When major health crises descend, it's vital for the healthcare industry to share information quickly and responsibly.
The importance of and need for data sharing extends beyond researchers to also include local hospitals, physicians, and even school systems. In situations like this, where personal health information (PHI) could very likely need to be disclosed and data sharing is presumably on the rise, bear in mind the considerations for meeting HIPAA compliance requirements.
The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on HIPAA-covered organizations to safeguard PHI and the security rule governs how organizations protect their data, with three main sections: physical safeguards, technical safeguards, and administrative safeguards. So even if this outbreak doesn’t impact your organization’s need for sharing data, now is as good a time as any to closely examine PHI protection within your organization.
When it comes to data sharing, technical safeguards are perhaps the best place to start. These tips go beyond strong passwords, backing up data, and keeping software up to date. In a world where data sharing is happening around the clock, security needs to be kicked up a notch in order to give you control over your data, and it starts with ensuring a secure communication workflow.
1. Secure your inbox.
Patients, doctors, researchers, and state and federal agencies all need to communicate with each other, and the majority of organizations rely on email to do so. Most email providers have adopted Transport Layer Security (TLS) as the standard to encrypt emails in transit. It provides an encrypted pipe through which your emails can travel. But, it has it’s limitations and the best way to secure your data is with data-centric protection.
2. Use multi-factor authentication (MFA) and single sign-on (SSO).
IT teams can take the security of SSO one step further with MFA. This requires users to present more than one factor of authentication to ensure the sign-on attempt is coming from the valid account owner, not an imposter.
3. Implement access control.
Not only should each user who touches PHI have their own login credentials for accessing sensitive data, but when sharing PHI externally, advanced access controls—such as message revocation and expiration, disabled forwarding, and watermarking—ensure that no third-party ever has unauthorized access to PHI sent via email.
4. Encrypt everything sensitive.
End-to-end encryption is at the heart of data-centric security strategies. End-to-end encryption wraps every piece of data in a layer of protection at all times, not just in transit and at rest; it also ensures that only the sender and recipient can view the contents of an email. This protection stays with your data no matter where it goes, even after it leaves the email platform.
Data is a powerful tool but it can also be hard to manage. In this challenging time, we stand by our commitment to empower organizations to unlock the power of data by helping create a world where it is always under your control. Our flexible, easy to use and trusted privacy technologies govern access to PHI throughout its full lifecycle—from creation through sharing, storage, analysis, and action.
To learn how Virtru can help with your HIPAA-compliant data sharing needs, get in touch with us today.
