HIPAA's next security measure contains regulations on the techniques and technologies that should be used in all equipment, devices and software that have confidential patient information.

This rule requires that clinics, clinics, hospitals and others have the minimum acceptable security employed in the technologies used to ensure the privacy of patient data inserted in it, while still being flexible enough that the companies that handle this information can decide which ones technologies best fit your work routine.

What the standard says

"Having the technology, policies and procedures that protect electronic health information and control who has access to it".

Let's start with access to information, the measure says that only people who need access should have it, that is, there must be a reason for an employee to have access to patients' confidential information. Within this topic, the measure says that each employee must have a unique user access, provided with a password to obtain access. It should be possible to identify users and their last accesses if necessary.

As for personal access, the healthcare facility may require passwords, PINs, a token, card, key, or even biometric recognition such as fingerprints, voice patterns, face or iris, depending on the needs of the facility. In the event of an emergency occurring on site, there must be ways to save information in the event of catastrophes. These procedures must be recorded and must be trained by the team, so that in the event of a real catastrophe everyone knows how to save patient information.

Automatic logoff is another point that can help with data security, since it closes a user's section alone after the user stays a certain time without tampering with the system, making it impossible for unauthorized people to use and collect data they shouldn't have. Encrypted data is also an extra barrier against attacks and information theft.

Within the protection of these data, there is also the question of integrity, which provides for the alteration and destruction of the information contained in the system used, and the health establishment must ensure that there are procedures that protect the data from any types of attacks.

For data transmission, it is necessary that the system has protections against possible errors, and even captures or intercepts of this data while transmission and communication between network servers occurs. In order to better decide on transmission safety, the health establishment must first define which methods are used, for example, by email, by network, by some other type of equipment, etc. As long as data integrity and security are maintained, they can be transmitted by any means.

Source: HHS - Tech Safeguards