Reputation and revenue aren't the only things on the line when healthcare security is breached. Poor data security is also a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA was created to ensure that people and their healthcare data are protected from fraud. In today's digital world, such laws are more important than ever.
When pitching networked healthcare AV to a client, it's important to take these laws under consideration. Here's what you should know about HIPAA rules, security and privacy.
Adhering to HIPAA Rules
HIPAA wasn't enacted with today's ultra-connected world in mind. “Since the enactment of HIPAA in 1996, the industry has moved from paper-based solutions to one where patient information is completely controlled by software and universally accessible via web applications,” says Metro Data.
However, this doesn't mean that HIPAA compliance doesn't take software and data security into account. “No HIPAA compliance effort is complete without ensuring that software applications have been tested for vulnerabilities which may compromise the integrity or privacy of patient information.”
There are rules that explicitly state the importance of data privacy. According to the American Medical Association (AMA), the HIPAA security rule requires physicians to protect patients' electronic health information (ePHI). Physicians are expected to use “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information.”
Derek Wiedenhoeft notes that there are a number of things that healthcare professionals should do in order to be HIPAA compliant. Some of these things include making a distinction between web, database, and production hosting servers, acquiring antivirus and multifactor authentication (MFA) software and using private firewalls.
There are some exceptions when it comes to certain forms of communication, such as teleconferencing, says VSee. “Under the Security Rule, paper to-paper faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail do not count as E-PHI because they did not exist in electronic form before the transmission.”
Since today's healthcare providers use a variety of technologies and tools to communicate both internally and with patients, it's important to understand when and how HIPAA rules apply.
Preventing a Security Breach
Healthcare breaches are disturbingly common. As Jessica Davis writes, more than 25 million patient records were breached just in the first half of 2019. This shows why AV security in healthcare is such an important concern.
Adnan Raja, vice president of marketing at atlantic.net, stresses the importance of preparing properly for a potential breach. “You need a planned response that is easy to execute, but thoroughly designed.”
No security is 100 percent effective, but networked AV is a smart choice for preventing breaches so that they are both less frequent and less severe.
Have the security conversation with healthcare clients early, and the process of introducing new AV systems will be far smoother.
AV Over IP in Patient Data Security
While general security is an important part of HIPAA compliance, there are some specific things to consider when pitching AV.
For example, Christopher May at AV Bend discusses the role of AV design in data security. He points out that healthcare providers must find a way to prevent individual discussions from being overheard by anyone other than the conversation's participations. Since sound travels easily and immediately, soundproof rooms and walls are essential for maintaining privacy in this manner.
Moreover, the placement of audiovisual equipment within these rooms can enable multiple, private conversations to be happening at once without fear of intrusion or eavesdropping.
This is just one of many reasons why healthcare providers may wish to adopt a customized AV over IP solution. Consider a hospital operating theater that needs private, high-definition content to be displayed, says ZeeVee CTO Steve Metzger. Such a situation would require a dedicated IP network just for transmitting information to the theater. Separate infrastructures can give greater control over extremely sensitive data.
Some healthcare providers might be unsure of adopting the new technology, and others may desire to stick to traditional AV. Remaining in the old system can be highly limiting, however, and healthcare entities could be putting themselves at risk by relying on traditional AV. They may also be preventing themselves from growth, as traditional AV is much less flexible and harder to scale than networked AV.
Helping providers debunk the myths around AV over IP can ensure that they make a better choice for their patients' futures
“A common misconception about migrating from hardwired AV to AV over IP is that the latter introduces more security risks than traditional AV. With more flexibility and new deployment options, education is the best ally to AV administrators,” says Matrox.
Establishing a Secure Network
What's most important to discuss when implementing a secure networked AV solution for healthcare companies?
According to Bart van Moorsel at Tech Data, having a strong understanding of security across all departments, tools and staff members creates a solid foundation.
“When onboarding AV devices, businesses should install patch updates the same way they would any other network-attached device. AV devices should always be managed by the IT team as part of the network's wider security strategy.”
When working with a healthcare client, get their IT team involved early. The two of you can work together to put together a system that is secure and compliant.
This partnership is especially beneficial because it will help safeguard the network as well as the AV equipment. Network security is essential when working with HIPAA rules, writes Juliana De Groot at Digital Guardian. “This safeguard addresses all methods of data transmission, including email, internet, or private networks, such as a private cloud.”
Additionally, Gemalto suggests a number of protection measures, such as physically securing equipment and ports, protecting and securing external network access and performing regular internal security audits. These are all suggestions you can make when pitching to healthcare clients.
Maintaining a healthy balance of security measures is also important, says writer Adam Lovinus.
“Not every endpoint communication needs deep packet inspection. That slows the network. Use VLANs to separate users and endpoints that access medical systems with PHI data. The firewall routes traffic between VLANs.”
By being proactive and informed about HIPAA-compliant security measures, you can be sure to pitch the right equipment to healthcare prospects and set it up properly.
Images by: ximagination/©123RF.com, Mark Bowden/©123RF.com, Katarzyna Białasiewicz/©123RF.com
