
By Jerry Dennany, Chief Technology Officer at Brightree

As an HME or pharmacy home infusion provider, your patients place their trust in you to get them the care they need to live a healthier life. At the same time, they entrust you with some of their most valuable property: their private financial and health data. Electronic health records (EHR) are commonplace, automated billing systems make managing finances a breeze, and practically endless messaging options have providers communicating with patients through apps, email, texting, and more. This trend toward swift electronic documentation and easy information access raises a significant question: how do you continue to protect your patients’ privacy? If information security isn’t a top concern and priority for your technology team – it should be.

Data breaches of electronic patient-provider information are becoming more prevalent every year, with the U.S. Department of Health and Human Services (HHS) reporting well over 600 significant breaches in 2020, up from 500 or so in the previous year. While over two-thirds of last year’s breaches were reported as “hacking incidents,” a significant number of unauthorized disclosures were reported along with a handful of lost or stolen unencrypted computing devices.

If the most important aspect of working in the HME or pharmacy home infusion industry is providing care, a close second is caring for patients’ protected health information (PHI), personally identifiable information (PII), and credit card or payment card industry (PCI) data. While a deep dive into each of these types of data is beyond the scope of this article, there are some common questions you should ask yourself to help hold the wall against bad cybersecurity actors.

Who should manage patient information for my company?

HIPAA Security Rules require your healthcare organization to name a HIPAA security officer. Many smaller and mid-sized organizations assign this role as an additional responsibility for an existing executive. While this is perfectly allowable, it is difficult to successfully manage an in-depth security program under these circumstances. It is in your best interest to name a separate Chief Information Security Officer (CISO), as well as a HIPAA Security Officer. At a minimum, organizations should ensure adequate time and resources are allocated to the named security officer as well as the overall information security program. Substantial annual training should be available to your security officer to stay on top of rapidly shifting cybersecurity threats.

How do I protect electronic health records from being hacked?

A key step in creating a robust information security program that is appropriate for your team is to perform an information security risk assessment that will help you prioritize where your organizational energy should be spent. No two healthcare companies are exactly alike, and certain cybersecurity threats will be unique to your organization. It’s recommended that you consult with an information security professional regarding your unique risks, but here’s a framework to get you started considering what threats you may be facing.

  1. Identify your information assets
  2. Enumerate potential threats
  3. Identify potential vulnerabilities

How will my team safeguard private medical and financial data?

One of the most important things you can do to preserve patients’ protected information is create a culture of security within your company. Phishing is a common vector of attack across all modern organizations, and training for all employees and contractors on how and where these attacks can occur is an essential part of any security program. Additional testing of this training via simulated attacks will ensure the training materials are translated to practice. Additionally, employees must feel empowered to question emails and other communications that seem suspect. For example, encourage employees to call any person in the company, including the CEO, to confirm the authenticity of a message that looks suspicious, and prepare executives to answer questions confirming their email communications.

How can I prepare for cyber attacks?

The practice of “War Gaming” potential attacks has been a staple of military campaigns for thousands of years. This practice can be equally valuable as a tabletop exercise in which a facilitator creates a healthcare cybersecurity threat scenario and key employees walk through their reactions and responses to the simulated threat. For example, the facilitator could create a fictional scenario in which several employee laptops have been compromised by ransomware. How does your team respond? Talking through these scenarios can help your team better understand where improved policies, procedures, and tools may be needed.

What patient data should be encrypted?

The short answer: all of it. Lost or stolen laptops, mobile devices, and portable storage devices are particularly worrisome for HME and pharmacy organizations that keep confidential data on these endpoints. All modern operating systems for laptops, desktops, and mobile devices offer disk encryption options, though sometimes they must be specifically enabled. Do not skip this step – ensure every storage device in your company has encryption enabled. Additionally, ban vulnerable USB thumb drives and other removable disk drives in your environment, whether encrypted or not.

As healthcare records become more universally digitized, healthcare information is a valued target to threat actors worldwide. Protecting patient health information is an ever-vigilant task, and your response must adapt as these threats change. Building an excellent information security program starts with empowering your teams to operate in a security-first environment without impacting patient care.

Jerry Dennany is the Chief Technology Officer at Brightree, where he leads the research and development and IT functions across the company’s portfolio of cloud-based post-acute care solutions. Jerry brings more than 20 years of healthcare IT software engineering experience, driving innovation by designing and implementing highly scalable, performance-driven solutions across the continuum of healthcare. Prior to joining Brightree, his roles included serving as the Senior Vice President of Technology at Medicity, Chief Technology Officer at RazorInsights, Vice President of Platform Technology at Allscripts, and key architectural and engineering positions at Eclipsys, Roche Diagnostics, and McKesson.
