Most of the security breaches that make headlines happen in big provider or payer organizations, but that doesn’t mean physician practices aren’t vulnerable to attack.
In fact, most practices don’t properly safeguard protected health information (PHI) and their electronic medical records are easy pickings for cyber thieves, according to Medical Economics.
“Lots of hackers target smaller businesses because they won’t have the necessary expertise on staff to fully secure their system,” Gerard Nussbaum, a Chicago-based healthcare consultant and attorney, told the publication.
Here are three steps practices can take to help protect patients’ PHI, as required by HIPAA:
- Conduct a security risk assessment. This is required not only by HIPAA but also by the Meaningful Use EHR incentive program and the Merit-based Incentive Payment System (MIPS).
- Don’t store PHI on user devices. That means not only laptops and mobile devices but also desktop computers. Where PHI must reside on a device, encryption at rest is crucial, so that a lost or stolen machine does not expose the records on it.
- Authenticate users to prevent unauthorized access to your systems. Teach employees password best practices and change any password that may have been exposed (current NIST guidance, SP 800-63B, no longer recommends routine periodic rotation). Two-factor authentication, which requires a second factor such as a fingerprint or a one-time code in addition to the password, takes security to the next level.
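To make the "some other factor" concrete, here is an added example (not code from the article or from Medical Economics) of how a time-based one-time code, the kind an authenticator app shows, is generated and checked on the server side. It implements RFC 4226 HOTP and RFC 6238 TOTP with only the Python 3 standard library, and uses the public RFC 6238 reference secret as its sample key; the one-step acceptance window and the six-digit default are assumptions chosen to match common authenticator apps.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public test secret from RFC 6238 Appendix B (ASCII "12345678901234567890" in base32).
# It is a reference vector, not a real key; real secrets are generated per user at enrolment.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # time-step length used by most authenticator apps (assumption)
DEFAULT_DIGITS = 6  # code length shown by most authenticator apps (assumption)


def hotp(secret: bytes, counter: int, digits: int = DEFAULT_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = DEFAULT_DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole time steps since the Unix epoch."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1,
                digits: int = DEFAULT_DIGITS, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the code for the current step and +/- `window` adjacent
    steps to absorb clock drift between phone and server. Comparison is constant-time so
    the response timing does not leak how many leading digits matched."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    secret = base64.b32decode(secret_b32.upper())
    counter = at // step
    accepted = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        # Do not short-circuit: check every candidate so timing is independent of which matched.
        accepted |= hmac.compare_digest(expected, submitted)
    return accepted


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC6238_SECRET_B32, now))
    print("verifies:", verify_totp(RFC6238_SECRET_B32, totp(RFC6238_SECRET_B32, now), now))
```

The values asserted below are the SHA-1 rows of the RFC 6238 Appendix B test table, so a practitioner can confirm the implementation against the standard before trusting it. A production deployment would also record the last counter accepted for each user so that a code cannot be replayed within its window.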
Practices may soon find help from a new resource. The Department of Health and Human Services is planning to roll out the Health Cybersecurity and Communications Integration Center (HCCIC), modeled on the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, in June. The center will help educate health organizations about the risks of using mobile applications and data.