From the August 2015 issue of HealthCare Business News magazine
A Belt and Suspenders Approach to Securing PHI
When handling PHI, we suggest a belt and suspenders approach to reducing risk: no single control should be the only thing standing between PHI and an unauthorized reader. First and foremost, you need to be able to collaborate on content that contains PHI, but you need to do so securely. Following are six steps that help an organization maintain a proactive, layered and preventive approach to risk.
1. Scanning –
Automated, continuous scans of content against policy checkpoints derived from corporate policies and regulatory requirements let an organization measure how much sensitive information is present, where it lives, and where compliance issues exist. Scans should cover both data at rest and data in motion, so problems are caught in real time rather than at the next audit.
2. Reporting –
With standard and customized reports, compliance and privacy officers gain real-time insight into the state of the operating environment, can identify teams or departments where issues recur, and can measure progress against compliance objectives over time. Reporting also raises red flags early, giving developers and QA teams the information they need to target and fix issues quickly.
3. Classifying –
Identify sensitive content, at rest or in motion, and classify it dynamically with a label that states its level of risk. The label should travel with the content as metadata so that the downstream controls (access restrictions, encryption and tracking) can key on it.
4. Restricting –
Established business rules should determine a document's classification and who (an individual and/or a group) may access it, even when a wider audience can reach its storage location. File-level permissions let administrators handle many users without relying on folder or share permissions alone, and they are easier to manage when they are driven by the metadata values applied at classification time.
5. Encrypting –
In addition to controlling access based on classification, further protect highly sensitive content such as PHI by encrypting it, so that only approved audiences inside or outside the organization can read it even if the file itself leaks. Note that the HIPAA Security Rule does not flatly mandate encryption: the U.S. Department of Health and Human Services (HHS) lists encryption of ePHI at rest and in transit as "addressable" implementation specifications (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)), which means a covered entity must either implement it or document why it is not reasonable and appropriate and what equivalent measure is in place. In practice encryption is the expected control, and under the HIPAA Breach Notification Rule, PHI that is encrypted in accordance with HHS guidance is not "unsecured PHI", so its loss does not by itself trigger breach notification.
6. Tracking –
The entire life cycle of every document should be tracked, so a compliance or regulatory officer can see whether and when a document was read, emailed or printed, and by whom. A complete, tamper-evident record of every stop on the document's journey is critical in the event of a breach or regulatory audit.
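The six steps above form one pipeline: scan content for PHI indicators, derive a classification label, enforce access and encryption rules keyed on that label, and record every access decision in an audit trail. The following Python sketch, added here as an illustration and not Cryptzone's or HiSoftware's own code, wires those steps together on a constructed clinical note. The detector patterns, the "MRN" plus eight digits record-number format, the classification rule (identifier plus clinical element equals PHI) and the POLICY table are all assumptions for the example; a real deployment would take them from the organization's policy. Encryption is represented as a per-label requirement the policy emits, not performed here.

```python
import hashlib
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# --- 1. Scanning: detectors for common PHI indicators in free text.
# Patterns are illustrative; "MRN########" is a hypothetical local
# medical-record-number scheme assumed for this example.
DETECTORS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{8}\b"),
    "dob": re.compile(r"\bDOB[: ]+\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "icd10": re.compile(r"\bICD-10[: ]+[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),
}

def plausible_ssn(m):
    """Drop obvious false positives: SSA never issues area 000, 666 or
    900-999, group 00, or serial 0000."""
    area, group, serial = (int(g) for g in m.groups())
    return not (area in (0, 666) or area >= 900 or group == 0 or serial == 0)

def scan(text):
    """Return (kind, start, end) findings sorted by position. The matched
    value itself is deliberately not returned, so scan output is safe to log."""
    findings = []
    for kind, rx in DETECTORS.items():
        for m in rx.finditer(text):
            if kind == "ssn" and not plausible_ssn(m):
                continue
            findings.append((kind, m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])

# --- 2/3. Classifying: an identifier co-occurring with a clinical element is
# individually identifiable health information, i.e. PHI (assumed rule).
def classify(findings):
    kinds = {k for k, _, _ in findings}
    identifier = kinds & {"ssn", "mrn"}
    clinical = kinds & {"dob", "icd10"}
    if identifier and clinical:
        return "RESTRICTED-PHI"
    if identifier or clinical:
        return "CONFIDENTIAL"
    return "INTERNAL"

# --- 4/5. Restricting and encrypting: business rules keyed on the label,
# which travels with the document as metadata (hypothetical policy table).
POLICY = {
    "RESTRICTED-PHI": {"groups": {"clinical", "privacy-office"},
                       "actions": {"read"}, "encrypt": True},
    "CONFIDENTIAL":   {"groups": {"staff", "clinical", "privacy-office"},
                       "actions": {"read", "print"}, "encrypt": True},
    "INTERNAL":       {"groups": {"staff", "clinical", "privacy-office"},
                       "actions": {"read", "print", "email"}, "encrypt": False},
}

@dataclass
class Document:
    name: str
    text: str
    classification: str = field(init=False)

    def __post_init__(self):
        self.classification = classify(scan(self.text))

    @property
    def encrypt_at_rest(self):
        return POLICY[self.classification]["encrypt"]

# --- 6. Tracking: hash-chained audit trail. Each entry commits to the hash of
# the previous one, so editing or deleting an entry breaks every later link.
class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, **event):
        event["ts"] = datetime.now(timezone.utc).isoformat()
        event["prev"] = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True).encode()
        event["hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(event)

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

def authorize(doc, user, groups, action, log):
    """Decide one access request from the document's label and record the
    decision, allowed or denied, in the audit log."""
    rule = POLICY[doc.classification]
    allowed = bool(set(groups) & rule["groups"]) and action in rule["actions"]
    log.record(doc=doc.name, label=doc.classification, user=user,
               action=action, allowed=allowed)
    return allowed

# Constructed sample note; not real patient data.
SAMPLE_NOTE = ("Patient MRN-00412345, SSN 123-45-6789, DOB: 04/12/1961. "
               "ICD-10: E11.9 type 2 diabetes. Follow up in 6 weeks.")

if __name__ == "__main__":
    note = Document("visit-note.txt", SAMPLE_NOTE)
    log = AuditLog()
    print(note.classification, "encrypt_at_rest =", note.encrypt_at_rest)
    print("dr.lee read:", authorize(note, "dr.lee", ["clinical"], "read", log))
    print("dr.lee email:", authorize(note, "dr.lee", ["clinical"], "email", log))
    print("log intact:", log.verify())
```

Two design points matter for a practitioner. The scanner returns positions rather than matched values so that the scan output (which is itself a report about sensitive data) does not become a new copy of the PHI. The hash chain only makes tampering detectable to someone who holds an honest copy of the chain head; in production the latest hash should be anchored outside the system that writes the log, for example in write-once storage or a periodically signed checkpoint, or an attacker who can rewrite the whole log can simply recompute the chain.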
About the author: Kurt Mueffelmann is the president and CEO of Cryptzone. He has 20+ years of experience in the software industry, and has led HiSoftware (acquired by Cryptzone in September 2014) to steady growth since 2006 with a portfolio of industry-recognized, award-winning products.