Every October, the U.S. federal government celebrates National Cybersecurity Awareness Month. For those who are part of the “regulated community,” it’s a great time to take a closer look at what you can do to further strengthen the cybersecurity of your electronic protected health information (e-PHI). Ensuring the confidentiality, integrity, and availability of e-PHI is our responsibility, but it’s not always easy. Here’s a snapshot of the latest cybersecurity tips from the HHS Office for Civil Rights.

Have a strong password

Some tips:

  • Use 10 characters or more
  • Include uppercase and lowercase letters, numbers, and special characters, such as #$&*)
  • Consider using “passphrases”
  • Avoid easy-to-guess passwords, such as your birthdate

Train your staff

Make sure your staff understands:

  • How to spot phishing emails
  • When/who to report possible cyber incidents to in your business

For more on phishing, read an earlier blog post here.

Use multi-factor authentication

For adequate protection, go beyond a username and password.  Multi-factor authentication typically includes a password and additional security measures, such as a thumbprint or key card.

Update and patch your system

Updates and patches often fix critical security vulnerabilities, so take care of each on systems and applications regularly.

Lock devices–and be cautious of portable devices

Limit physical access to devices and lock devices when not in use. Be cautious plugging a phone, USB, or other portable device into a secure computer or network. If the device is needed, be sure to follow your organization’s policies on the use of such devices.

Cyber security, e-PHI, and you

  • Be aware. Be aware of your responsibilities as a covered entity or business associate under HIPAA. Need a refresher? See 45 C.F.R. Parts 160 and 164.
  • Have a plan. Have security incident procedures and response plans in place, as well as contingency plans to ensure effective, concentrated, and coordinated means to respond to and recover from security incidents.
  • Act swiftly. Once a security incident is detected, immediately take steps to:
    • Analyze the incident
    • Eradicate the incident
    • Remediate vulnerabilities
    • Recover from the incident
    • Conduct post-incident activities (for example, mitigate any impermissible disclosure of protected health information)
  • Sound the alarm. Report possible cybersecurity threats to the right people in your organization immediately. Time is often critical during a cyber-incident, so if you suspect a cyber-threat, report it right away.
    • Breaches of e-PHI affecting more than 500 individuals must be reported to the HHS Office for Civil Rights (OCR), affected individuals, and the media as soon as possible, but no later than 60 days after the discovery of the breach.
    • Breaches affecting fewer than 500 individuals must be reported to the affected individuals as soon as possible, but no later than 60 days after the discovery of the breach, and to OCR no later than 60 days following the calendar year the breach was discovered.

Need more information?