Due to the increasingly digital nature of medical filing systems, there has been more and more emphasis on tight cybersecurity to protect files, but what are some of the best practices for physically protecting medical information in the digital age?
Physically Protecting Medical Information
With so much focus on architecting a secure IT environment that protects against outside attackers, organizations frequently overlook basic practices to ensure the physical security of medical data. For example, it is not unusual to still see a central multi-function printer (MFP) or fax machine for office-wide use. Due to the often-voluminous nature of medical records, these central MFPs frequently get left unattended for extended durations of time as they process hundreds of pages of medical documents. This problem can be compounded in busy office environments where multiple people need to make copies at the same time. This leaves a lot of opportunity for a bad actor, a careless employee (or even an employee not associated with a given patient’s care), or a random office visitor to accidentally view, or even take, information off the copy machine that they shouldn’t.
Another common example of a poor physical security practice is the lack of physical controls to restrict access to files, or the use of a common login and password for network users. Even worse, offices that use a common login for most employees often have the username and password written down on paper or a sticky note on or near the computer. This practice is exceptionally risky and should never be done, as it provides a far too simple means to access and steal information. Even if the login and password are not written down near the computer, common usernames and passwords are generally easy to remember, and someone trying to steal information only needs to guess what it is to gain unfettered access to the network. Worse still, common profiles leave no way to identify who was the source of a breach, nor whether it was a bad actor or someone outside of the organization.
Best Practices in a Nutshell: Meet HIPAA, Then Go Beyond It
Most organizations have an idea of how to maintain HIPAA compliance and likely meet the minimum standards to maintain it, but that doesn’t mean that they should stop there. Even if medical and personally identifiable information (PII) is adequately protected from cyberattack, is everything being done to physically protect that information? The absolute best practice for any organization handling medical and/or PII is to not only meet HIPAA, but to then go beyond it. A good starting point is to run an independent security audit to determine any gaps in security.
Best Practice #1: Run a Security Audit
In the modern digital age, data security is commonly thought of as an IT problem. While technology is a common attack vector for those trying to steal information, it is just as important to make sure proper physical controls are put in place to protect that information. Therefore, it is a vital component of any organization’s overall security and compliance procedures to leverage an independent security audit to check the strength of both their physical and IT security policies.
These audits can help organizations uncover previously undetected or unrecognized security issues. Some of the more common examples of areas where physical security is often found lacking are controls to restrict unauthorized access to patient files and to prevent medical record mishandling.
Best Practice #2: Restrict Unauthorized Access to Patient Files
Regardless of whether patient files are digitally stored or kept filed away in filing cabinets, restricting unauthorized access to patient files is a must for organizations to stay in compliance with HIPAA. It is all too common for employees to look up patient information for the sake of office gossip, as a favor to a friend or relative, or just out of curiosity; all of these are HIPAA violations. For files that are physical, whether they be printed documents or files in the process of being digitized, physical controls should be put in place to prevent or disincentivize unauthorized access to files. This could include keeping files under lock and key or requiring unique, user-specific logins and passwords or biometrics to access the files. This helps prevent access by unauthorized employees and even thieves, while allowing for an access log to keep record of which employees retrieve files, helping to maintain accountability. Any physical files should be shredded by a secure document shredding provider once they are no longer needed and/or have been digitized.
In situations where medical records and files are stored digitally, it is vital to create unique, password-protected user accounts for all employees. As mentioned, it is not uncommon to see organizations leverage common organization- or user group-wide logins and passwords even today. Worse still, these logins are often written down on a sticky note on or near computer terminals for new employees or so that users who infrequently use the computer can easily log in. This should never, ever be done, as anyone who reads the login information could now have unrestricted access to the organization’s network.
Best Practice #3: Leverage Modern Technology to Enhance Physical Security
In a similar vein as restricting unauthorized access to files, files being left unattended on a printer or fax machine, or even left behind in an examination room, is an all too common occurrence that can leave organizations open to a HIPAA violation.
These kinds of situations are typically brought on by the fast-paced nature of the medical field, the need to quickly and securely transfer information, and gaps in employee training. Many of these pain points can be addressed by leveraging modern secure file sharing technologies like XM SendSecure. XM SendSecure creates secure file sharing SafeBoxes that include two-factor authentication (2FA) and leverage multi-function printer (MFP) connectors. These connectors enable documents to be securely shared to an XM SendSecure SafeBox directly from an MFP. SafeBox features help ensure that digital files are not accessed by unauthorized parties, as well as prevent printed documents from sitting idle and unattended on a central MFP. This not only helps prevent unauthorized parties from viewing documents; it also reduces the spend on secure shredding services as fewer documents will need to be shredded.
XM SendSecure also provides a highly detailed audit trail that captures every user interaction with a given SafeBox, capturing their login credentials, IP address, and details of every action taken. The audit trail even features a byte-perfect download tracker, which can be used to ensure recipients downloaded a totally complete file. Not only can this audit trail be used to establish accountability for medical files, but it can help eliminate culpability in the event of a patient’s files being publicly exposed.
If you are unsure whether your organization is doing all it can to protect patient medical information or would like to learn more about how our suite of communications solutions can help your organization achieve and maintain HIPAA Compliance, take a look at our HIPAA Information Hub or reach out to one of our industry experts.