IT administrators who work for companies that store private patient information must make their systems HIPAA compliant. HIPAA is one of the main security standards for the healthcare industry. Its goal is to protect patient information and ensure that technology follows best practices to secure claims, billing, and patient records. Here are the four main areas of security your databases and servers should cover.
Each of your databases and servers should have a list of users who may access patient information. Before these people can access data, they must authenticate: they must have a username and password to get into the system. Usernames should never be blank, and administrators should enforce password rules such as minimum length and complexity.
Authentication can be handled in several ways, such as Active Directory or LDAP. AD and LDAP let you combine authentication for both applications and the enterprise network, so users who are already logged into the network don't need to re-enter a username and password to access the application. Whatever authentication method you use, always have auditing turned on and limit who is allowed to edit the authentication configuration.
Authorization is the list of users who have access to data and what each of them is allowed to do with it. Authentication verifies that a person is who they claim to be; authorization then assigns privileges to that person. For instance, you might want customer service reps to be able to read patient information except for social security numbers. You create roles within your application and database that specify this restriction. Most administrators create groups to manage large numbers of users with different authorization rights.
When you store sensitive data, very few people should have access to certain fields. HIPAA regulations require limiting access to data such as social security numbers, credit card numbers, and communications between patients and doctors.
Auditing can consume much of your storage, so make sure you have plenty of space before you turn it on. Auditing logs every successful and unsuccessful login attempt: each time a user enters a username and password, an entry is written to the audit log. This helps you see who has accessed records, but it fills up storage quickly. Auditing is costly to implement, but it is a HIPAA requirement.
Audit records also help you identify cyber threats. Multiple failed login attempts should trigger an account lockout, so you can tell when your network or database is under attack. Audit records are also useful if litigation occurs, and they protect the company from data theft. They help you understand who read and who edited a user record.
Encryption is your main defense if authentication and authorization fail. Auditing alerts you to an issue, but encryption gives you one more layer of defense. All providers must encrypt several components of a patient's private information: social security numbers, passwords, and credit card numbers should always be encrypted. In addition, only a few select employees should hold the keys to decrypt data. You will occasionally need to decrypt records, but it should be a rare occurrence.
Many providers take the extra step of creating dummy data for testing. This matters when developers need production-like data to run quality assurance and test scripts. For instance, you can decrypt social security numbers and then replace them with random numbers that are not real social security numbers of your patients. This protects patient data while letting developers keep testing with realistic data.
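As an added example that is not part of the original article, here is that masking step in Python: a keyed HMAC turns each decrypted SSN into a consistent fake whose area number the SSA never issues, so the test data stays joinable across tables but can never be a patient's true SSN. The key, field names and sample rows are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed example: HMAC-based pseudonymization of SSNs for a test dataset.
SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")

def is_possible_real_ssn(ssn: str) -> bool:
    """True if the value could be an assigned SSN under SSA numbering rules:
    area is never 000, 666 or 900-999; group is never 00; serial is never 0000."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0

def mask_ssn(ssn: str, key: bytes) -> str:
    """Replace a real SSN with a fake one that is formatted like an SSN but can never
    be assigned to anyone (area 900-999). The fake digits come from an HMAC of the
    real value under a key kept out of the test environment, so the same real SSN
    always maps to the same fake (joins between test tables still line up) while the
    mapping cannot be reversed by developers who only see the masked data."""
    if not SSN_RE.match(ssn):
        raise ValueError(f"not an SSN-formatted value: {ssn!r}")
    n = int.from_bytes(hmac.new(key, ssn.encode(), hashlib.sha256).digest()[:8], "big")
    area = 900 + n % 100                 # 900-999: never issued by the SSA
    group = 1 + (n // 100) % 99          # 01-99 (00 is never issued)
    serial = 1 + (n // 9900) % 9999      # 0001-9999 (0000 is never issued)
    return f"{area:03d}-{group:02d}-{serial:04d}"

def mask_records(records: list, key: bytes) -> list:
    """Return copies of the (already decrypted) records with the ssn field masked."""
    return [{**r, "ssn": mask_ssn(r["ssn"], key)} for r in records]

# Constructed sample rows standing in for decrypted production data (not real people).
SAMPLE_PATIENTS = [
    {"patient_id": 1, "name": "Test Patient A", "ssn": "123-45-6789"},
    {"patient_id": 2, "name": "Test Patient B", "ssn": "987-65-4321"},
]

if __name__ == "__main__":
    for row in mask_records(SAMPLE_PATIENTS, key=b"constructed-masking-key"):
        print(row)
```

The key must live only in the environment that performs the decrypt-and-mask step, never alongside the masked test copy.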
These four HIPAA compliance areas affect technology systems and can be costly for some businesses, but they are an important part of a company's defense against hackers and unauthorized theft of patient data.