HIPAA Rules stipulate that organizations must put safeguards in place to ensure that the integrity and security of protected health information (PHI) is maintained. According to the HIPAA Security Rule, administrative, physical, and technical safeguards must be implemented to achieve maximum protection of patient information. Individual organizations are able to assess their own situations and determine which safeguards are best for their circumstances and their patients’ welfare.
A key aspect of ensuring that the integrity of PHI is maintained is ensuring that adequately secure passwords are used. This administrative safeguard is a basic, yet fundamental, measure for ensuring that only authorized individuals may access patient information. The HIPAA Security Rule, under the section relating to Security Awareness and Training, stipulates that Covered Entities (CEs) must implement “procedures for creating, changing and safeguarding passwords”.
There are several commonly known procedures for creating a “strong” password, which may be a long combination of upper-case and lower-case letters, numbers, and special characters. Many experts recommend password management tools as a good way of complying with HIPAA password policies. These tools are effective against those who want to obtain the passwords for malicious purposes because, although the tools themselves can be hacked, the software saves passwords in encrypted form. This renders the stored passwords unusable by hackers and ensures that patient data is kept secure.
In spite of the common advice that passwords should be changed on a regular basis, many cybersecurity experts argue that this is a futile act, as competent hackers should be able to obtain user-generated passwords quickly. Therefore, it does not matter how often they are changed.
In addition to the use of password management tools, many experts recommend two-factor authentication as an excellent HIPAA-compliant safeguard. This works by requiring a user to input a PIN code, which is sent to their phone or email account, when they attempt to log in to the system using their username and password. As a unique PIN code is issued with each login attempt, a compromised password alone will not give a hacker access to the secure database.
Two-factor authentication fulfils HIPAA password requirements as it can act as an alternate, but equivalent, security measure to creating, changing, and safeguarding passwords. This works due to the “addressable” requirements stipulated by HIPAA. Addressable requirements mean that Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.” As HIPAA password requirements function to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”, two-factor authentication may be used by healthcare professionals instead to protect their patients’ PHI.
Physical safeguards are often overlooked by healthcare professionals, but they are very important, and arguably the easiest way to ensure that the integrity of PHI is maintained. The US Department of Health and Human Services Office for Civil Rights (OCR) recently emphasized the importance of physical safeguards in its May 2018 Cybersecurity newsletter.
The physical HIPAA data security requirements may refer to the physical locations in which computer hardware is maintained and to ensuring that these are secure locations for the storage of PHI. Complying with these guidelines may be achieved very easily; something as simple as ensuring that laptops containing sensitive information are kept in a locked drawer when not in use is an effective measure against data theft.
It is vital that employees are made aware of the safeguards in place and trained in maintaining the integrity of PHI. Many facilities are already using safeguards such as two-factor authentication, but it is expected that as the use of mobile devices becomes more common in healthcare environments, PHI may be increasingly at risk. Ensuring that adequate physical, administrative, and technical measures are in place is vital to HIPAA compliance.