By Stephen Cavey, co-founder, Ground Labs.
Since the invention of the stethoscope, technology and innovation have been transforming how the healthcare industry delivers improved standards of care for individuals in every field of medicine. A more recent example of this is the widespread adoption of telehealth capabilities to bring care directly to patients no matter where they are.
This adoption trend accelerated in response to COVID-19, when the use of telehealth technology skyrocketed, with 48% of physicians meeting patients online in April. Since then, telehealth appointments have begun to level off and decline, but, as over the past year, telehealth and the delivery of care through screens and mobile devices will likely continue to play a key role in healthcare for the foreseeable future.
However, the increased use of telehealth creates additional risks stemming from increased data generation and data sharing, such as video recordings, email exchanges between physicians and patients, and broader sharing of protected health information (PHI) between patients, providers and third-party organizations. This level of sharing increases the likelihood that data ends up stored in an unsecured location. For healthcare providers and all other organizations that handle PHI, the challenge now is to get a better grasp on compliance, protect patient data and mitigate the risk of malicious actors or reputation-damaging fines. Here’s how to do it:
Understanding the Rising Risk to Patient Data
The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 and has since served to give patients power over their health records and hold healthcare organizations and their partners accountable for safeguarding the PHI data of patients.
HIPAA generally applies to PHI in all forms, but the Security Rule applies specifically to electronic PHI (ePHI). As telehealth becomes a new normal and the administrative workforce continues to work remotely, ePHI will proliferate, making compliance an even more extensive task. While telehealth offers many tangible benefits to patients and providers, it is also a double-edged sword that requires heightened attention not just now but at all times. Here are a few things to keep in mind:
- The Prevalence of Remote Work
Not only are charts and health history reports being shared virtually among medical practitioners, but so are patient schedules, billing and insurance claims as backend professionals work from home. As organizations continue to work remotely, it is critical to understand the new level of risk associated with it. If 2020 was about adjusting to new business practices, 2021 will require organizations to find as much data management continuity as possible.
- Providers Are Accessing PHI Outside of Medical Facilities
In addition to backend administration workers being remote, providers, nurses and other medical staff are also accessing records in new and diverse locations. Gone are the days of picking through a full filing cabinet to find handwritten patient information. Providers, nurses and even medical scribes now have the ability to access ePHI at their fingertips and on multiple devices. As healthcare continues to move to virtual delivery through telehealth and apps, how and where that information is being accessed will be a major challenge to HIPAA compliance.
- New Forms of Communication
Video consultations and in-app doctor visits mean that healthcare entities are increasing the surface area in which patient data resides. While the Department of Health and Human Services has waived penalties for the use of video communications services that do not comply with HIPAA to provide telehealth services, the risk to ePHI remains real.
Ways to Audit and Mitigate Risk
Healthcare has always been a primary target for cyber criminals. However, the increase in vulnerabilities derived from telehealth services has led hackers to seek new and creative ways of exploiting hospitals and patients amid coronavirus. To protect your healthcare system and, more importantly, patient trust, consider the following tips.
- Educate Employees
As the value of data continues to increase, organizations need to trust that employees are making smart decisions with sensitive data. These data decisions can have a direct impact on business success, so it is critical that security officers invest time in interactive training that shows employees the direct role they play in mitigating risk. It is important to regularly update training protocols and keep employees informed on the latest company data management protocols.
- Audit Company Data
In order to safeguard patient data, you must understand where it lies, how it is transported and who handles it. Conducting a data discovery sweep of the entire network, from folders and communication channels to internal databases and cloud servers, is important for understanding the likelihood of a data breach and the severity of its impact.
- Use a Security Risk Assessment Tool
Finding, managing and mitigating risk is a large responsibility for a single CCO or compliance committee to complete on their own, especially as data continues to disperse across networks. The HIPAA Security Rule calls for all covered entities and third parties to perform a risk assessment of their organization. Having the tools necessary to conduct an in-depth and accurate audit will set organizations up for an accurate formal risk assessment.
As the healthcare industry continues to grapple with the challenges of COVID-19, it is critical to deliver care to patients beyond the four walls of the hospital. However, data privacy and security must remain top of mind, and while certain HIPAA compliance rules have been waived or relaxed in response to the pandemic, malicious actors are working around the clock to infiltrate networks. Taking the steps to ensure HIPAA compliance will help organizations be better prepared as their networks continue to expand in the face of remote work.