
The 10 Policies You Need to Stop Lab Employee PHI Breaches

Jul 30, 2018 | Compliance Corner-lca, Compliance Perspectives-lca, Essential, Lab Compliance Advisor

From G2 Compliance Advisor

Safeguarding personal health information (PHI) data from hackers, identity thieves and other cyber threats isn’t just a legal obligation but a business imperative. Yet, with so much on the line, breaches keep happening, even at large and sophisticated labs that invest millions in data security.

The Problem: Employees
Many PHI breaches can be traced back to employees. Whether deliberate or inadvertent, acts or omissions of a single employee can undermine an elaborate data security system.

The Solution: Technology + Policies
While technology is part of the solution, you must also have the right personnel policies to prevent breaches and keep precious PHI secure.

1. Computer Use Policy
Computer use policies should define proper use of lab computer and digital resources and specify acceptable and unacceptable uses of fixed, laptop and mobile computing devices and network resources.

2. Email Use Policy
Employee email mishaps are a leading cause of PHI breaches. So, you need a policy explaining the proper use of your lab’s email systems, addressing:

  • Information emails and attachments can contain;
  • Replying and forwarding of emails and attachments, e.g., banning automatic forwarding of emails containing PHI;
  • Measures to keep emails and attachments secure; and
  • Retention of emails containing PHI.

3. Social Media & Blogging Policy
You also need a policy making it clear that employee blogging and social media use is subject to your lab’s data security restrictions even when it occurs within their own home after work. Key provisions:

  • Ban on disclosure of PHI and other confidential information;
  • Require employees to behave in a professional manner and refrain from conduct that may harm the reputation, image or goodwill of the lab, its employees, patients or clients;
  • Ban on discrimination and harassment;
  • Ban on employees speaking on behalf of the lab without authorization.

Employee Computer, Email & Social Media Use IS Your Business

Be sure to specify in your computer use, email and social media use policy that the lab has the right to monitor employee compliance and that employees should have no expectation of privacy in how they use their work computers and email systems.

4. Clean Desk Policy
The purpose of this policy is to warn employees against carelessly leaving PHI out in the open and explain what they must do to secure PHI in their work area when they go home at night or leave their workstation for an extended period, including verifying that:

  • Computers are shut down and secured;
  • Hardcopy documents are removed and locked in secure files or drawers;
  • Drawers and file cabinets are locked and the key isn’t left unattended;
  • Whiteboards are erased;
  • Printers and fax machines are cleared of papers as soon as printing is done.

5. Workstation Security Policy
It takes more than physical barriers and technical safeguards like encryption to achieve workstation security. You also need a policy listing the measures employees must take to keep their workstations secure, such as:

  • Allowing only authorized personnel into their workstations;
  • Making sure workstations are locked when they’re away;
  • Logging off and securing their computers before leaving at night;
  • Complying with password restrictions;
  • Not installing unauthorized software;
  • Not using personal devices or systems to store PHI.

6. Password Creation & Protection Policy
Inadequate password protection by employees is a major weak spot in data security systems. To address the problem, you need a policy requiring employees to create strong passwords that lists guidelines, including:

  • Standards passwords must meet, e.g., at least 12 alphanumeric characters in length;
  • Things to put in passwords, e.g., upper and lower case letters and characters like *&^%#;
  • Things not to put in passwords, e.g., birthdates, names and other personal information.

There should also be a clear process for changing passwords and a policy requiring employees to keep their passwords secure that lists common mistakes to avoid, such as:

  • Writing passwords on post-its or note pads and compounding the error by leaving the post-it out in the open or even under the desk or another obvious hiding spot;
  • Sharing passwords with others;
  • Including passwords in emails or disclosing them on the phone;
  • Using the same password for multiple accounts.
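As an added illustration (not part of the article), the following Python check applies the creation standards listed above to a proposed password. It assumes a minimum of 12 characters, reads "alphanumeric" as requiring at least one letter and one digit, uses a constructed list of acceptable symbols, and takes the employee's name and birthdate so it can reject the personal information the policy bans:

```python
from datetime import date

# Policy parameters. MIN_LENGTH follows the 12-character standard in the text;
# the symbol list is a constructed superset of the "*&^%#" examples given there.
MIN_LENGTH = 12
SYMBOLS = set("*&^%#!@$()-_=+[]{};:,.?/")


def _personal_tokens(name: str, birthdate: date) -> set:
    """Strings a password must not contain, derived from the user's own details.

    Name parts shorter than three characters are skipped to avoid false positives
    on initials; the birthdate is expanded into the common numeric spellings.
    """
    tokens = {part.lower() for part in name.split() if len(part) >= 3}
    for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%m%d%y", "%Y%m%d"):
        tokens.add(birthdate.strftime(fmt))
    return tokens


def check_password(password: str, name: str, birthdate: date) -> list:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):  # assumption: "alphanumeric" implies a digit
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no special character such as *&^%#")
    lowered = password.lower()
    for token in sorted(_personal_tokens(name, birthdate)):
        if token in lowered:
            problems.append(f"contains personal information ({token})")
    return problems


if __name__ == "__main__":
    # Constructed sample employee record for demonstration only.
    for candidate in ("anasilva1985", "Tr0ub4dor&3xyz"):
        print(candidate, "->", check_password(candidate, "Ana Silva", date(1985, 7, 14)) or "OK")
```

The same function can back a self-service password change form or an onboarding script, so the rules are enforced rather than merely published.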

7. Data Removal Policy
Many data breaches are the result not of hacking or deliberate cyberattack but of lost and stolen laptops. So, you need a policy restricting employee removal of PHI, including:

  • A requirement that removals be authorized;
  • A clear process for granting such authorization;
  • Limitations on what data can be removed; and
  • Mandatory safeguards for protecting removed data.

8. Bring Your Own Device (BYOD) Policy
In an era of mobile computing, you should have a BYOD policy addressing:

  • Whether employees can bring personal electronic devices to work for work-related uses;
  • Which devices are approved for BYOD;
  • Which uses are acceptable;
  • Restrictions on uses, e.g., banning use of personal devices to download lab files containing PHI;
  • Measures employees must take to keep their devices secure, e.g., use of passwords or encryption.

9. Remote Access Policy
While letting employees connect to your lab’s network from remote locations boosts productivity, it can also compromise network security. So, you need a remote access policy explaining the requirements for connecting to the network from an external network or host, including:

  • Who will have remote access privileges;
  • Acceptable and prohibited uses for remote access;
  • Required measures remote users must take to ensure the connection is at least as secure as the user’s on-site connection; and
  • Standards for connecting Bluetooth-enabled devices to the network or lab-owned devices.

10. Data Breach Response Policy
While prevention is the paramount objective, labs must also be prepared to respond effectively to any data breaches that occur. The key is finding out about the breach as swiftly as possible. And because employees are usually the first to know, they should be required to notify their supervisors immediately of any breaches they know about or suspect.
