HIPAA Data Handling Solution
Not having the appropriate means to protect PHI not only puts patients at risk, but will cost a healthcare entity anywhere from thousands to millions of dollars in HIPAA violation fines. This lack of security can also lead to a tarnished reputation as a secure and trusted source for medical care.
Hospitals and other medical care centers must maintain PHI access logs, prevent unauthorized access to PHI, provide appropriate HIPAA and security awareness training, and implement procedures to ensure the confidentiality, availability and integrity of PHI. This important data can include names, addresses, medical conditions, primary physicians, insurance providers, and social security numbers.
There are many steps to take to protect people’s PHI. Following these tips can reduce the risk of a costly and dangerous data breach.
- Delete or destroy any PHI information after it is no longer needed.
- Have a secure backup solution for PHI in the case that medical data needs long-term storage or if computer systems with the original data experience a virus.
- Do not use personal devices to transport patient information and do not allow any PHI to leave the building unless administrators are sure that it is completely secured.
- Educate healthcare staff on proper security procedures and device handling.
- Only use hardware encrypted storage devices when transferring and storing PHI to protect it from unauthorized parties.
Personally Identifiable Information (PII) Data Handling Solution
Organizations of all sizes gather and transport Personally Identifiable Information (PII), inside database files, documents, marketing material, computer code and customer lists which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, institution or a company.
What is PHII Personally Identifiable Information?
PII requires special handling because of the increased risk of harm to an individual, institution or a company if it is compromised. It is your responsibility to protect information that has been entrusted to you and your organization. An important part of this duty is to ensure that you properly collect, access, use, share, and dispose and secure PII in the office, while traveling or teleworking and on a portable electronic devices such as a tablets, smartphones, laptops, external hard drives or USB flash drives.
Defining a security policy which identifies the types of PII your organization collects, uses and shares will help minimize the chances of a costly data leak. PII can be information as routine as Name, Email, Address and Phone Number while some categories of PII are sensitive stand-alone data elements such as SSN, driver’s license or state identification number, passport number, or financial account number. Other data elements such as criminal record, medical information, ethnic, religious, sexual orientation, or lifestyle information, and account passwords, in conjunction with the identity of an individual (directly or indirectly inferred), are also Sensitive PII.
Implementing a robust security policy which minimizes or eliminates the proliferation of PII helps to keep your organization more secure and reduces the risk of a costly and embarrassing privacy incidents. Take the necessary steps to protect PII:
- Avoid creating unnecessary or duplicative collections of PII, such as duplicate, ancillary, “shadow,” or “under the radar” files.
- When printing, copying, or extracting PII from a larger dataset, limit the new data set to include only the specific data elements required.
- Delete or destroy any duplicate copies of PII as soon as they are no longer needed.
- Do not pack laptops or electronic storage devices in checked baggage or leave them in a vehicle for an extended period of time.
- Do not return failed data storage devices to vendors for warranty repair or replacement if the device was ever used to store PII. See the IT department for device sanitation.
- Educate the workforce to obtain authorization from their supervisors before removing any data (in either paper or electronic format) containing PII from the workplace unless correctly secured.
- Physically secure Sensitive PII when in transit. Do not mail or courier PII on CDs, DVDs, hard drives, USB flash drives, floppy disks, or other Removable media unless the data are encrypted.
CMMC Level 3 Data Handling Solution
Getting a CMMC Level 3 certification requires an audit to ensure your written policies and system architecture meet NIST and DFARS standards and are compliant with current government information security standards. Compliance fits within 17 domains.
Access Control (AC)
- Establish system access requirements
- Control internal and remote system access
- Limit data access to authorized users and processes
Access Management (AM)
- Identify and document assets
Media Protection (MP)
- Identify and mark media
- Protect and control media
- Sanitize media
- Protect media during transport
Physical Protection (PE)
- Limit physical access
- Manage back-ups
System and Information Integrity (SI)
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
- Implement advanced email protections
How Encrypted Drives Protect Sensitive Data
By replacing your unsecured external storage media with a SecureDrive product, you eliminate the risk of hackers, viruses, and unauthorized access and will instantly comply with HIPAA standards. The storage solutions are easy to implement into existing healthcare operations and any level of employee can learn to use it, though access settings remain in the hands of the administrators.
Even if the data needs to travel to another hospital or care provider, an institution will remain HIPAA Compliant when using the SecureDrives that boast Military-grade AES256-bit XTS encryption. The SecureDrive products are FIPS 140-2 Level 3 Validated and have features that follow the above steps for protecting PHI.
Their authentication through complex PIN or biometric indicators prevents unauthorized parties from accessing sensitive data, keeping medical professionals in control. The device’s OS Independent Design allows them to be plugged into any system for convenient use and easy implementation into existing healthcare operations.
Each device also has Pre-loaded Antivirus to protect files during transfer and prevents malware or other viruses from infecting a computer system and exposing PHI to hackers. Finally, the Brute Force Anti-Hacking and Remote Wipe abilities clear the device of information in the case it is lost or stolen.