Securing PHI



Xenon Health is committed to embracing and contributing to the ongoing changes in healthcare. The digitization of not just medical records but the entire care continuum is no doubt driving efficiency and improving patient outcomes. It has also heralded a substantial body of challenges. One of these is trying to combat the global specter of electronic protected health information theft. Cyber criminals have targeted patient information because of its ubiquity, detailed content and its value on the black market. Reportedly 80 percent of healthcare institutions have seen at least one cyber breach at some level. Consulting firm Accenture has projected that information theft associated with such breaches can cost the healthcare industry more than $300 billion of revenue within a span of five years. The reality is that most healthcare companies are not adequately prepared to combat cyber infiltration and data theft.


Some of the most common problems identified in healthcare organizations with respect to protection against data theft include:


  • Out-of-date software
  • Insecure protocols
  • Misconfiguration
  • Weak passwords
  • Patching flaws
  • Understaffed and underfunded cyber security departments
  • Human error within the organization
  • Access to computers in unrestricted areas
  • Lack of security standards with respect to mobile devices
  • Susceptibility to phishing and other social engineering attacks

At Xenon Health, every job is, to some degree, a cybersecurity job. Employees are trained from day one to be cognizant of patient privacy and vulnerabilities in their digital environment. We have mandatory HIPAA compliance training with recertification required every two years for all employees.


The following are some of the initiatives we have taken to secure and protect the digital information of our patients and healthcare partners:


  • Encrypted PCs and hardware
  • Secure networks with AES-encrypted routers
  • Encrypted and HIPAA-compliant digital communication platforms
  • Routine monitoring of all electronic communication logs
  • Frequent breach audits
  • Data storage in HIPAA-compliant and encrypted cloud storage with secure backups
  • Data encryption at rest and in transit
  • Digital security cameras with continuous storage
  • Dedicated security compliance officers in each administrative location
  • Frequent software updates and password changes
  • Multifactor authentication
  • Frequent review of access credentials
  • Strict adherence to the HIPAA Security Rule with implementation of the HIPAA Security Rule Crosswalk to the NIST Cybersecurity Framework

Just as we continue to refine our management protocols through an empirical and iterative approach, we continuously learn and further our defenses against EPHI theft.