As the healthcare industry continues to digitize, concerns about data security and HIPAA compliance are growing with it. Patients and providers now interact by text, online chat, and video visit more than ever, and every new channel is one more place where personal health data can be exposed in a breach.
In fact, cyberattackers are increasingly interested in healthcare organizations: they run phishing campaigns to get at health records (which can reportedly fetch around $1,000 apiece on the black market), deploy ransomware for high-dollar payouts, and steal pharmaceutical and biotech intellectual property.
At the same time, your patients entrust you with some of their most personal information (Social Security numbers, confidential health records). They also value convenience and want to keep communicating with you digitally, so the goal is a solution that is both secure and convenient.
To help you increase data security, remain HIPAA compliant, and deliver a stellar patient experience in the process, we put together the following cybersecurity guide. It covers what to look out for, how to protect your practice, and more.
Understanding cybersecurity threats against the healthcare industry
The first step to protecting your data is understanding what a cyber attack actually looks like. In most cases it starts with a phishing email carrying a dubious link or an attachment that delivers malware, ransomware, or a similar threat. Clicking the link or opening the attachment can hand an attacker a foothold in your organization, and from there, your data.
How to spot a phishing email
According to HIPAA Journal, phishing emails are involved in 91% of cyberattacks. Most of these are preventable, provided your staff can spot a phishing email and refuse to take the bait. Fortunately, phishing emails share common characteristics, and once you know what to look for they are relatively easy to identify and avoid. For example:
- Familiar sender: The display name is disguised as a company or individual you know and trust.
- Strange "from" address: Look past the display name at the actual email address. Its domain (the part after the @) is usually not the company's real domain; it may be a look-alike, a free webmail provider, or something unrelated. For example, if someone were pretending to contact you from Klara, the sender address might be "email@example.com" instead of "firstname.lastname@example.org."
- Generic greeting: The email is usually not personalized to you. Instead, it starts with “Hi” or “Hey there” or “Dear Customer.”
- Panic and/or urgency: The subject line and body press you to act right away, with references to bogus account problems, billing questions, suspended access, and the like.
- Typos: There are usually spelling and grammatical errors throughout the email.
- Suspicious links: Dangerous links usually hide behind innocuous-looking text, often the real company's own URL. Before clicking, hover over the link (or long-press it on a phone) to see where it actually points.
*Pro Tip: Cyber attackers are becoming more sophisticated, so their phishing attempts may be harder to spot than this list suggests. If you are ever suspicious of an email from a trusted company or person, call them directly to confirm it is legitimate, using a phone number you already have rather than one printed in the email. If it is not legitimate, report it to the FTC.
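The checks above can be applied mechanically to a message before anyone has to make a judgment call. The following is an added example, not part of the original guide and not Klara's code: it scores a raw email against the red flags listed above (brand name in the display name with an unrelated From domain, a generic greeting, urgency wording, and anchor text that shows one URL while the link points at another). The clinic name, the domains, and both sample messages are constructed for the example.

```python
"""Heuristic phishing triage over a raw email message.

Constructed example: scores a message against the red flags in the
guide. The brand/domain table and the two sample emails are made up.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: brand words a phisher might borrow, mapped to
# the organisation's real registrable domain.
BRANDS = {"northside clinic": "northsideclinic.org"}

URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "urgent",
                   "verify your account", "unusual activity", "act now")
GENERIC_GREETING = re.compile(
    r"^(hi|hello|hey there|dear\s+(customer|user|member|valued\s+\w+))\s*[,!]?$",
    re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs, i.e. what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels). A real tool would use the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def score_message(raw, brands=BRANDS):
    """Return (score, findings); the score is simply the number of red flags."""
    trusted = set(brands.values())
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Familiar-looking sender whose address is not on the real domain.
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domain in brands.items():
        if brand in display.lower() and registrable(from_domain) != domain:
            findings.append(f"display name claims {brand!r} but From domain is {from_domain!r}")

    # 2. Body text: generic greeting on the first line, urgency wording anywhere.
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part is not None else ""
    text = re.sub(r"<[^>]+>", "\n", html)          # strip tags, keep line breaks
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and GENERIC_GREETING.match(lines[0]):
        findings.append(f"generic greeting: {lines[0]!r}")
    scan = (str(msg.get("Subject", "")) + "\n" + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in scan]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. Links: URL shown in the anchor text vs. real target, and look-alikes.
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, anchor in extractor.links:
        target = host_of(href)
        if re.match(r"^(https?://|www\.)", anchor, re.I):
            shown = host_of(anchor)
            if registrable(shown) != registrable(target):
                findings.append(f"link text shows {shown} but points to {target}")
        if registrable(target) not in trusted and any(
                b.split()[0] in target for b in brands):
            findings.append(f"look-alike link domain: {target}")
    return len(findings), findings


# Constructed samples: a phish impersonating the clinic, and a real reminder.
SAMPLE = """\
From: "Northside Clinic Billing" <billing@northsideclinic-secure.com>
To: frontdesk@northsideclinic.org
Subject: URGENT: patient statement on hold
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Unusual activity was detected on your account. Verify your account
within 24 hours or access will be suspended.</p>
<p><a href="http://northsideclinic-secure.com/login">https://northsideclinic.org/login</a></p>
"""
BENIGN = """\
From: "Northside Clinic" <frontdesk@northsideclinic.org>
To: jane@patient.example
Subject: Appointment reminder
Content-Type: text/html; charset="utf-8"

<p>Hi Jane,</p>
<p>This is a reminder of your visit on Tuesday at 9:00.</p>
<p><a href="https://northsideclinic.org/confirm">https://northsideclinic.org/confirm</a></p>
"""
```

Run `score_message(SAMPLE)` and every flag in the list above fires (five findings); `score_message(BENIGN)` returns none. A score like this is a triage aid for a mail gateway or a help-desk queue, not a verdict: a well-crafted phish can pass every one of these checks, which is why the advice to confirm out of band still stands.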
Your responsibility as a HIPAA-compliant healthcare provider
The last thing you want to deal with is a security breach that exposes your patients' protected health information. In addition to reporting phishing emails (and not taking their bait), you need protocols in place to stay HIPAA compliant.
The HIPAA Security Rule "requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (ePHI)." In practice, that means ensuring the confidentiality, integrity, and availability of ePHI: it must not be disclosed to or accessible by unauthorized persons, and it must not be improperly altered or destroyed. For a full breakdown of your obligations under the Privacy Rule and the Security Rule, see the HHS Office for Civil Rights summaries of each rule.
How to Prevent Data Security Breaches at Your Practice
There are a number of ways to maximize your practice’s cyber security. Here are four of them:
- Train Staff: As mentioned above, phishing-related attacks are largely preventable, but only if you and your staff are trained. The characteristics outlined above are a good place to start; also consider hiring a security firm to run more in-depth training (including simulated phishing) on how your team can stay vigilant online and on mobile devices.
- Control Access: Identity and Access Management (IAM) is a big buzzword in the security space. It refers to an organization's process for controlling who has access to which systems, applications, and networks. For you, this means rules about who can access the EHR and what is required to log in: a unique account for every user (no shared logins), multi-factor authentication, access limited to what each role actually needs, and prompt removal of access when someone leaves.
- Run Risk Assessments: If you've ever wondered where you are most vulnerable, a risk assessment will tell you. You can have a security firm or consultant run one, or do it yourself with the Cyber Resilience Review from CISA (part of the Department of Homeland Security). Keep in mind that the HIPAA Security Rule itself requires covered entities to conduct a risk analysis, so this is not optional.
- Invest in a Security Team: Because of the rising cyberattacks in healthcare, you may want to consider investing in a security team. You could hire someone to manage security in-house, or outsource to a security firm or security consultant. They can help you identify vulnerabilities and ensure you have the proper internal protocols in place.
Secure Patient Communication
A large part of your security protocol should cover patient communication. Patients increasingly prefer digital interactions with their providers: texts over phone calls or online portals, and video visits whenever possible. With a solution like Klara, you get the best of both worlds: secure messaging that is also convenient for your patients.
We take security seriously at Klara and strive to ensure your patient interactions are safe, HIPAA-compliant, and a delightful patient experience. That means no app downloads or cumbersome patient portals. Instead, patients have a seamless and secure text conversation with you and your staff. For example:
- One-time passwords. When a patient tries texting you, Klara verifies their identity by sending a one-time password and asking the patient to provide their date of birth matching the practice’s medical records.
- Password-free logins. With Klara, all patient-provider communications can be kept in a single conversation thread that, to the patient, looks like a text chain. You can send appointment reminders, video visit links, requests for insurance and other consent forms, and more. To access this ePHI, patients simply tap a link in the text message and verify their identity by providing their date of birth.
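The two mechanisms above combine something the patient receives (a one-time code on their phone) with something they know (their date of birth). What makes such a flow safe is less the factors themselves than the controls around them. The following is an added example of that pattern, written for this guide; it is not Klara's implementation, and the in-memory store, the SMS callback, the five-minute expiry, the five-attempt limit, and the single patient record are all constructed assumptions.

```python
"""One-time code plus a knowledge factor (date of birth), with the
controls that make such a flow safe: only a salted hash of the code
is stored, the code expires, guesses are limited, comparisons are
constant-time, and a code can be used once. Constructed example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed: a code is good for five minutes
MAX_ATTEMPTS = 5        # assumed: after that the challenge is discarded


@dataclass
class Challenge:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _hash(code, salt):
    return hashlib.sha256(salt + code.encode()).digest()


class Verifier:
    def __init__(self, records, send_sms, clock=time.time):
        self.records = records    # phone -> ISO date of birth from the practice's own chart
        self.send_sms = send_sms  # callable(phone, message): the out-of-band channel
        self.clock = clock        # injectable so expiry can be exercised in tests
        self.pending = {}         # phone -> Challenge (a database in production)

    def start(self, phone):
        """Issue a fresh six-digit code; the plaintext is sent, never stored."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self.pending[phone] = Challenge(_hash(code, salt), salt,
                                        self.clock() + OTP_TTL_SECONDS)
        self.send_sms(phone, f"Your verification code is {code}")

    def verify(self, phone, code, dob):
        """Return (ok, reason). Both factors must match; on failure the
        reason deliberately does not say which factor was wrong."""
        ch = self.pending.get(phone)
        if ch is None or ch.used:
            return False, "no active challenge"
        if self.clock() > ch.expires_at:
            del self.pending[phone]
            return False, "code expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.pending[phone]
            return False, "too many attempts"
        # Both comparisons run regardless of the other's result, in constant time.
        code_ok = hmac.compare_digest(_hash(code.strip(), ch.salt), ch.code_hash)
        expected = self.records.get(phone)          # unknown phone can never match
        dob_ok = expected is not None and hmac.compare_digest(
            expected.encode(), dob.strip().encode())
        if not (code_ok and dob_ok):
            return False, "verification failed"
        ch.used = True                              # no replay of a spent code
        return True, "verified"


if __name__ == "__main__":
    outbox = []
    v = Verifier({"+15550100": "1980-04-12"}, lambda p, m: outbox.append(m))
    v.start("+15550100")
    code = outbox[-1].split()[-1]
    print(v.verify("+15550100", code, "1980-04-12"))   # (True, 'verified')
    print(v.verify("+15550100", code, "1980-04-12"))   # (False, 'no active challenge')
```

Two things the example deliberately does not do, because they belong to the surrounding system: it does not rate-limit calls to `start`, which an attacker could otherwise use to reset the attempt counter, and it keeps the audit trail (who verified, when, from which number) out of scope. Both are required in practice.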
At the end of the day, being proactive about cybersecurity is the best way to prevent data breaches and other cyber attacks. To get started, write a security plan and give your staff proper (and ongoing) training. Just don't lose sight of the patient experience in the process.