Data security, cyber security, cyber threats – all terms we have come to hear more and more in the news. It seems that a new data breach is reported weekly.
According to a 2016 study conducted by the Ponemon Institute, healthcare data is under siege. Almost 90 percent of the healthcare organizations surveyed had a data breach in the prior two years, and 45 percent had more than five breaches in that period. Threats to data security are also increasing in sophistication and persistence.
The Senior Living industry is more than active communities for older adults. Because of the personal information gathered on prospective residents during early interactions, and the ongoing collection of information about the health of community residents, it is also a part of our healthcare ecosystem. The senior living industry requires as much protection and scrutiny as any other environment handling healthcare information.
An important first step in data security is awareness. Many employees, while aware that HIPAA compliance is important, are not versed in the specific requirements of HIPAA or in the definition of ePHI (electronic protected health information). ePHI is individually identifiable health information held or transmitted in electronic form: health information combined with anything that identifies the person it belongs to. It can be as simple as recording whether a named resident has a food or pet allergy in the community’s CRM (customer relationship management) software.
Should We Be Concerned? Are We Exposed?
Many larger organizations have well-staffed IT departments who can perform regular audits ensuring compliance and information security. Smaller organizations might outsource IT functions or subscribe to cloud-based applications to store data.
Regardless of size or whether IT requirements are handled internally or outsourced, organizations are still liable for the security of the information, even if the data is stored in a third-party system or application.
To ensure HIPAA compliance when using external resources, organizations must have a Business Associate Agreement (BAA) in place with each vendor that stores, processes, or transmits their ePHI. A BAA is a contract between the organization and the vendor that sets out what the vendor may do with the information and obligates the vendor to safeguard it, report breaches, and otherwise comply with HIPAA. A BAA does not transfer the organization’s own liability, but operating without one is itself a compliance failure. This is a key point for smaller organizations with much of their IT functions outsourced.
Regardless of size, every organization should consider a third-party risk assessment to determine the strength of their information security systems, policies and practices. This is a relatively inexpensive, but valuable step in ensuring the security of your data.
Does HIPAA Apply to our CRM or Other Software?
The answer is, it depends on the information you store there. The moment you log information about a resident’s or prospective resident’s health events, conditions, medications, or suspicions of undiagnosed conditions such as early-onset memory loss, you are subject to the rules of HIPAA compliance.
Keep in mind that the way an organization uses a system changes over time. The information stored in it rarely stays the same year after year, so a system that held no ePHI when it was adopted may well hold it now.
As the industry continues to move towards a “continuum of care” model, information security needs are driven upstream, even into the Sales and Marketing departments and the systems they use. The bottom line is any system you use to store resident information should be secured properly.
Should We Avoid Using Anything in the Cloud?
There are many senior living communities using cloud-based applications to run their operations. There is nothing inherently unsafe about operating in the cloud today, but organizations must be diligent regarding acquiring BAAs from their vendors whether hosted in the cloud or in a traditional datacenter.
What Can We Do?
Data security is everyone’s responsibility. It’s not something to be left up to the IT department or outside vendors.
Data security starts with employee awareness. Organizations must:
- Ensure all employees are educated on the definition of ePHI
- Provide training on best practices when handling all resident data, especially ePHI
- Conduct annual “official” training to keep awareness high
In addition to employee awareness, it’s important to periodically review the data you’re collecting and storing. Questions to ask include:
- What is the data – is there any ePHI?
- Is it possible that this data might be exported, sent via email, etc.?
- Who has access to this application and ePHI data?
- Where is the data? On premises or remote?
- Is a BAA needed?
If you use or are thinking about using outsourced IT services or cloud-based applications, consider the following when evaluating vendors:
- Do they conduct third-party risk assessments/audits?
- Are they HIPAA compliant, and will they sign a BAA?
- Do they have a breach response policy in place? (This is how you find out promptly if any of your data has been compromised.)
Information security is vital to the senior living industry, but it’s also complex. Hiring a third-party risk assessment firm helps to identify potential threats or issues and to design a strategy for reducing or eliminating them. Risk assessment firms can:
- Conduct external penetration testing of applications (those managed by you and outside vendors)
- Conduct a policy framework audit
- Perform a physical premises audit
- Help classify applications and data to determine whether information stored is ePHI
Ensuring Information Security in Your Organization
Almost all security depends on humans at some point in the process. From sales and marketing to IT staff, education and awareness are crucial to maintaining a secure environment. It is important that you review your own security policies and practices regularly, but a risk assessment by a third-party company specializing in healthcare is valuable in confirming that proper policies and information security best practices are in place.
If you’re looking for a secure, robust tool to manage your Senior Living sales and marketing efforts, Continuum CRM can help. Sign up for a demo today.