We see a wide range of HIPAA use cases, both inside and outside of the healthcare industry. Sometimes, it’s a Compliance Officer worried about healthcare data security between doctors and patients, or an IT manager looking for a safer way for the office manager to send referrals. Other times, it’s an Operations Officer looking for a way Human Resources can securely share and store Personally Identifiable Information (PII). But it only takes one question to see most of them face a bigger problem — a problem they share with other organizations: “How are you doing it now?”
Many prospective clients are doing the same two things: sending a HIPAA policy to employees, and providing some tools that those employees are supposed to use.
Some larger organizations invest heavily in encryption portals, secure servers and other security infrastructure, but at the end of the day they have many of the same healthcare information security problems small offices are facing. Despite all of that infrastructure, sending out something as basic as a referral can still be a challenge. So what's going on? The challenges IT leaders face go well beyond any one use case.
4 Questions Every Healthcare Data Security Leader Faces
1. What Kinds of Sensitive Data Are Our Staff Members Handling?
Implementing one high-priority healthcare data security use case is a great way to make a meaningful decrease in risk and lay a foundation you can build on. For example, if you want to make sure HR is HIPAA compliant, you might provide key team members with encryption and train them to use it when they email medical records to outside parties like insurers. Simple, right? In practice, HIPAA's rules for email are a lot broader than that.
Anything that identifies someone, be it a name, address or phone number, falls under HIPAA when it is tied to health information. That includes an HR professional informing a manager that a worker is out for surgery, or emailing an employee for an update on medical history. It also includes a lot of communications between HR department members. Strictly speaking, HIPAA's definition of protected health information applies to identifiable health information held by covered entities and their business associates, and it excludes employment records an employer holds in its role as employer; many organizations nonetheless treat all HR health information as if it were PHI, and that conservative view is the one taken here. Whether these emails are sent internally to other team members or externally to insurers and providers, keeping them compliant means protecting them, and in practice that means encrypting them.
In many scenarios, use cases like this end up involving a lot more data and more users than initially anticipated. The whole HR department, and the managers they communicate with, must be trained to encrypt a much wider range of communications.
2. How do We Secure Healthcare Data?
The good news is that it's not much tougher to implement a data security program for three dozen users than it is for three, provided you choose an approach that can meet everyone's needs. Unfortunately, a portal system probably isn't going to cut it here: expecting managers to switch to a different interface any time a conversation touches on workers' health isn't practical. It wastes the manager's time, and you really don't want to have to train them in every nuance of HIPAA.
You'll probably need a secure email provider that fits into your managers' email-based workflow and lets them err on the side of caution by encrypting anything that might be HIPAA data. Not only will this meet current needs, it will also help you scale up to address further healthcare information security use cases and other tasks that require encryption in the future.
Virtru email encryption is an ideal solution. Virtru allows HR professionals, managers, medical professionals, and anyone else with an email account to encrypt messages and attachments with a single click. It works with your existing account, with no need for a secondary login. Unlike portal-based tools, Virtru allows recipients to open and securely reply to messages without installing anything. That means if your team has to communicate with a new hire who hasn't been trained in healthcare data security yet, they can still do so.
3. How Do We Enforce Healthcare Data Security Rules?
The convenience of one-click email encryption boosts adoption and avoids the pushback that comes with complex, inconvenient healthcare information security tools. However, it doesn't prevent mistakes. Your workers have a lot on their minds and years of routine emailing behind them; they're used to just composing a message and hitting send. Without a way to enforce the rules, an accidental healthcare data security incident is almost inevitable.
Most organizations lack the controls to enforce HIPAA, or even the visibility to spot a worker breaking the rules. All they can do is send out HIPAA policies, provide training and tools, and hope for the best. Often, the first they hear of any sort of problem is when there's a breach or a complaint, and by then it's too late.
Virtru Data Loss Prevention makes it easy to enforce encryption and other healthcare information security rules. Customizable rules let you scan email for healthcare keywords, social security numbers, medical codes, email addresses, attachments, and other signs that a message may contain sensitive data.
The application can apply encryption automatically, or take other actions like warning users, BCC'ing an admin, and stripping attachments, preventing absent-minded workers from breaking compliance. Admins can track when workers break healthcare security rules and provide further training or remediation as necessary.
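To make the rule-and-action model concrete, here is a small content-scanning DLP policy for outbound email. It is an added illustration, not Virtru's code or rule set: the mail domain, admin mailbox, consumer-webmail list, regular expressions and severity thresholds are all assumptions, and the sample messages are constructed. Each message is scanned for a social security number, an ICD-10-style diagnosis code, health keywords and medical-looking attachment names, and the findings are mapped onto the four actions described above (encrypt, warn, BCC an admin, strip attachments).

```python
"""Toy content-scanning DLP policy for outbound email.

Added illustration of the rule-and-action model described above; it is
not Virtru's code or rule set. Domain names, addresses, thresholds and
regexes are assumptions, and the sample messages are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"   # assumption: our own mail domain
CONSUMER_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# US SSN with the structurally impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# ICD-10-CM diagnosis code: letter (U is reserved), two digits, optional
# decimal extension. Deliberately loose ("B12" also matches); measure the
# false-positive rate before you enforce on it rather than warn.
ICD10_RE = re.compile(r"\b[A-TV-Z]\d{2}(?:\.[0-9A-Z]{1,4})?\b")
HEALTH_TERMS = ("diagnosis", "surgery", "prescription", "lab results",
                "medical record", "patient", "mrn")
MEDICAL_FILENAME_RE = re.compile(r"lab|mri|x-?ray|referral|ehr|results", re.I)


@dataclass
class Email:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


@dataclass
class Finding:
    rule: str
    severity: int   # 1 = keyword, 2 = code or attachment name, 3 = direct identifier
    evidence: str   # what the admin sees in the audit record


def mask_ssn(ssn: str) -> str:
    """Never copy a full SSN into logs or admin notifications."""
    return "***-**-" + ssn[-4:]


def scan(msg: Email) -> list[Finding]:
    """Run every detector over subject, body and attachment names."""
    text = f"{msg.subject}\n{msg.body}"
    findings = [Finding("ssn", 3, mask_ssn(m)) for m in SSN_RE.findall(text)]
    findings += [Finding("icd10", 2, m) for m in ICD10_RE.findall(text)]
    lowered = text.lower()
    findings += [Finding("keyword", 1, t) for t in HEALTH_TERMS if t in lowered]
    findings += [Finding("attachment", 2, n) for n in msg.attachments
                 if MEDICAL_FILENAME_RE.search(n)]
    return findings


def decide(msg: Email, findings: list[Finding]) -> list[str]:
    """Map findings to actions: ALLOW, ENCRYPT, WARN, BCC_ADMIN, STRIP_ATTACHMENTS."""
    if not findings:
        return ["ALLOW"]
    domains = {r.rsplit("@", 1)[-1].lower() for r in msg.recipients}
    external = any(d != INTERNAL_DOMAIN for d in domains)
    worst = max(f.severity for f in findings)
    actions = ["ENCRYPT"]                    # anything that might be PHI goes encrypted
    if worst == 1:
        actions.append("WARN")               # keyword-only hit: tell the sender why
    if external and worst >= 3:
        actions.append("BCC_ADMIN")          # direct identifier leaving the org: audit it
    if any(f.rule == "attachment" for f in findings) and domains & CONSUMER_WEBMAIL:
        actions.append("STRIP_ATTACHMENTS")  # assumption: no medical files to personal webmail
    return actions


def evaluate(msg: Email) -> list[str]:
    return decide(msg, scan(msg))


# Constructed sample traffic, not real messages.
SAMPLES = [
    Email("hr@example.com", ["manager@example.com"], "Coverage next week",
          "Jane Doe is out for surgery next week; please plan coverage."),
    Email("hr@example.com", ["claims@insurer.example"], "Claim submission",
          "Claim for MRN 44821, diagnosis E11.9, SSN 123-45-6789.",
          ["lab_results.pdf"]),
    Email("frontdesk@example.com", ["jdoe@gmail.com"], "Imaging follow-up",
          "Your images are attached; call the office with questions.",
          ["xray_2023.png"]),
    Email("hr@example.com", ["manager@example.com"], "Lunch Friday?",
          "Tacos at noon?"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.subject, "->", evaluate(sample))
```

Two design points matter more than the regexes. Evidence is masked before it reaches an admin, because a DLP audit trail that stores full SSNs creates a second copy of the data you were trying to protect. And the lowest-confidence detector (keywords) triggers encryption plus a warning rather than a hard block, which is what keeps managers from routing around the tool when it misfires on an ordinary email.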
4. What Can We Do Once the Data Has Already Been Sent?
This is the question that keeps IT leaders up at night. We've all made a few email mistakes, such as typing the wrong address or hitting "Reply All" by mistake, and usually the consequences are no worse than mild embarrassment. But if an HR pro hits "Reply All," they could tell the whole office about a worker's illness instead of just their manager. If a doctor's office manager types the wrong address, they might send medical test results to the wrong patient. That one moment of inattention could result in costly HIPAA privacy violations, stressful audits, and onerous remediation plans.
Virtru lets you undo the mistake, even if your recipient has already opened the message. Provided you encrypted it, you can revoke an email with a single click, preventing your recipient (and anyone they've shared it with) from reading or forwarding it in the future. This works because access to the decryption key stays under the sender's control rather than the recipient's; it cannot, however, retrieve a copy a reader saved or screenshotted while the message was open, so revocation limits exposure rather than guaranteeing none occurred.
This combines with Virtru read receipts for an even more powerful remediation tool. Revoke before the message is read, and the read receipts give you evidence that it was never opened. Even if the message has been read, read receipts help you remediate by identifying exactly who has opened the message and who hasn't, which narrows the scope of any breach assessment.
What Are Your Healthcare Information Security Challenges?
HIPAA compliance programs are complex and organization-specific, but all organizations face the same basic compliance needs. By making encryption easy, secure, convenient and scalable, Virtru helps IT and security leaders stop stressing over low adoption rates and poor visibility, and start enforcing consistent compliance.
Interested in learning more about how Virtru can work with your organization? Request a demo with a team member today.
Read what Forrester Research Senior Analyst Security and Risk, Heidi Shey had to say about The Most Critical Data Security Challenge IT Leaders Face in our five-part blog series.