Kusserow on Compliance: Tips on information security from the FTC

The health care sector is so focused on Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security related issues under the watchful eyes of CMS and the Office of Civil Rights (OCR) that it often forgotten that there are a host of other laws and regulations related to data security. The Federal Trade Commission (FTC) released “Start with Security: A Guide for Business,” a report concerning data security that has application to all business sectors, including health care. The FTC noted that the report draws upon “lessons learned from more than 50 law enforcement actions.” The guide provides a treasure trove of tips and best practices for protecting sensitive information and associated risks.

The FTC begins with the recognition that sensitive information and data, including personnel information, customers/patients records and credit information, pervades every part of business and every part of any business is impacted by sensitive information. In turn, it is a challenge for businesses to manage confidential information. Betta Sherman, a health care consultant specializing in HIPAA Privacy and Security issues, notes “although this report applies to all business sectors, it is particularly relevant to the health care sector, which has the responsibility to safeguard protected health information (PHI).”

The report states that the starting point is establishing security policy and procedures. It is also important to think through about the kind of information you collect, how long you keep it, and who can access it. If so, risk of a data compromise down the road can be reduced. Dr. Cornelia Dorfschmid, a recognized compliance expert states that “security postures and threats change all the time. For health care organizations it is critical to test their own information security knowledge as well as current security architecture by occasionally engaging independent experts to conduct security risk assessments. Formal security assessments are expected under the HIPAA Security Rule and also required for compliance with meaningful use criteria. Not conducting such risk assessments regularly is foolish.”

Tips and best practices highlighted by the FTC

  • Avoid data security risks by only collecting needed sensitive information.
  • Hold on to information only as long as there is a legitimate business need for it.
  • Periodically review data and decide what needs to be kept and what is no longer necessary.
  • The longer the information is kept, the greater the risk that it may be misused or leaked.
  • Restrict access to sensitive data to only those that have a “need to know.”
  • Limit those with system-wide administrative access to data.
  • Establish strong authentication procedures, including passwords.
  • Require complex and unique passwords.
  • Store passwords securely to prevent unauthorized persons from obtaining access.
  • Guard against hackers by limiting the number of unsuccessful login attempts.
  • Periodically test for common vulnerabilities and security flaws.
  • Use strong cryptography to secure maintenance and transmission of sensitive data.
  • Keep sensitive information secure throughout its lifecycle.
  • Once information is transmitted and decrypted, it still must be protected.
  • Use industry-tested and accepted methods to safeguard and encrypt information.
  • Encryption must be configured and controlled properly to protect sensitive information.
  • Set up and monitor firewalls to limit access between computers on the network and the Internet.
  • Establish intrusion detection and prevention systems (IDS/IPS) for unwanted activity.
  • Install require antivirus and antispyware programs for remote users using the network.
  • Place limits on third-party access to the network.
  • Ensure design changes and changes in management decisions do not permit vulnerabilities.
  • Use readily available secure communications tools pre-installed on mobile devices.
  • If software offers a privacy or security feature, verify that it works as advertised.
  • Test for vulnerabilities in systems as many commonly-known, reasonably foreseeable ways as possible.
  • Take care to select service providers able to implement appropriate security measures.
  • Require service providers to adopt reasonable security precautions.
  •  Verify that the information collection program is consistent with privacy and security policies.
  • When using third-party software, apply security updates as they are issued.
  • Update and patch third-party software regularly to minimize security risks.
  • Have an effective process in place to receive and address security vulnerability reports.
  • Monitor usage and encryption of hard drives, laptops, flash drives, and disks.
  • Implement policies for secure document and data storage and retrieval.
  • Dispose of documents in a secure manner.
  • Protect devices that process personal information.
  • Secure sensitive information when it is outside the office.
  • Acknowledge that lost or stolen laptops, external drives, and mobile devices are a major cause of lost data.
  • Ensure files, drives, disks, etc. sent via ground mail or services are tracked and delivered.
  • Limit instances when employees need to carry sensitive data.
  • When traveling, confidential information should be kept out of sight.
  • Devices with confidential information should be under lock and key when out of sight.
  • No longer needed paperwork should be shredded, burned, or pulverized to be unreadable.
  • Old hard drives and media with sensitive information should be professionally wiped clean.
  • Have periodic independent risk assessments to keep data, reputation, and business information safe.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2015 Strategic Management Services, LLC. Published with permission.