Page 27 - Part 1 Navigating Electronic Media in a Healthcare Setting
SVMIC Navigating Electronic Media in a Healthcare Setting
touching ePHI. HHS offers a security risk assessment tool to assist in this regard, and it can be found on www.HealthIT.gov.
As hackers find new ways to exploit networks and mobile devices to steal data, healthcare organizations must work at maintaining and improving their security defenses. They must address new vulnerabilities that are inadvertently introduced, or that develop over time as equipment and software age. Risk assessments must therefore be conducted regularly.
In the HHS’ HIPAA Security Guidelines, covered entities are informed that they “must consider the use of encryption for transmitting ePHI, particularly over the internet.” HIPAA-covered entities must also “implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
It is not mandatory to encrypt data at rest; however, covered entities should bear in mind the advice given in the HHS Security Guidelines regarding data in motion: “as business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities.” The Guidelines go on to say, “Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.”
HIPAA requires covered entities “to implement technical policies and procedures that allow only authorized persons to access Protected Health Information.” If mobile devices are used to access, store or transmit ePHI, they must have access controls in place to authenticate the user. Multi-layered security controls