Maintaining HIPAA compliance is among the most challenging duties of a medical business. Whether you are a hospital, clinic, or a secondary business that serves the health industry, we know that patient records security is a topmost priority. Patient data must be protected in compliance with HIPAA regulations.
Sharing Patient Records Between Field Locations
Sharing patient records across field locations has created an additional challenge in terms of using technology to handle patient files. Medical businesses lag behind the times and technology adoption curve because we must be so careful in every piece of software and protocol used to handle personal health information (PHI). We’ve mastered hosting HIPAA-protected information on local servers protected by many layers of firewalls and permission protections. But what about handling patient information between field locations or with now-remote staff members?
This is a more complex task because it involves securing patient records in-transit across public internet channels, as well as controlling who accesses the information at device endpoints. Fortunately, the tools and methods are available if you have a security team who knows how to use them.
Local Network vs Remote Location File Sharing
The difference between local file-sharing and remote file-sharing is profound. With a local network, all the endpoints (computers, devices, and workstations) are connected, often via wired cables. This keeps the data securely inside a physical network. A hacker or any prying eyes would first need to gain access to the facility’s network, which can be protected with limited ports and extreme protection at those ports. A local network is like living in a walled city with three layers of gates and an army of guards at every wall opening. No data gets in or out without permission.
Sharing with remote locations, to follow the metaphor, is more like protecting a caravan as it travels between walled cities. At the same time, you also need similar levels of protection at both your local and destination servers.
To safely share patient files with remote field locations and staff members, you will need layered best-practices to prevent any known possibilities of an en-route security breach.
Key Methods for Secure HIPAA File Sharing
There are two lessons to learn in terms of secure remote file sharing. The first is best practices. The second is avoiding known pitfalls. When you understand the best practices and the common pitfalls, the solutions define themselves and need only be capably implemented.
- End-to-End Software Encryption
- Create Secure Tunnels with Custom Ports
- Monitor and Track All Patient Records In Transport
- Restrict Access through a HIPAA Document Manager
- Allow Access to Only Pre-Approved Devices
- Audit Account Permissions Regularly
- Be Extremely Careful with Removable Storage Media
- Ensure Mutually Compliant Configuration in Each Location
1. End-to-End Software Encryption
Encryption is the leading form of defense for PHI documents. It is both the first and last line of defense. Encryption is a method of rendering files unreadable, even if they are accessed or stolen. An encrypted document, database, or entire server is run through an encoding program, which garbles the content using a specific key. The key is (these days) randomly generated and there is no way that a hacker could guess or generate the same key.
The files are then unreadable – complete gibberish – until decrypted using the exact same key. Medical server encryption is now industry-standard and is required by more than one regulating body. Encrypted apps for medical data are also high on the priority list. However, to truly secure patient records in-transit, it is necessary to ensure your documents are encrypted from end-to-end.
To do this, the initial device/server must encrypt the files, then send them (encrypted) down a secure channel, where they are received and then decrypted by a secure device in the field. The tricky part that many software-stacks struggle with is then sending secure information back. The remote device in use must re-encrypt files (or work with constantly encrypted files), and send encrypted files back to the main server. Outgoing patient records are secure, but incoming patient records are not secure unless this activity takes place.
2. Create Secure Tunnels with Custom Ports
A tunnel, in networking terms, is a private connection between two separate networks. Though the connection must take place through a public internet connection, the way the devices contact each other is not public. This method is also sometimes called port-forwarding. A tunnel limits a hacker's opportunities to access your patient records while they are traveling between the home server and remote devices in the field.
A secure tunnel allows you to call a specific IP address and a specific port at that address, often with login or key credentials to gain access. Because the transfer does not pass visibly through public internet space, and access is limited between two directly connected devices, hackers have far less opportunity to inject their own code or spy on the bits in transit.
3. Advanced Network Monitoring
Network monitoring is essential to HIPAA-compliant security and is even more important when communicating with field locations and remote teams. Network monitoring keeps track of your data as it comes and goes. Properly configured, it can automatically track whether data movement is normal (through all the proper channels following the predictable daily workflow) or suspicious (not the proper channels, unusual time, unusual access point, etc).
When your network knows what is coming and going, hackers will have a far more difficult time slipping in unnoticed. Exploiting your remote data infrastructure to make unauthorized calls for patient records will also be more difficult. Data monitoring will tell you whether files are transferring safely and as expected, or whether there are signs of tampering.
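The normal-versus-suspicious check described above can be sketched as a baseline comparison over transfer logs. This is an added example, not code from the original article; the log format, channel names, endpoint names, and working hours are all constructed assumptions.

```python
from datetime import datetime

# Baseline of expected behaviour. All values are constructed for illustration.
APPROVED_CHANNELS = {"sftp-tunnel", "docmgr-https"}
APPROVED_ENDPOINTS = {"clinic-north-01", "clinic-east-02", "hq-records"}
WORK_HOURS = range(7, 19)  # 07:00-18:59 local time

# Constructed sample transfer log, one key=value record per line.
SAMPLE_LOG = """\
ts=2024-03-04T09:15:00 channel=sftp-tunnel src=hq-records dst=clinic-north-01
ts=2024-03-04T02:41:00 channel=sftp-tunnel src=hq-records dst=clinic-east-02
ts=2024-03-04T10:05:00 channel=ftp src=hq-records dst=clinic-north-01
ts=2024-03-04T11:30:00 channel=docmgr-https src=hq-records dst=laptop-unknown-77
"""

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict with a parsed timestamp."""
    event = dict(field.split("=", 1) for field in line.split())
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def suspicious_reasons(event):
    """Return every way an event departs from the baseline (empty = normal)."""
    reasons = []
    if event["channel"] not in APPROVED_CHANNELS:
        reasons.append("unapproved channel")
    if event["ts"].hour not in WORK_HOURS:
        reasons.append("unusual time")
    for side in ("src", "dst"):
        if event[side] not in APPROVED_ENDPOINTS:
            reasons.append(f"unusual access point ({side})")
    return reasons

def review(log_text):
    """Map log line numbers to their reasons, keeping only flagged lines."""
    flagged = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            reasons = suspicious_reasons(parse_line(line))
            if reasons:
                flagged[number] = reasons
    return flagged

if __name__ == "__main__":
    for number, reasons in review(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(reasons)}")
```
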
4. Use HIPAA-Safe Document Manager
A document manager is a program that hosts documents, and allows them to be accessed remotely. In short, it’s cloud document storage that can be accessed from anywhere. Document managers are taking center-stage in the business world. They are currently the most convenient way to securely share company documents between teams in local and field offices. However, for HIPAA compliance, a few additional steps must be taken.
First, you need a document manager that is capable of being HIPAA compliant – not all of them are. Then, your manager must be configured to be secure enough for HIPAA compliance. Finally, you need secure logins and strict control over account access to ensure that, while patient records are being hosted online, they are only accessible or viewable by a very limited list of HIPAA-approved individuals.
5. Allow Access to Only Pre-Approved Devices
Device control is another essential way to ensure your remotely shared patient records are only seen by the right people. Device-based access disallows anyone from logging in or requesting documents unless their MAC address (unique device ID) and/or IP address match what is expected. This is easy to do if you are setting up field locations with specific devices that belong to your medical business. Register your devices and ensure that any non-approved devices are disallowed access universally.
You can also add the personal work devices (laptops) belonging to team members who are currently working remotely.
6. Audit Permissions Regularly
Whether you are controlling a tunnel, login accounts, and/or device access – it is vital that only permitted individuals have access to patient files. However, this list changes over time. A patient’s attending physicians and medical team may change. They may even update their list of approved family members who may access medical records. This means that permissions for remotely shared patient records must also be audited and updated regularly to ensure no legacy-permission security breaches occur.
Regular auditing is also an excellent way to ensure that no unauthorized permission changes (by hacker, fraud, or mistake) remain incorrect for long.
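A permission audit of this kind compares what is approved against what is actually granted, and separates stale legacy grants from grants that were never approved. This is an added example, not code from the original article; the patient IDs, user names, access levels, and data layout are constructed assumptions.

```python
# Constructed data: (patient_id, user) -> access level.
LAST_AUDIT_APPROVED = {
    ("patient-001", "dr.adams"): "write",
    ("patient-001", "nurse.lee"): "read",
    ("patient-002", "dr.adams"): "write",
}
CURRENT_APPROVED = {
    ("patient-001", "dr.baker"): "write",   # attending physician changed
    ("patient-001", "nurse.lee"): "read",
    ("patient-002", "dr.adams"): "write",
}
ACTUAL_GRANTS = {  # what the document manager enforces today
    ("patient-001", "dr.adams"): "write",   # never revoked after the change
    ("patient-001", "nurse.lee"): "write",  # level raised without approval
    ("patient-002", "dr.adams"): "write",
    ("patient-002", "temp.acct"): "read",   # never on any approved list
}
LEVELS = {"read": 1, "write": 2}

def audit(current_approved, last_approved, actual):
    """Return (finding, patient_id, user) tuples for every discrepancy."""
    findings = []
    for key, level in sorted(actual.items()):
        if key not in current_approved:
            # Approved at the last audit but not now: a legacy permission.
            # Never approved at all: an unauthorized change.
            kind = "legacy grant" if key in last_approved else "unauthorized grant"
            findings.append((kind, *key))
        elif LEVELS[level] > LEVELS[current_approved[key]]:
            findings.append(("excess level", *key))
    # Approved people who cannot reach the record yet.
    for key in sorted(current_approved.keys() - actual.keys()):
        findings.append(("missing grant", *key))
    return findings

if __name__ == "__main__":
    for finding in audit(CURRENT_APPROVED, LAST_AUDIT_APPROVED, ACTUAL_GRANTS):
        print(*finding)
```
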
7. Take Care with Removable Storage Media
Removable media usually takes the form of a USB drive or possibly a portable hard drive. On one hand, removable media is extremely secure for patient record transfer because it does not travel across the open internet. On the other hand, it’s a slow transfer and these devices have a higher chance of being lost, stolen, or accidentally left somewhere accessible. In addition, removable storage is rarely secured properly by passwords or encryption.
So if you make use of removable storage, do so with great care. Use encryption and passwords and take measures to ensure these drives are never lost or misplaced. Use trackers, tethers, and sign-out protocols any time physical patient data travel in a removable device.
8. Mutually Compliant Device Security
Last but certainly not least, make certain that both devices in a transfer (sending and receiving) are mutually secure and HIPAA-compliant. By mutually, we do not just mean that both devices have been secured. We strongly suggest that both on-site servers and devices in field locations are secured using the same software stack, configuration, and encryption protocol. In order to achieve full end-to-end encryption and PHI file security, you need to be certain that both devices in the transfer are equally safe.
Most often, the remote device is the least secure and may not be properly configured to maintain HIPAA protections. Ensure that every field device matches the home server in security and the protocols used to maintain that security.
Safely Sharing Patient Records Between Field Locations
Medical care can’t be limited by location. There are hospitals, clinics, and field locations spread all over the country (in fact, all over the world) and patient records must be transferred safely to provide continuous care. Because file transfer is necessary, we are challenged with the task of securing that transfer with full protection of patient privacy along the way.
Contact us to consult on the correct IT infrastructure for secure data transfer with field locations and remote team members.