As health IT data breaches are on the rise and cybersecurity becomes a growing concern, HIPAA compliance and security risk assessments are becoming top-of-mind for healthcare providers.
Coalfire, an IT audit and compliance firm, has debunked the following seven myths surrounding HIPAA security risk analysis.
Myth 1: A security risk analysis is optional for small providers. In fact, a risk analysis is mandatory for every covered entity regardless of size, including providers attesting to meaningful use of their electronic health records. Small practices are not a soft target that attackers ignore: nearly one-third of data breaches occur in organizations with 100 or fewer employees.
Myth 2: Any certified EHR will comply with risk analysis requirements. EHR certification covers the product, not the practice. A compliant risk analysis must cover all protected health information, including files and data that live outside the EHR. With the proliferation of mHealth, the security boundary must be extended to every device that stores or accesses PHI, including smartphones, tablets and computers.
Myth 3: EHR vendors already address privacy and security issues. While vendors will describe the security features of their products, Coalfire says the task of securely integrating and configuring those products to comply with HIPAA remains the provider's responsibility.
Myth 4: There is one method of analysis. A security risk analysis should be tailored to each organization, because each organization's risks will differ. However, every effective analysis includes three main elements: identification of every source of protected health information; the human, digital and environmental threats to that data; and an assessment of the security measures currently in place against those threats.
Myth 5: Checklists satisfy risk analysis requirements. While checklists can help raise awareness and identify areas of concern, on their own they are not adequate for executing a proper analysis or for documenting it.
Myth 6: Risk analyses only need to be completed once. HIPAA requires security risk analysis, including reviewing, correcting and modifying safeguards, to be an ongoing process. At a minimum, a review is recommended once a year.
Myth 7: Every analysis will start from scratch. Coalfire says auditors do not need to return to the beginning each time they conduct a security risk analysis. Instead, conduct a complete analysis once the EHR is implemented, then update the report to reflect changes in practice or technology as they occur.