In today's digital age, cyber attacks have become a major concern for individuals and industries alike. With the increasing reliance on the cyber world for various activities, such as financial transactions and healthcare services, the exchange of confidential information has made us vulnerable to hackers. This includes sensitive data like medical diagnoses, prescriptions, social security numbers, addresses, PINs, passwords, and even mental health records. Hackers are constantly on the lookout for weaknesses in cyber security systems that they can exploit. Therefore, it is crucial for all industries, including mental health agencies, to be aware of and prepared for such cyber threats.
Mental health records and services increasingly include telehealth, online document exchanges, and e-signatures. These technological advancements provide greater access to quality care for clients. However, it is crucial for agencies to recognize that these activities also expose them to potential security risks. Therefore, it is important for agencies to prioritize their EHR security preparedness in order to safeguard sensitive information and maintain the trust of their clients.
I sat down with Ben Levenson, Exym's DevOps Lead, to discuss ways that mental health agencies can reduce risks moving forward.
General healthcare information and mental health records have become a primary target for commercial hackers. The amount of personal data held by care organizations is much greater than even financial institutions hold. Credit card numbers can easily be replaced, PINs changed, etc. However, your name, social security number, and mailing address are much harder to change. Once a threat actor has this information, they are able to perpetrate much larger and longer-term fraud.
Almost every system an agency uses presents risk. For example, what if you use an independent PTO (paid time off) system, not directly tied into anything else? Seems pretty safe, right? What about the login? Do your employees use the same email and password? The same security reset questions? Access to that one system is only a short step away from access to financial and healthcare systems.
The single most important thing you can do is enable multi-factor authentication (MFA) everywhere. Microsoft says MFA reduces identity compromise by 99.9% over passwords. Start with the easy ones: email systems, electronic medical record systems, financial systems. Vet new vendors to ensure they have an MFA system that works for your staff.
The next thing to do is training. No computer system is perfect, so training your staff to recognize and mitigate threats is critical for protecting information. Recognizing dangerous websites, phishing emails, and social engineering attempts will help them be better stewards of client data within mental health records and their own personal data.
Telehealth sessions have experienced a staggering growth of over 4,000% since March of 2020. As mental health organizations adapt to this new normal, it is crucial to treat telehealth sessions with the same level of care and security as in-person sessions. Ensuring that only authorized individuals are present in the sessions is paramount. Additionally, it is important to create a secure online environment by implementing HTTPS encryption with a strong cipher. When selecting vendors, prioritize those who specialize in healthcare and have a comprehensive understanding of HIPAA requirements. It is also essential to consider the security of the endpoints used by staff, ensuring they meet the same level of security as the software being utilized.
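As an added example (not Exym's code or part of the original article), the snippet below shows what "HTTPS with a strong cipher" means in concrete configuration terms, using only Python's standard `ssl` module: a client TLS context that requires TLS 1.2 or newer, certificate verification, and forward-secret AEAD cipher suites only, plus an audit function that reports the findings an IT team would look for when vetting an endpoint or vendor integration. The cipher string and the deny-list of weak cipher markers are assumptions chosen for this example, not settings taken from the page.

```python
import ssl

# Constructed deny-list for this example: substrings that identify cipher
# suites a healthcare-facing deployment should never negotiate (RC4, DES/3DES,
# NULL encryption, MD5 MACs, export-grade and anonymous key exchange).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")

# Assumed cipher string: forward-secret ECDHE key exchange with AEAD ciphers
# only; '!aNULL' and '!MD5' exclude anonymous suites and MD5 MACs explicitly.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def weak_cipher_names(names):
    """Return the cipher suite names in `names` that match a weak marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_CIPHER_MARKERS)]


def build_hardened_context():
    """Client-side TLS context: TLS 1.2 minimum, AEAD-only suites, certificate checks on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.check_hostname = True            # default for PROTOCOL_TLS_CLIENT; stated for clarity
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return human-readable findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum TLS version is {ctx.minimum_version.name}; require TLSv1_2 or newer"
        )
    # get_ciphers() lists every suite the context would offer, including TLS 1.3 suites
    offered = [c["name"] for c in ctx.get_ciphers()]
    for name in weak_cipher_names(offered):
        findings.append(f"weak cipher suite enabled: {name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is not required")
    return findings


if __name__ == "__main__":
    print("hardened context:", audit_context(build_hardened_context()) or "no findings")
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.minimum_version = ssl.TLSVersion.TLSv1_1   # deliberately weak, for the demo only
    for finding in audit_context(weak):
        print("weak context:", finding)
```

The same audit can be pointed at a server-side context built with `ssl.PROTOCOL_TLS_SERVER` when reviewing an agency's own telehealth or document-exchange endpoint; the point is that "strong cipher" is a checkable setting, not a marketing phrase.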
With so many people now working remotely in mental health fields, we have the perfect opportunity to adopt a Zero Trust security model. Traditional computer security models focused on the perimeter, or edge, of your network. This was basically the building you were in: everything inside was trusted, and everything outside was not.
However, with staff now being in multiple locations and software hosted in the cloud, it is time to look at cloud data security programs. These types of programs use a Zero Trust model, which assumes every single connection is a breach attempt. Every connection needs to be verified through identity, location, MFA, and user patterns.
This approach helps implement explicit verification and least privilege access at every point at which humans interact with the mental health record. At Exym, we have been using the recent shift in the mental health field as an opportunity to reexamine all of our security policies, make adjustments to the latest standards, and increase our ability to monitor and enforce security at every layer.
In 2021, Exym launched Exym Engage, an all-in-one telehealth software solution. This module allows the clinician to move through their daily tasks from one centralized location, simplifying their workflows so they can focus on what they do best: delivering great care.
Exym Engage includes capabilities like sharing documents with the client through secure messaging within sessions, collecting intake documents and filing them in the client's mental health record, collecting electronic signatures from clients' phones or computers, and communicating with clients between sessions through digital messaging. Clients can also retrieve requested records electronically.
All of this comes with the same standards of HIPAA compliance, access controls, and secure cloud data security programs for record retention that are built into Exym's EHR security protocols.
Exym is a comprehensive EHR software solution designed specifically for behavioral health agencies. Trusted for 20+ years, our intuitive and customizable software empowers providers to improve client outcomes, manage revenue cycles, and increase agency efficiency. Exym allows you to spend more time on what matters most: the clients in your care.
Visit our Clinical page to see why clinicians love Exym, and our Operations page to learn more about the EHR security features your IT department needs, like 256-bit encryption, HIPAA compliance, and frequent penetration testing.