Attending physicians, nursing staff or administrators may have ePHI on their laptops, smartphones, tablets or USB thumb drives. Mobile devices, though convenient, are easy targets for thieves and the most common way to lose data. Protecting data on these devices is key to preventing a data breach at your facility.
2. Lack of appropriate authentication/audit software and controls to secure access to ePHI
Do you monitor and audit personnel access to patient data? What technology, policies and procedures does your facility have in place to limit ePHI access to authorized staff only?
3. Unsecure medical devices connected to the network
All devices connected to the facility network, including medical devices and printers, can be remotely accessed by hackers. Patient data can potentially be at risk if these devices are not secured appropriately.
4. Hard drives on photocopiers
Many organizations lease photocopiers. Remember that these machines have hard drives that may contain patient data. This data needs to be destroyed before the machine is returned to the leasing company.
5. Software updates or system maintenance
Software upgrades and system maintenance can potentially leave ePHI unsecured. Make sure that the service company understands data security and HIPAA compliance and assures you that the data is secured after an upgrade or routine system maintenance.
6. Stolen passwords or weak passwords that are easy to hack
Train employees to use strong passwords for their access credentials and not to share this information with anyone.
7. Use of unsecure file sharing software/services
Prohibit use of file sharing services without prior authorization from the information security officer. Free cloud-based file sharing services are meant for consumer use. They are not secure or compliant for storing or sharing ePHI.
8. Use of unsecure email or text messaging services
The argument in #7 applies to the use of free email and text messaging services. Do not allow employees to email ePHI using these solutions. There are a number of secure, HIPAA-compliant email/messaging services available on the market that your organization can use.
9. Viruses or malware in the computer system
Ensure that your computers receive anti-virus updates and security patches on a regular basis. Implement a strict computer usage policy that clearly states appropriate as well as unacceptable computer usage.
10. Unintentional employee action or error
Unfortunately, despite all precautions, humans do make mistakes. The only way you can minimize this risk is through regular data security training for all personnel.