2021 HME Business Handbook: Software/IT
Evaluating Protocols For Secure, Anywhere Access
There are a lot of trends driving remote patient and staff connectivity, but it is essential that provider maintain data security. Here are measures your HME business can implement.
- By Jerry Dennany
- Jun 01, 2021
The age of remote work
is upon us. While most
HME staff have returned to work
in person, many are maintaining
some level of flexibility for remote
access. With this, it’s time to
re-evaluate policies put in place
during the pandemic and establish
a sustainable, long-term plan
that adjusts and reinforces your
security protocols for every work
environment.
Recent headlines of ransomware
attacks are stark reminders
of how important it is to secure
a business’s data. With the
U.S. Department of Health
and Human Services (HHS)
reporting more than 600 significant breaches in 2020, up from
roughly 500 in the previous
year, data breaches of healthcare
organizations are becoming more
prevalent year after year. And
while over two-thirds of last year’s
breaches were considered “hacking
incidents,” a significant number
of unauthorized disclosures were
reported along with a handful
of lost or stolen unencrypted
computing devices.
In today’s digital world,
patients have high expectations
that their personal information
is safe and protected. A business
that fails to secure its data would
not only be reportable to CMS and
at risk for penalties; it also risks
losing the trust of its patients and
partners.
If the most important part of healthcare
is providing care, a close second is
caring for patient data, including their
protected health information, personally
identifiable information, and credit
card or payment card industry data. Here
are measures to ensure your business
is protected from cybersecurity attacks
whether working in person, at home or
somewhere in between:
TRAINING AND PRACTICE
Provide adequate training for employees
on common tricks from threat actors,
such as socially engineered and phishing
attacks. Reinforce that knowledge by
practicing key events and running through
scenarios with your leadership and security
teams. You need to understand your
team’s weaknesses and vulnerabilities so
you know where you can improve.
TALK TO THE EXPERTS
Once you know where you need to
improve, consult with professionals who
can teach those specialized skills with
activities like penetration testing, which
is required if you collect credit card
information through your website, and
information lifecycle management, which
ensures various types of data, including
patient, financial, and marketing data, are
properly protected.
PHYSICAL AND DIGITAL SECURITY
Ensure secure visibility across all
digital infrastructures, from servers
and employee computers to firewalls
and virtual private networks, or VPNs.
Computers and other access points to
data should automatically lock after 10 to
20 minutes of inactivity. Information retention
policies should be updated to include
the discussion and disposal of confidential
information at shared locations and
around others. Physical buildings should
also be secured with card key access and
robotic systems, like cameras and HVAC
computerized control systems, should be
monitored by your security team.
SECURE YOUR PARTNERS
It’s not enough to ensure your data system
is protected. Your system is just as vulnerable
to an attack if your outside partners
do not also have adequate security
protocols in place. Communicate with your
partners to make sure they have a robust
security program and monitor all “backdoor”
access they have into your system.
KNOW THE LAWS
Stay up to date on relevant federal and
state laws regarding the storage of
employee and customer information,
especially for health data protected
under the Health Insurance Portability
and Accountability Act of 1996, which
has more stringent standards. States like
California have specific regulations, like
the California Consumer Privacy Act, that
are important to be aware of as well.
As you connect more with patients and
other providers, you must proactively
monitor and protect your employee and
patient data. While the pivot to hybrid
work environments highlights new needs
in data access, it is just as important to
hammer down the basics of the physical
and digital security of your business and
that of your partners.
POINTS TO REMEMBER
- Having a robust security program
means both physical and digital
protection — make sure there is no
“backdoor” access to your building
or your data.
- Learning and practicing is the key
to knowing your organization’s
security inside and out — know
where you need help and call on
experts for guidance.
- “Sharing is caring” is a great policy
for a strong partnership — communicate
with your partners and make
sure both your data systems are
secure.
LEARN MORE
To read more articles about IT for
HME businesses, visit hme-business.com/software, and to learn more
about secure business management
solutions, visit www.brightree.com.
This article originally appeared in the May/Jun 2021 issue of HME Business.
About the Author
Jerry Dennany is Chief Technology Officer at Brightree, where he leads the research and development and IT functions across the company’s portfolio of cloud-based post-acute care solutions. He has more than 20 years of technology leadership experience. Reach him via email at [email protected].