Maintaining HIPAA compliance is among the most important considerations for a medical business. Whether you are a hospital, clinic, or a secondary business that serves the health industry, we know that patient records security is a top priority. Patient data must be protected in compliance with HIPAA regulations. For a small medical operation with a single location, this is relatively straightforward, but the challenge of maintaining secure patient records grows more complex as new field offices are added. In this post, we’ll break down some of the technology considerations for maintaining HIPAA compliance across multiple medical office locations.
Sharing Patient Records Between Field Locations
Sharing patient records across field locations has created an additional challenge in terms of using technology to handle patient files. Medical businesses lag behind the technology adoption curve because we must be so careful with every piece of software and protocol used to handle personal health information (PHI). We’ve mastered hosting HIPAA-protected information on local servers protected by many layers of firewalls and permission protections. But what about handling patient information between field locations or with staff members who now work remotely?
This is a more complex task because it involves securing patient records in transit across public internet channels, as well as controlling who accesses the information at device endpoints. Fortunately, the tools and methods are available if you have a security team who knows how to use them. If you don’t, then outsourcing to an MSP to perform a risk assessment is a great option.
Local Network vs Remote Location File Sharing
The difference between local file-sharing and remote file-sharing is profound. With a local network, all the endpoints (computers, devices, and workstations) are connected, often via wired cables. This keeps the data securely inside a physical network. A hacker or any prying eyes would first need to gain access to the facility’s network, which can be protected with limited ports and extreme protection at those ports. A local network is like living in a walled city with three layers of gates and an army of guards at every wall opening. No data gets in or out without permission. An intrusion into a local network is also relatively easy to detect. A broken window or a security alarm going off signals a potential breach.
Sharing with remote locations, to follow the metaphor, is more like protecting a caravan as it travels between walled cities. At the same time, you also need similar levels of protection at both your local and destination servers.
To safely share patient files with remote field locations and staff members, you will need layered best practices to prevent any known possibilities of an en-route security breach.
Key Methods for Secure HIPAA File Sharing
HIPAA guidelines specify that all covered entities and business associates must maintain reasonable and appropriate measures to ensure the confidentiality, integrity, and availability of all electronic personal health information they create, receive, maintain, or transmit. Transmitting ePHI (electronic personal health information) between field locations across the public internet is different than transmitting around a local intranet. You need to add safeguards to keep the data secure, such as:
- End-to-End Software Encryption
- Create Secure Tunnels with Custom Ports
- Monitor and Track All Patient Records In Transport
- Restrict Access through a HIPAA Document Manager
- Allow Access to Only Pre-Approved Devices
- Audit Account Permissions Regularly
- Be Extremely Careful with Removable Storage Media
- Ensure Mutually Compliant Configuration in Each Location
1. End-to-End Software Encryption
Encryption is the leading form of defense for PHI documents. It is both the first and last line of defense. Encryption is a method of rendering files unreadable, even if they are accessed or stolen. An encrypted document, database, or entire server is run through an encoding program, which garbles the content using a specific key. The key is (these days) randomly generated and there is no way that a hacker could guess or generate the same key.
The files are then unreadable, complete gibberish, until decrypted using the exact same key. Medical server encryption is now industry-standard and is required by more than one regulating body. Encrypted apps for medical data are also high on the priority list. However, to truly secure patient records in transit, it is necessary to ensure your documents are encrypted from end to end.
To do this, the initial device/server must encrypt the files and then send them (encrypted) down a secure channel, where they are received and then decrypted by a secure device in the field. The tricky part that many software stacks struggle with is then sending secure information back. The remote device in use must re-encrypt files (or work with constantly encrypted files) and send encrypted files back to the main server. Outgoing patient records are secure, but incoming patient records are not secure unless this activity takes place.
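Added example, not from the original post: a round trip in which both the outbound leg and the return leg are encrypted, using AES-256-GCM from the Python `cryptography` package. The pre-shared key, the direction labels and the sample record are assumptions made for the illustration.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: both sites were provisioned out of band with the same 256-bit key.
SHARED_KEY = AESGCM.generate_key(bit_length=256)

def seal(key: bytes, record: bytes, direction: bytes) -> bytes:
    """Encrypt one record; `direction` is bound in as associated data."""
    nonce = os.urandom(12)  # a nonce must never repeat under the same key
    return nonce + AESGCM(key).encrypt(nonce, record, direction)

def unseal(key: bytes, blob: bytes, direction: bytes) -> bytes:
    """Decrypt and authenticate; raises InvalidTag if anything was altered."""
    nonce, ciphertext = blob[:12], blob[12:]
    return AESGCM(key).decrypt(nonce, ciphertext, direction)

def round_trip(key: bytes, record: bytes, note: bytes) -> bytes:
    """Main office -> field device -> main office, encrypted on both legs."""
    outbound = seal(key, record, b"main->field")
    at_field = unseal(key, outbound, b"main->field")
    updated = at_field + note                     # field staff edit the record
    inbound = seal(key, updated, b"field->main")  # re-encrypt before returning
    return unseal(key, inbound, b"field->main")

def is_rejected(key: bytes, blob: bytes, direction: bytes) -> bool:
    """True when the receiver refuses the message."""
    try:
        unseal(key, blob, direction)
        return False
    except InvalidTag:
        return True

if __name__ == "__main__":
    record = b"patient=0001;bp=120/80"  # constructed sample record
    print(round_trip(SHARED_KEY, record, b";note=follow-up"))
```

Because the direction label is authenticated, a message captured on one leg cannot be replayed on the other, and any modified byte causes the receiver to reject the whole record.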
2. Create Secure Tunnels with Custom Ports
A tunnel, in networking terms, is a private connection between two separate networks. Though the connection must take place through a public internet connection, the way the devices contact each other is not public. This method is also sometimes called port-forwarding. A tunnel limits the opportunities of an in-transit hacker to access your patient records when they are traveling between the home server and remote devices in the field.
A secure tunnel allows you to call a specific IP address and a specific port at that address, often with login or key credentials to gain access. Because the transfer does not pass visibly through public internet space, and access is limited between two directly connected devices, hackers have far less opportunity to inject their code or spy on the bits in transit.
3. Advanced Network Monitoring
Ensuring the integrity of data is a key component of HIPAA compliance. It’s not enough to put security measures in place and assume that they will work as expected. You have to monitor for breaches and suspicious network activity.
Network monitoring is essential to HIPAA-compliant security and is even more important when communicating with field locations and remote teams. Network monitoring keeps track of your data as it comes and goes. Properly configured, it can automatically track whether data movement is normal (through all the proper channels following the predictable daily workflow) or suspicious (not the proper channels, unusual time, unusual access point, etc).
When your network knows what is coming and going, hackers will have a far more difficult time slipping in unnoticed. Exploiting your remote data infrastructure to make unauthorized calls for patient records will also be more difficult. Data monitoring will tell you if files are transferring safely and as expected, and if there are signs of tampering.
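The normal-versus-suspicious check described above, as an added example that is not part of the original post. The log format, device names, working hours and the record-count ceiling are all assumptions constructed for the illustration; the volume check goes beyond the signals the text lists.

```python
from datetime import datetime

# Constructed baseline (assumed values) for this example.
APPROVED_CHANNELS = {"tunnel"}
WORK_HOURS = range(7, 19)            # 07:00-18:59 local time
REGISTERED_DEVICES = {"clinic-a-ws01", "clinic-b-ws04"}
MAX_RECORDS = 100                    # assumed ceiling for one routine transfer

# Constructed transfer log: timestamp, device, channel, records moved.
SAMPLE_LOG = """\
2024-03-04T09:15:00 clinic-a-ws01 tunnel 12
2024-03-04T02:40:00 clinic-b-ws04 tunnel 9
2024-03-04T10:05:00 clinic-a-ws01 ftp 3
2024-03-04T11:30:00 laptop-unknown tunnel 4
2024-03-04T14:20:00 clinic-b-ws04 tunnel 850
"""

def reasons(line: str) -> list[str]:
    """Return why one transfer deviates from the baseline (empty if normal)."""
    try:
        ts, device, channel, count = line.split()
        hour, records = datetime.fromisoformat(ts).hour, int(count)
    except ValueError:
        return ["unparseable"]       # never silently drop a line we cannot read
    found = []
    if channel not in APPROVED_CHANNELS:
        found.append("channel")
    if hour not in WORK_HOURS:
        found.append("time")
    if device not in REGISTERED_DEVICES:
        found.append("access point")
    if records > MAX_RECORDS:
        found.append("volume")
    return found

def review(log: str) -> dict[str, list[str]]:
    """Map each suspicious log line to the reasons it was flagged."""
    flagged = {}
    for line in log.splitlines():
        if line.strip() and (why := reasons(line)):
            flagged[line] = why
    return flagged

if __name__ == "__main__":
    for entry, why in review(SAMPLE_LOG).items():
        print(", ".join(why), "<-", entry)
```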
4. Use HIPAA-Safe Document Manager
A document manager is a program that hosts documents and allows them to be accessed remotely. In short, it’s cloud document storage that can be accessed from anywhere. Document managers are taking center stage in the business world. They are currently the most convenient way to securely share company documents between teams in local and field offices. However, for HIPAA compliance, a few additional steps must be taken.
First, you need a document manager that is capable of being HIPAA compliant, and not all of them are. Then, your manager must be configured to be secure enough for HIPAA compliance. Finally, you need secure logins and strict control over account access to ensure that, while patient records are being hosted online, they are only accessible or viewable by a very limited list of HIPAA-approved individuals.
5. Allow Access to Only Pre-Approved Devices
Device control is another essential way to ensure your remotely shared patient records are only seen by the right people. Device-based access prevents anyone from logging in or requesting documents unless their MAC address (unique device ID) and/or IP address match what is expected. This is easy to do if you are setting up field locations with specific devices that belong to your medical business. Register your devices and ensure that any non-approved devices are disallowed access universally.
You can also add personal work devices (laptops) belonging to team members who are currently working remotely.
6. Audit Permissions Regularly
Whether you are controlling a tunnel, login accounts, and/or device access, it is vital that only permitted individuals have access to patient files. However, this list changes over time, and the level of access a permitted individual has may change over time. A patient’s attending physicians and medical team may change. They may even update their list of approved family members who may access medical records. This means that permissions for remotely shared patient records must also be audited and updated regularly to ensure no legacy-permission security breaches occur.
Regular auditing is also an excellent way to ensure that no unauthorized permission changes (by hackers, fraud, or mistakes) remain incorrect for long.
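One way to run such an audit, as an added example that is not part of the original post: compare what the file-sharing system actually grants against what current care-team assignments say it should grant. The account names, patient identifiers, access levels and both tables are constructed for the illustration.

```python
LEVELS = {"none": 0, "read": 1, "write": 2}

# Constructed data. ROSTER is what current care-team assignments call for;
# GRANTS is what the file-sharing system allows today.
ROSTER = {
    ("dr.lee", "patient-0001"): "write",
    ("nurse.ortiz", "patient-0001"): "read",
    ("dr.lee", "patient-0002"): "read",
}
GRANTS = {
    ("dr.lee", "patient-0001"): "write",
    ("nurse.ortiz", "patient-0001"): "write",  # raised above the roster level
    ("dr.patel", "patient-0001"): "read",      # no longer on the care team
}

def audit(roster: dict, grants: dict) -> list[tuple]:
    """Return (account, patient, finding, action) for every mismatch."""
    findings = []
    for key in sorted(set(roster) | set(grants)):
        want = roster.get(key, "none")
        have = grants.get(key, "none")
        if want == "none":
            # Access that outlived its justification: the legacy-permission case.
            findings.append((*key, "legacy", f"revoke {have}"))
        elif LEVELS[have] > LEVELS[want]:
            # More access than assigned: an unreviewed or unauthorized change.
            findings.append((*key, "excess", f"lower {have} to {want}"))
        elif LEVELS[have] < LEVELS[want]:
            # Less access than assigned: a care-continuity problem, not a leak.
            findings.append((*key, "missing", f"raise {have} to {want}"))
    return findings

if __name__ == "__main__":
    for account, patient, finding, action in audit(ROSTER, GRANTS):
        print(f"{finding:8} {account:12} {patient}: {action}")
```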
7. Take Care with Removable Storage Media
Removable media usually takes the form of a USB drive or possibly a portable hard drive. On one hand, removable media is extremely secure for patient record transfer because it does not travel across the open internet. On the other hand, it’s a slow transfer and these devices have a higher chance of being lost, stolen, or accidentally left somewhere accessible. In addition, removable storage is rarely secured properly by passwords or encryption.
So if you make use of removable storage, do so with great care. Use encryption and passwords and take measures to ensure these drives are never lost or misplaced. Use trackers, tethers, and sign-out protocols any time physical patient data travel in a removable device.
8. Mutually Compliant Device Security
Last but certainly not least, make certain that both devices in a transfer (sending and receiving) are mutually secure and HIPAA-compliant. By mutually, we do not just mean that both devices have been secured. We strongly suggest that both on-site servers and devices in field locations are secured using the same software stack, configuration, and encryption protocol. In order to achieve full end-to-end encryption and PHI file security, you need to be certain that both devices in the transfer are equally safe.
Most often, the remote device is the least secure and may not be properly configured to maintain HIPAA protections. Ensure that every field device matches the home server in security and the protocols used to maintain that security.
Safely Sharing Patient Records Between Field Locations
Medical care can’t be limited by location. There are hospitals, clinics, and field locations spread all over the country (in fact, all over the world) and patient records must be transferred safely to provide continuous care. Because file transfer is necessary, we are challenged with the task of securing that transfer with full protection of patient privacy along the way.
NetTech Consultants have deep experience supporting Jacksonville hospitals, such as Baptist medical, and medical offices with employee counts ranging from 10 to 100s of users. NetTech can help put the policies, procedures, and access controls in place to secure your medical office, get HIPAA compliant, and ensure smooth operations.
Contact us to consult on the correct IT infrastructure for secure data transfer with field locations and remote team members.