Top 10 Tips for Healthcare IT Security 1

Top 10 tips for healthcare IT security

Those in the healthcare industry are accustomed to fulfilling a long list of compliance responsibilities and personal health information (PHI) safeguards under HIPAA. Yet even with built-in safeguards, the risks to the integrity of systems management increase every day. Review these 10 tips to stay proactive about bolstering your information security protections.

  1. Conduct regular risk assessments

    Top 10 Tips for Healthcare IT Security 9

    Under the HIPAA Security Rule, healthcare providers, health plans, and their business associates are required to conduct and update risk assessments. This includes assessing third parties that perform certain functions requiring the use of PHI – such as claims processors, or incorporating cybersecurity assessments when conducting due diligence as part of any merger and acquisition activity. Not only do these periodic checkups ensure compliance with the law’s technical, administrative, and physical safeguards, but they can also help reveal areas where PHI could be vulnerable.

  2. Have a formal incident response plan in place

    Top 10 Tips for Healthcare IT Security 7

    Should a data breach occur, having a robust incident response plan already in place gives you a roadmap to quickly respond, investigate, and minimize damage. Immediate action steps include detecting, documenting, and gathering evidence to prioritize incident handling and reporting to internal personnel and external organizations.

    Establish a team to lead these communication and response efforts, share information, manage communication, and ensure that all emergency tasks are being carried out. Communication to staff, those impacted by the event, and media venues by authorized personnel needs to be managed efficiently and accurately to avoid misinformation and confusion. Such preparation and vigilance pays off: One study found that an incident response team can reduce the cost of a breach by as much as $14 per compromised record from the average per-capita cost of $148.[i]

  3. Transition from paper records to secure, encrypted computer databases

    Top 10 Tips for Healthcare IT Security

    Electronic health records (EHRs) outperform paper medical records when it comes to providing better access to and use of PHI. However, EHRs also introduce new privacy and security risks. The mix of security risks can depend on the type of EHR hosting you have: office-based (local host) or Internet-hosted (remote host). Check your EHR server often for viruses and malware.

  4. Encrypt data and hardware, such as servers, network endpoints, mobile, and medical devices

    Top 10 Tips for Healthcare IT Security 1 

    As devices become more sophisticated and provide greater access to electronic PHI, healthcare organizations require even greater control and management to protect patient information and comply with HIPAA. Ensure that all of your hardware is encrypted and backed up (perhaps with a third-party provider). And if you allow employees to use their personal computers or phones for work purposes, create a BYOD (bring your own device) policy to be sure that everyone is following security, compliance, and software update protocols.

  5. Educate employees about staying compliant

    Top 10 Tips for Healthcare IT Security 8

    Commit to a HIPAA training program for all new staff when they are hired and on a regular basis for the entire team. Nearly four of 10 reported security breaches are caused by unauthorized access or improper disclosure of PHI. In fact, these types of breaches are the No. 1 most common HIPAA violation, according to HHS data.[ii] From sharing logins to abusing social media, human error is a major factor. Staff should be trained at least once every year and any time your facility changes its policies or procedures, systems, location, or infrastructure.

  6. Implement different access levels for employees’ access to personal health information (PHI) based on their job duties

    Top 10 Tips for Healthcare IT Security 5

    Assess employees’ job functions and allow them to access only the minimum necessary health information as appropriate. Create a flowchart of roles and supervision, with access levels clearly marked for each tier of responsibility. Ensure that the flowchart is updated regularly – and assign a staff member this responsibility.

  7. Immediately stop access to PHI by terminated employees (or contractors) and escort them out if necessary

    Top 10 Tips for Healthcare IT Security 6

    In situations of employee termination (especially involuntary discharges), be prepared in advance to do the following: Block computer system access; change passcodes to protected information and secure logins; remove all enterprise-related software; review post-termination restrictions on nondisclosure; collect keys, identification badges, and organization property; and use personal security to escort them from the building if necessary.

  8. Require a two-step verification process to ensure that mail and email recipients’ information is correct before sending invoices or appointment reminders

    Top 10 Tips for Healthcare IT Security 3

    Two-step verification can help protect against inadvertently sending one person’s PHI to another. It uses two forms of identity to verify a recipient or account sign-in – typically a password and a contact method. Train staff not to send PHI via email unless the data is encrypted. Direct-messaging software and secure patient portals are just two ways that serve this purpose.

  9. Shred paper records when no longer needed

    Top 10 Tips for Healthcare IT Security 2

    Shredding documents means using a method that ensures that PHI is rendered unreadable, indecipherable, and otherwise can’t be reconstructed. Many organizations contract out to third-party providers for this service to ensure that it is done correctly – and on schedule.

  10. Prevent break-ins by implementing physical safeguards such as security alarms, security guards, and locks on windows and doors

    Top 10 Tips for Healthcare IT Security 4 

    In addition to the HIPAA Security Rule’s technical and administrative safeguards, your healthcare organization is also responsible for physical security aimed at preventing unauthorized facility access, tampering, and theft of PHI. At a minimum, HHS recommends common controls such as locked doors; signs warning of restricted areas; workstation protocols; computer screens shielded from secondary viewers; secure rooms; surveillance cameras; alarm systems; identification badges; visitor badges; visitor escorts; and private security or patrols.[iii]

Preventing data breaches and maintaining IT security in a healthcare setting is a big challenge – but you don’t have to go it alone. Consult with your insurance provider to get advanced expertise on mitigating risk, or visit our website for more information on Liberty Mutual’s healthcare offerings.

[i] Ponemon Institute, 2018 Cost of a Data Breach Study.

[ii] Enforcement Results as of May 31, 2018, Health Information Privacy, U.S. Department of Health and Human Services.

[iii] HIPAA Security Series 3, Security Standards: Physical Safeguards, U.S. Department of Health and Human Services.


This website is general in nature, and is provided as a courtesy to you. Information is accurate to the best of Liberty Mutual’s knowledge, but companies and individuals should not rely on it to prevent and mitigate all risks as an explanation of coverage or benefits under an insurance policy. Consult your professional advisor regarding your particular facts and circumstance. By citing external authorities or linking to other websites, Liberty Mutual is not endorsing them.