Cyber Security and HIPAA in a Medical Contact Center



By Bobby Bennett

With cyberattacks on the rise, what steps should a contact center take to avoid falling victim? The first is to recognize that it could happen to anyone. Do not equate small with safe. According to a 2017 Trend Micro online survey, 45 percent of small business owners believe they will never be targeted. The cyber security firm 4iQ states in its 2019 Identity Breach Report that cybercriminals targeted small businesses with cyberattacks at an inordinate rate in 2018, up 425 percent over the previous year.


Ways to Prevent Cyber Attacks

  • Install, use, and regularly update antivirus and antispyware software on every computer used in your business.
  • Use a firewall for your Internet connection.
  • Download and install software updates for your operating systems and applications as they become available.
  • Make backup copies of important business data and information.
  • Control physical access to your computers and network components.
  • Secure your Wi-Fi network and make sure it is hidden.
  • Require individual user accounts for each employee.
  • Limit employee access to data and information. Also, limit authority to install software.
  • Regularly change passwords.
  • Consider two-factor authentication such as password and PIN.

The Federal Communications Commission provides a Small Biz Cyber Security Planner on its website.

Another factor to be mindful of as a call center that takes calls for healthcare providers and clinics is that you are a business associate of the covered entity. A HIPAA business associate is a contractor or vendor to a HIPAA-covered entity that creates, maintains, or transmits protected health information in performing a function or service to the covered entity:

If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules. (HHS.Gov)

A business associate contract serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information (PHI) by the business associate. The business associate may use or disclose PHI only as permitted or required by its business associate contract or as required by law.

A business associate is also directly liable and subject to civil and criminal penalties for making uses and disclosures of PHI not authorized by its contract or required by law. It is important that employees are trained and understand the HIPAA rules required of a business associate. You can find sample Business Associate Agreement Provisions and training resources on the HHS.gov website.

Text messaging or SMS has become the preferred method of message delivery for both the contact center and healthcare providers today. With this growing trend comes risk associated with the transmission of PHI. 

With standard forms of SMS, text messages may remain on a device for an extended time. If the device is recycled, lost, or left accessible to unauthorized persons, HIPAA violations may occur. You must provide safeguards to reduce your exposure to these risks.

Secure Messaging is a secure, HIPAA-compliant way to safely exchange sensitive information via text. Most contact center system vendors have developed secure messaging applications for use with their systems. However, quite often it is difficult for a contact center to convince a large medical group to make changes and convert from their current secure messaging provider to one offered by the contact center. 

If you are not using a HIPAA-compliant application for text messaging, do yourself a favor and contact your vendor to see what they have available.

Bobby Bennett is the western regional sales manager for Startel, Professional Teledata, and Alston Tascom, leading providers of best-in-class contact center solutions for healthcare and medical telephone answering service call centers. Startel’s Alston Tascom Division has created a stand-alone, vendor-agnostic secure messaging gateway which has integrations with some of the most popular secure messaging providers. Contact Bobby at bobby.bennett@startel.com or 800-782-7835.