By Stephanie J. Rodin, Esq.
From a legal perspective, cybersecurity means that all confidential information, including patient health information (PHI), in a healthcare provider’s database or server is protected, confidential, and completely compliant with the Health Insurance Portability and Accountability Act (HIPAA).
In order to do so, healthcare providers should:
- Conduct a risk assessment of their data;
- Develop and institute data security policies; and
- Test the effectiveness of those policies to make sure that they are running correctly.
In the first part of the risk assessment, the healthcare provider should identify sensitive data, including names, Social Security numbers, facial photographs, email addresses, health information, and anything that’s considered confidential and protected pursuant to the law. All PHI should also be encrypted, as mandated by HIPAA.
The next step is to assess the risk of exposure. For example, what’s the risk of data being exposed through a security breach or because someone inappropriately obtains access to private and protected information? Is there a technical risk? Is there a risk for human error? Is there a physical security risk, such as the place where the sensitive data resides in the office or storage unit? Or perhaps there is a virtual security risk from the network access controls or password protocols being utilized by the practice?
Read more ›