5 Tips for tackling HIPAA compliance challenges

Regulations like HIPAA are in place to protect sensitive protected health information, but the threat landscape is ever-changing.

With healthcare organizations the target of 88 percent of ransomware attacks by one industry count, the U.S. Department of Health and Human Services issued new HIPAA guidance on ransomware attacks in July 2016, making clear that a ransomware infection of ePHI is presumed to be a breach unless the organization can demonstrate a low probability of compromise.

If you're finding it difficult to keep up with patient and provider demand while simultaneously keeping an eye on the evolving regulations, you're not alone. HIPAA compliance is often only deeply understood by a handful of people within an organization. That said, I've seen some common threads in my 15+ years of working with healthcare providers. Here are five actions you can take today that will dramatically enhance your organization's security posture:

1) Help build awareness and guide employee behavior.
User behavior is easily the most common area of risk when it comes to security. Technology can do a lot to raise security posture, but the starting point is making sure every user in your system is aware of the risks they can introduce. Outline basic security protocols for laptops and mobile devices, including requiring employees to use strong passwords and never reuse the same password across multiple accounts. Enforce policies against shadow IT so employees aren't accessing healthcare systems or data through undocumented or unapproved devices.

Education is also necessary. If users aren't aware of compliance requirements and intent, they can unknowingly cause a breach. Healthcare organizations should be asking questions such as: How do you fuel understanding of policies and develop the right culture for security? Do employees know how to handle the situation, and who to contact, when they suspect something unusual?

2) Ensure you have a formal – and updated – information security management program.
Your information security management program is a documented program for securing all of your assets. It should include guidance on processes, controls, tools, people, and procedures. The information security space is changing rapidly, so you need to plan for using your current resources today while improving your security posture in a thoughtful way for the future. It's not about one magic-bullet security technology; it's about how all the pieces work together. At a minimum, you should review the plan annually and ensure that it covers the three years ahead.

3) Take offline storage seriously.
As security regulations and their costs have grown, many healthcare organizations have tried to minimize offline storage by keeping one large file share on a RAID array, and then treating that redundancy, or a replica of it at an alternate site, as their disaster recovery plan. If I may be frank, this is entirely the wrong approach to data backup. RAID and live replication protect against disk failure, not against ransomware or an accidental deletion: whatever is encrypted or deleted on the primary is faithfully mirrored to the replica. You should always have an offline copy of everything you care about, particularly in an industry where lives are literally at stake. That doesn't necessarily mean physical media, but it does mean replicating your data somewhere, such as to the cloud, and then making sure that copy is detached, inaccessible from the production environment, and periodically verified so you know it can actually be restored.
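To make the difference between a replica and a backup concrete, here is an added example (not code from the original article or its author). It builds a small constructed set of stand-in "patient record" files, takes a detached copy with a SHA-256 manifest, keeps a second copy in continuous sync with the live share, then simulates ransomware by overwriting every live file. The synced replica mirrors the damage; only the detached copy verifies clean and can be restored. The file contents, directory names, and the XOR "encryption" are all assumptions made for the demonstration.

```python
"""Why a synced replica is not a backup: a detached copy with a hash manifest."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample files; plain text stands in for PHI (assumption for the demo).
SAMPLE_FILES = {
    "records/patient-0001.txt": b"Name: Example Patient\nMRN: 0001\n",
    "records/patient-0002.txt": b"Name: Another Patient\nMRN: 0002\n",
    "images/study-17.bin": bytes(range(256)),
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative path (with '/' separators) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def sync_copy(src: Path, dest: Path) -> None:
    """Mirror src into dest, as a live replica or RAID-backed share does continuously."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(src, dest)


def take_offline_backup(src: Path, dest: Path) -> dict:
    """Copy src to dest and record a manifest. The copy is never synced again,
    which is what makes it 'offline' for the purposes of this demonstration."""
    sync_copy(src, dest)
    return build_manifest(dest)


def verify(root: Path, manifest: dict) -> list:
    """Return relative paths whose content is missing or no longer matches the manifest."""
    current = build_manifest(root)
    return sorted(k for k in manifest if current.get(k) != manifest[k])


def simulate_ransomware(root: Path) -> None:
    """Overwrite every file in place; a fixed XOR key stands in for real encryption."""
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))


def restore(offline: Path, live: Path, manifest: dict) -> list:
    """Rebuild live from the offline copy and return any remaining mismatches."""
    sync_copy(offline, live)
    return verify(live, manifest)


def run_scenario() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        live, replica, offline = (Path(tmp) / n for n in ("live", "replica", "offline"))
        live.mkdir()
        for rel, data in SAMPLE_FILES.items():
            path = live / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)

        manifest = take_offline_backup(live, offline)
        sync_copy(live, replica)  # the replica is in step with the live share

        simulate_ransomware(live)
        sync_copy(live, replica)  # replication faithfully mirrors the damage

        result = {
            "live_damaged": verify(live, manifest),
            "replica_damaged": verify(replica, manifest),
            "offline_damaged": verify(offline, manifest),
        }
        result["after_restore"] = restore(offline, live, manifest)
        return result


if __name__ == "__main__":
    for name, mismatches in run_scenario().items():
        print(f"{name}: {mismatches}")
```

The manifest is the part worth copying into a real program: without a record of what the data looked like before the incident, you cannot tell a clean restore point from one that was already encrypted, and a restore test that only checks that files exist proves nothing.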

4) Evaluate your biomedical tools as IoT devices, and secure them as such.
One of the most commonly overlooked assets when it comes to health IT security is biomedical devices such as MRIs and other connected instruments. These are network-connected devices, which makes each one an IoT endpoint, and those endpoints still need to be secured: inventoried, segmented from the rest of the clinical network, and patched. Vendors will often say they can't make changes to their products because the devices are FDA-approved as-is, but that's just not true. FDA's own guidance expects manufacturers to address cybersecurity vulnerabilities in marketed devices, and routine cybersecurity patches generally do not require new FDA review. Healthcare providers need to reach out to their vendors for assistance and work through that shared responsibility.

5) Educate patients about protecting the security of their own PHI.
There has recently been a movement among consumers calling for control over their own data rather than relying on healthcare providers to safeguard it. Unfortunately, with security only as strong as its weakest link, the consumer can end up being the weakest link in the chain. Providers, and really all of us, need to educate ourselves and one another about security best practices. Investing effort to educate healthcare consumers about cybersecurity will pay off in the long run.

Healthcare data security will continue to be a challenge in the years to come. But by mastering these first steps, hospital and healthcare organizations have an incredible opportunity to enhance their security posture today for the years ahead.

By Trent R. Hein, co-founder of AppliedTrust, a ViaWest company

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.