plant to prevent an “uh oh” type of mistake. Our staff is trained and prepared to handle the most sensitive of data. And all of our custom technology is built upon a set of reusable core modules that meet RR Donnelley’s stringent level 4 security requirements.

Your PHI is safe with us.