File-Sharing And HIPAA – How You Can Keep Health Data Secure in an Era of Collaboration
By Tim Mullahy
Tim Mullahy is executive vice-president and managing director at Liberty Center One of Royal Oak, MI.
Collaboration is at the heart of modern workflows, and file sharing is at the core of collaboration. That’s as true in the health industry as it is anywhere else. The difference with healthcare, of course, is that the risks of doing file sharing improperly — of distributing files without due attention to security — are higher.
File-sharing and collaboration are necessary for effective patient care. Medical and support staff alike need to be able to openly and readily share patient data with one another, communicating seamlessly both within hospital environments and without. The problem, of course, is enabling such collaboration without violating HIPAA.
After all, Protected Health Information (PHI) is some of the most sensitive data in the world. The penalties, should it fall into the wrong hands, are rightly strict. That isn’t to say that enabling file-sharing is impossible, just that it needs to be done while keeping a few things in mind.
Encrypt all files
Although HIPAA doesn’t mandate file encryption (it’s recommended, not required), encrypting all data both in-motion and at rest is critical if you’re going to ensure that your files can be shared securely. In the event that a device containing HIPAA is in some way compromised, encryption will ensure that the data it contains remains safe.
I’d advise that you use SSL encryption and use some form of VPN or secure tunnel to keep your files protected when they’re shared across external networks.
Assign unique IDs to all staff
Every user with access to your file-sharing and collaboration platform needs a unique identifier. In addition to being useful for the purposes of authentication, these IDs will allow you to track data access and usage. The idea is that you need to know what data each of them have accessed and what they’ve done with that data at any point in time.
Implement multi-factor authentication
Usernames and passwords are an important component of access control, but they represent only a partial solution. To keep both your files and the platforms through which staff collaborate secure, you’re going to want multiple means of ensuring people are who they say they are. These could include:
- Biometric (fingerprint scanners, facial recognition, voice identification, retinal scanners)
- Behavioral (common login locations, common access and browsing habits, etc.)
- Hardware-based (device recognition, hardware tokens)
Here’s one directly from the HIPAA guidelines. Any file-sharing or collaboration solution you use needs to have a timeout process built in. After a set period of inactivity (10 to 15 minutes is probably a safe bet), an employee account should be automatically logged out. This protects against unauthorized access via unattended devices.
Ensure that all software is HIPAA-compliant
Last but certainly not least, for each collaboration solution you implement, check with the vendor to ensure that it complies with HIPAA’s regulatory guidelines. Most vendors that support HIPAA compliance will be open about it. Moreover, their solutions will provide full logging and auditing functionality, alongside all the other security controls necessary to stick to HIPAA.
HIPAA need not represent an obstacle to effective collaboration. Provided you incorporate a compliant solution and take all the necessary measures to keep your data safe, you can enable your clinicians, support staff, and everyone else who needs access to collaborate for better, faster patient care.