What is a HIPAA security risk assessment, and who needs one?

The healthcare sector is one of the favorite targets for cybercriminals and state-sponsored groups. Contrary to popular belief, a complete medical record typically sells for far more on criminal markets than a stolen payment card: a card can be cancelled and reissued, whereas a record containing a name, date of birth, Social Security number, and insurance details supports identity theft and insurance fraud for years. That is why it is essential to take every reasonable step to safeguard protected health information (PHI), for the sake of your organization as much as your patients or clients. Conducting a HIPAA security risk assessment (the Security Rule calls it a risk analysis) is the first big step, because it tells you which assets actually hold PHI and which threats they realistically face.

Who needs to be HIPAA-compliant?

HIPAA applies to two groups: covered entities and business associates. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically for standard transactions such as claims. Business associates are a much broader group, since they include any party that creates, receives, maintains, or transmits PHI on behalf of a covered entity, such as an accounting firm, IT service provider, cloud hosting provider, or consultancy. Since the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance, and their own subcontractors that handle PHI are business associates too. Any organization in either group that stores, transmits, or processes PHI must be HIPAA-compliant.

#1. Determine what data you have access to

The first step towards formulating a HIPAA IT security policy is to determine which PHI you hold, which systems store or transmit it, and which controls protect it at rest and in transit. This is harder than it sounds in the age of cloud and mobile computing: electronic PHI (ePHI) may sit on EHR servers, backups, laptops, phones, email, file shares, and third-party SaaS platforms, both in-house and off-site. Before you can protect your assets, you need a comprehensive, up-to-date inventory that maps each data store to its owner, its location, and the safeguards applied to it. The Security Rule's risk analysis is expected to cover all ePHI wherever it resides, so any store missing from the inventory is a gap in the assessment itself.

#2. Assess your current security measures

The next step is to assess your existing safeguards against current security practice. HIPAA was enacted in 1996 and the Security Rule followed in 2003, and the rule was deliberately written to be technology-neutral: it defines administrative, physical, and technical safeguards with required and addressable implementation specifications rather than naming specific products or configurations. The practical approach is to run the risk analysis itself according to a recognized methodology such as NIST SP 800-30 (Guide for Conducting Risk Assessments) and to map your controls to the rule using NIST SP 800-66 (Implementing the HIPAA Security Rule). One caveat: following a framework supports compliance but does not by itself prove it. For each addressable specification you choose not to implement, you must document why it was not reasonable and appropriate in your environment and what equivalent measure you adopted instead.

#3. Identify your organization’s vulnerabilities

No two enterprise computing architectures look the same, and there are few universal standards even within healthcare. As such, you need to evaluate your architecture not only for the controls it has but also for vulnerabilities that have gone unnoticed. Typical examples are legacy protocols still enabled on the network (SMBv1, TLS 1.0 and 1.1, Telnet, FTP), unpatched firmware on medical devices and network equipment, end-of-life operating systems that no longer receive security updates, default or shared credentials, and ePHI stored or transmitted without encryption. Record each finding with the system it affects, the likelihood and impact of its exploitation, and a remediation owner and date, so that the risk management plan that follows the assessment has something concrete to act on and so that the HIPAA IT security policy addresses real weaknesses rather than generic ones.

#4. Manage document storage and requirements

A HIPAA security risk assessment should also cover document storage and retention, and two separate requirements are often confused here. HIPAA itself requires that Security Rule documentation (policies, procedures, risk analyses, and records of actions and assessments) be retained for six years from its creation or the date it was last in effect. Retention periods for the medical records themselves are set by state law and by Medicare and other payer rules, and they frequently exceed six years. Beyond retention, the Security Rule's contingency plan standard requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan. To ensure availability of your services and of the systems that protect them, you need a backup and disaster recovery plan with redundant copies (including at least one offline or immutable copy, so that ransomware cannot encrypt the backups along with the primary data), automated failover, and periodic restore testing to prove the backups are actually usable.

#5. Achieve breach notification requirements

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals when unsecured PHI has been breached, without unreasonable delay and in no case later than 60 calendar days after discovery. A breach affecting 500 or more individuals must also be reported to the Secretary of HHS within the same 60-day window, and if 500 or more residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Business associates must notify the covered entity, and the business associate agreement should set a deadline well inside the 60 days so the covered entity can meet its own obligations. A breach is treated as discovered on the first day it is known, or reasonably should have been known, to anyone in the organization other than the person who caused it, so the clock can start before leadership hears about the incident. As such, you need a clearly documented and rehearsed process for establishing the discovery date, determining how many individuals are affected, and notifying every relevant party, should the worst happen.

#6. Integrate compliance with your IT strategy

Security, privacy, and regulatory compliance have often been treated reactively, with controls bolted on after a system is built rather than designed in from the start. The Security Rule does not use the word "proactive", but it does require the risk analysis to be reviewed and updated as the environment changes and risk management to be an ongoing process, so compliance cannot be a one-time project. Compliance should be an integral part of your broader IT strategy, considered with the rollout of every new hardware device, software program, cloud service, and user account, so that each addition is inventoried, assessed, and covered by policy from day one.

Charles IT carries out comprehensive HIPAA security risk assessments that help healthcare providers and their associates innovate quickly without increasing risk. Get in touch today to schedule your assessment.