To support the surge of test results and medical records being transmitted during COVID-19, hospitals, laboratories, and pharmacies implemented additional devices and remote connections into their networks. After the Office for Civil Rights (OCR) lifted penalties around telehealth to expand care options amid the crisis, new platforms were adopted that were not previously allowed by the Health Insurance Portability and Accountability Act (HIPAA). This exercise of discretion applied to applications including FaceTime and Skype, regardless of whether the telehealth service administered while using the apps was directly related to the coronavirus.
Unfortunately, this also increased security risks across thousands of healthcare organizations. Since many communications apps are not HIPAA compliant, the risk of a data breach occurring that compromises personally identifiable information (PII) is imminent. For example, although Apple is a HIPAA business associate, it is not willing to sign a BAA, and therefore, Apple services (i.e., FaceTime) are not HIPAA compliant.
Fueling Healthcare Innovation
In 2020, adopting new technology to ensure the health and safety of patients shouldn’t adversely affect security and privacy. Today, digital and direct fax solutions can securely integrate with mobile applications and third-party messaging platforms such as Slack, Teams, and Microsoft Fax while maintaining HIPAA, SOC 2, and PCI DSS compliance.
To ensure that protected health information (PHI) remains secure at all times, organizations should utilize a hybrid-cloud fax network that leverages defense-in-depth strategies including end-to-end encryption and two-factor authentication. Unlike traditional PTSN-based networks, digital fax technology delivers time-sensitive documents fast, and with high-resolution, near-diagnostic image quality.
The following are the most important security features to look for when adopting new technology during the pandemic and beyond.
Direct Digital Fax
Many patients and organizations are unaware that a data exchange via email or text message will typically pass through multiple servers before it reaches the final point of delivery. This indirect transmission method can leave PHI and other unstructured data vulnerable to imminent threats of cyberattacks.
Utilizing a hybrid-cloud network with direct digital faxing is the key to ensuring communications never traverse an external telephone network and that data is protected against unauthorized access. Black and white lists can also be leveraged to place further restrictions on the exchange of sensitive information. This allows patients to receive high-quality care at home or in person without compromising their personal information.
HITRUST CSF Certification
The HITRUST CSF certification has become the gold standard for compliance framework in the healthcare industry as it addresses the requirements of existing standards and regulations including HIPAA, PCI, COBIT, NIST, ISO, FTC, and state laws. While the HITRUST CSF can be used by all organizations that create, access, store, or exchange sensitive and/or regulated data, it is ideal for healthcare organizations because of its prescriptive framework for managing the security requirements inherent in the Health Insurance Portability and Accountability Act.
HITRUST offers providers a trusted benchmark from which they can measure and manage their own compliance, while offering proven protection to their patients and partners. For guaranteed security, healthcare organizations should look for a fax provider that is HITRUST CSF certified in addition to SOC 2 and PCI DSS compliant.
Implementing a secure exchange network that leverages well-defined end-to-end encryption methods, such as those defined in the Elliptic Curve Integrated Encryption Scheme (ECIES), is crucial to fully protect the transfer of information between two endpoints. This hybrid encryption scheme uses Elliptic Curve Cryptography to generate a shared secret between peers to seed the encryption process with unique keying material while signing and authentication mechanisms assure the validity of the data in transit. Even if a third-party attempted to eavesdrop on the network communication, the information itself would be indecipherable thanks to end-to-end encryption.
Two-factor authentication (2FA) should also be utilized on every device that sends and receives PHI. Two-factor authentication can prevent data breaches on applications and platforms by requesting a combination of credentials at access points that only the actual patient, doctor, billing operator, or pharmacist would know.
Overall, a lack of network security can have an adverse effect on patient care. To secure healthcare technology during the pandemic and beyond, organizations must extend legacy devices, remote connections, and telehealth services to a secure exchange network via the cloud. Hybrid-cloud fax technology can provide end-to-end encryption, two-factor authentication, and direct transmissions to protect the integrity of PHI while ensuring that business-critical communications are sent with ultra-fast transmission speeds.