Data that has been classified as protected under HIPAA must be effectively protected. Protection must include limiting access to appropriate individuals. This includes physical access to the computers containing the data as well as electronic access.
Maintain Physical CRM System Access
Physical access control includes limiting and tracking who has access to the servers supporting a HIPAA compliant CRM system. State-of-the-art facility access control combines biometric or electronic badge-based access control with logging of who accessed the facility. Biometric access is the most secure because it requires the person to be physically present to enter the facility and reach the servers. The two most common biometric access control systems are fingerprint scanning and eye (iris or retinal) scanning. However, electronic badge-based access control is more widespread because the technology is more mature and cheaper to implement, at least initially. Access is granted to whoever holds the badge, and typically security personnel will verify the identity of the badge holder. Over the past few years facial recognition has become both reliable and cost effective, and it will surely become a more common means of authentication and access as the technology spreads.
Regardless of the technology used for facility access control, a log of visitors is crucial to ensure HIPAA compliance. Electronic logging is the norm today: simply an electronic record of who entered the facility and when.
Maintain Electronic CRM System Access
For a HIPAA compliant CRM system, electronic access control typically means securing access via the network. Modern secure service access includes multi-factor authentication. With multi-factor authentication, the user wishing to access the server must supply the standard username and password, plus something the user either has or knows, or both. For instance, the user may be required to provide information that only they would typically know, such as their favorite song or movie. Better still is to also require that the user has something, and that something is access to a unique token. There are many ways to create such tokens (a phone app that generates tokens, a token sent via text to the user’s phone, etc.). Tokens should be one-time tokens, meaning they can be used only once, and they should time out after a short duration, such as 60 seconds.
Enabling multi-factor authentication is a very secure way to ensure that only authorized users are accessing your servers.
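As an added example (not ActivePrime's code), the following shows the server-side check for the kind of token described above: an RFC 6238-style time-based code with a 60-second step that is rejected once it has been used or once its step has passed. The secret and timestamps in the usage section are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # token lifetime, matching the 60-second guidance above
DIGITS = 6


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


class SecondFactorVerifier:
    """Server-side verifier enforcing both properties the post asks for:
    the token must belong to the current (or immediately previous) 60-second
    step, and no token for a step that has already been consumed is accepted."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret = secret
        self.step = step
        self.last_used_counter = -1   # highest time-step counter already spent

    def verify(self, submitted: str, now: float) -> bool:
        counter = int(now // self.step)
        # Accept the current step and the one just before it to absorb clock skew,
        # but never a step at or below the last one consumed (replay protection).
        for c in (counter, counter - 1):
            if c <= self.last_used_counter:
                continue
            if hmac.compare_digest(totp(self.secret, c), submitted):
                self.last_used_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo values; a real deployment stores a per-user random secret.
    demo_secret = b"constructed-demo-secret"
    t = 1_700_000_000
    verifier = SecondFactorVerifier(demo_secret)
    token = totp(demo_secret, t // STEP_SECONDS)
    print("first use accepted:", verifier.verify(token, t))        # True
    print("replay accepted:", verifier.verify(token, t + 5))        # False
    print("expired accepted:", verifier.verify(token, t + 120))     # False
```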
ActivePrime has worked hard to make sure we can help with these CRM system security challenges and rules. We are dedicated to making the healthcare experience as positive as we can. We want to help both customers and organizations maximize their investment in CRM systems. We want all to be covered by health care insurance and support.
Visit our website to learn more about our HIPAA Compliance solutions.
This post is part of the ActivePrime HIPAA Compliance Blog Series, a series of articles designed to give healthcare organizations technical insight and techniques upon which to build a HIPAA compliant organization. For the introduction to the series and other posts in the series, please click here.