Healthcare information technology systems are a favorite target for cybercriminals. Protected health information (PHI) contains a wealth of valuable data that can sell for a lot of money on dark web markets. Another common threat against healthcare services is ransomware, as organizations are more likely to pay a ransom to regain access to their data. On top of this, the sector is often viewed as an easy target with outdated systems and poorly trained employees.
To ensure the safety and privacy of sensitive medical information, the US government enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. However, technology has changed a great deal since then, so IT professionals cannot rely on the legislation itself for detailed technical instructions for implementation. Instead, they must follow standards like those provided by the National Institute of Standards and Technology (NIST).
What is a HIPAA Certification?
Although a formal HIPAA certification for IT professionals doesn't exist, some third-party auditors may be willing to provide proof that your business has passed a HIPAA audit. This allows you to demonstrate your efforts in achieving compliance to potential and existing clients and patients.
The Health and Human Services Office for Civil Rights (OCR) is the federal body responsible for managing and enforcing HIPAA, and they regularly conduct audits to ensure compliance. Organizations that partner with a compliance expert take a proactive approach enabling them to track progress and identify areas for improvement to ensure a successful audit.
Related article: 7 things you need to know about the HIPAA compliance certification |
Steps to Prepare for HIPAA Certification
Step 1: Focus on security training for all employees.
Employee training is an essential part of the security and privacy process, and it’s also a legal requirement of HIPAA. There are many formal educational resources and training programs that provide HIPAA certification for IT professionals and other experts involved in healthcare. You will also need to document your training programs and create and publish policies that make training a clear priority. Keep in mind that you'll need to present your training programs to pass an audit.
Step 2: Choose your security and privacy officer.
Every covered entity or business associate must have a dedicated security and privacy officer. This does not have to mean hiring someone specifically for the role, but you will need to have someone responsible for protecting PHI. A security and privacy office will be accountable for meeting the regulations, reviewing business associate agreements, and creating a list of every supplier and vendor that handles PHI on their behalf.
Step 3: Implement a risk management plan.
HIPAA requires organizations to conduct a thorough risk analysis and develop a risk mitigation plan based on their findings. A risk analysis is a comprehensive evaluation of your network, including all devices and user accounts, and communications channels used for work. This will need to be an auditable and documented process that covers all security and privacy policies across the technical, administrative, and physical domains. It should also provide direction on the secure operations of your organization.
Related article: Why you can’t afford to make a mistake when performing a HIPAA risk assessment |
Step 4: Create and review your policies.
You will need to create a HIPAA compliance policy that aligns with the requirements enshrined in law, as well as the latest standards of information security and privacy. These policies must also be regularly updated to account for any changes to your technical or operational systems. It’s also essential that you have a way to enforce policies, such as using data loss prevention (DLP) systems to automatically detect and quarantine communications that may constitute a breach of policy.
Step 5: Conduct an internal IT audit.
An internal IT audit serves to evaluate your entire technology infrastructure for any potential vulnerabilities. Common vulnerabilities include outdated security protocols, obsolete hardware and software, deprecated operating systems, and unsecured wireless networks. The audit must also cover any hosted resources you use, such as cloud-based apps and online storage. You can and should consider getting external help for this since an outside view of your systems and infrastructure lends a crucial extra set of eyes.
Related articles: What is a HIPAA security risk assessment, and who needs one? |
Step 6: Build an internal remediation strategy.
Once you’ve carried out a risk assessment and audited your IT systems, you’ll no doubt find areas in need of improvement. Hopefully, there won’t be any critical vulnerabilities, but if there are, it's essential that you prioritize these in your remediation strategy. Be sure to create a realistic and carefully prioritized schedule for your remediation plan. Finally, remember that your compliance efforts need to be regularly tested, reviewed, and updated to accommodate any changes.
Related articles: How Much Can HIPAA Violation Fines Cost Your Business? |
Charles IT provides comprehensive HIPAA compliance assessments and security services to protect your organization from data leaks and other cyberthreats. Contact us today to find out more.
Editor's Note: This post was originally published in April 2021 and has been updated for accuracy and relevancy.