Data Privacy Day is a day set aside to increase awareness of privacy and data protection for consumers and organizations. DPD began in Europe to commemorate the first legally binding international treaty dealing with privacy and data protection signed on January 28, 1981. In 2008, the United States and Canada joined Europe in recognizing Data Privacy Day.
This day serves as a good reminder for consumers and organizations to review privacy and data protections.
We sat down with Care Services’ CIO, Jeff Freund, to discuss how Care Services protects patient data and get tips for consumers on managing privacy and data protection.
Q. What does Care Services do to protect client data?
Jeff Freund: The short answer: A lot! I could actually spend all day on this subject. In a nutshell, privacy and security of patient information are of the utmost importance for us and we have many safeguards in place to protect data. We have comprehensive policies that govern our security processes – such as risk analysis and management, workforce security and incident logging and reporting.
For protection of data on our server and network, our policies include encrypting data on all servers and laptops, mobile device management, activity log monitoring, review and retention, and disaster recovery and business continuity plans.
We also have policies to protect data in motion. We use SFTP for all data file transfers and the highest available SSL encryption on all of our websites and webservice calls. We also use encrypted email to ensure PHI is not transmitted without secure processes.
Internal system development processes include use of a software development lifecycle (SDLC) for systems development, rigorous systems and UAT testing for all changes, use of change management protocol on all production environments and a requirement that all developers are OWASP trained.
Finally, even with all of these protections, we also manage user access (both physical and systems access) so that data access is only given to employees that require the information to perform their job. All employees undergo background checks and participate in training sessions every year on HIPAA and security so that we are constantly reminding employees of our policies and procedures for keeping data safe.
Q. How do you monitor data and security processes?
Jeff Freund: Monitoring is an important part of our overall security process and includes daily, weekly, monthly and annual scans, as follows:
- Vulnerability Scanning: Daily
- Anti-Malware Updates: Daily
- Log and Event Monitoring: Daily
- File Integrity Monitoring: Weekly
- Environmental Checks: Monthly
- Clean Desk Walk-thru: Monthly
- Active Directory Review: Monthly
- Phishing Simulations: Monthly (minimum)
- Review of accounts not accessed in 90 days: Monthly
- Firewall Reviews: Quarterly
- Secure Coding Training: Annually
- External Penetration Testing: Annually
- Risk Assessments: Performed annually and updated throughout the year as threats are identified and/or remediated.
Ultimately, data protection is not something you set up once and leave alone. We continue to assess, implement and monitor processes so that our protections are perpetually being updated to keep data protected.
Q. What is the difference between HIPAA and HITRUST?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that created national standards to protect sensitive patient health information. Regulations provide organizations best practices in three areas: administrative, physical security and technical security. While organizations managing patient health data must adhere to these regulations, there is not a certification process associated with HIPAA.
HITRUST is an acronym that stands for the Health Information Trust Alliance, which is an independent testing organization for companies that handle Protected Health Information. The HITRUST Certified Security Framework (CSF) certification is given to companies who successfully pass a rigorous security evaluation. The CSF certification demonstrates a company’s compliance with not only HIPAA but other guidelines, such as NIST, PCI and ISO. To become certified, there are 845 requirements that must be met.
Care Services is thrilled to announce that several of our systems and applications have earned Certified status for information security from HITRUST.
Q. What suggestions do you have for individuals to protect privacy and data online?
Jeff Freund: Personal data is collected and used for many reasons, and it’s important for individuals to be vigilant and take steps to protect their data:
- Never use unsecured WiFi – especially for any pages that require you to use login credentials to access information.
- Use strong password phrases that contain a combination of upper- and lower-case letters, numbers and symbols. The longer the password, the harder it is to break.
- Even when using secure passwords, change your passwords periodically. Consider setting a reminder to update your passwords every six months.
- Use a password management utility with strong encryption to store your passwords; this will allow you to give each site/application you access a unique and very complex password.
- Keep your software up to date. This will allow you to leverage protections the software provider has provided.
- Use virus protection and a firewall.
- On all new devices or programs, set privacy settings immediately.
In addition, don’t participate in online quizzes and games that ask personal questions about your family, your childhood, places you’ve traveled, pets, marriages, favorite items, etc. Every time you take one of these quizzes or publicly post responses about yourself, your data becomes readily available to hackers trying to steal your data or identity.
Finally, check financial statements regularly and question anything that doesn’t seem correct. Many credit cards also offer free credit checks that you can review as another protection. Make sure there are no credit inquiries that you did not initiate and that your credit review doesn’t reveal any other concerning data.
By taking these steps, you can help to protect your privacy and data security.
Jeff Freund is chief information officer of Care Services, LLC, a health services company, and parent company of InMedRx, MedCallRx, GeriScriptRx, Complete Delivery Solution, and Hospice Pharmacy Solutions. His expertise includes IT management and strategic planning, software development, business intelligence, information assurance, regulatory compliance, and vendor management.
Freund joined Care Services in 2018, bringing 20 years of IT and health care leadership experience and the ability to translate medical and technical concepts into easily understood business principles. Previously, Freund served as vice president of information technology at Envision Physician Services and as a chief information officer at Phoenix Physicians, PhyAmerica Physicians Group, Scott Medical Group, and Primevision Health. He also served in leadership positions at Orlando Health Care Group and Harris Corporation.
Freund received a Bachelor of Science in Computer Science and a Master of Science in Computer Science from the University of Central Florida.