HIPAA compliance: What healthcare administrators need to know
According to a report from Duo Security, 56% of healthcare companies across the U.S. are still operating on legacy operating systems and software. In case you’re not familiar with the term, legacy is just another word for outdated. In the world of cybersecurity, outdated usually means vulnerable to a cyberattack. If your technology is obsolete or you are still using manual processes to store patient data, there is a good chance you are in violation of HIPAA compliance codes and regulations. Consider some of the most recent data breaches:
- AMCA/LabCorp/Quest Diagnostics: over 25 million patients
- Dominion National: nearly 3 million patients
- Inmediata Health Group: 1.5 million patients
- UW Medicine: 973,024 patients
- Wolverine Solutions Group: 600,000 patients
Over 40 million Americans were affected by data breaches in 2019 alone. What do all of these data breaches have in common? In one way or another, these companies failed to comply with HIPAA standards. More specifically, they were using outdated processes and solutions to protect patient data, very often related to control over what third-party vendors do with their data. Also, keep in mind that 43% of all cyberattacks still target small to mid-size businesses, not just huge enterprises. Hackers often go after small clinics and medical practice groups because they know that these are often less protected than the big hospitals. In other words, every organization needs to understand compliance both to avoid expensive penalties and to secure its network.
HIPAA compliance is about continuous improvement
Ensuring that your company is compliant with federal regulations is about more than just following the rules. While enterprises like LabCorp or Quest may survive a breach, there are still far-reaching consequences that can last for several years after the initial event. For instance, corporations that fell prey to an attack in 2019 are already facing numerous investigations, lawsuits, and reputational damage. The companies also face losing millions in revenue while at the same time spending large sums to restore security to the network. And the Office for Civil Rights (OCR), the federal enforcement arm for HIPAA, has issued over 100 million in fines to institutions for violations and failures to comply. The bottom line is that becoming HIPAA-compliant is central to the sustainability of any healthcare provider or vendor. Without proper security measures, companies open themselves up to a painful recovery process after a cyberattack.
What are the HIPAA security standards?
There are several key areas on which this regulation is focused. Below is a summary of the HIPAA Security Standards for healthcare providers:
A clear plan of action
Your company must tangibly demonstrate compliance in a systematic and organized manner. It must adopt a clear plan of action, create a written set of procedures, and designate a privacy officer to manage compliance.
Organizational buy-in
Your entire organization must demonstrate that it is on board with HIPAA regulations and procedures. Procedures must identify all employees and entities that will have access to private patient information. Furthermore, there must be a clear correlation between their job function and authorization to access private information. The company must also develop an ongoing training program for all employees who have access to private patient information.
Third parties and vendors
All business associates, including outsourced service providers and vendors, must also follow HIPAA regulations. HIPAA compliance must be stipulated in your business contracts with any third-party entities that handle patient data through Business Associate Agreements (BAAs). You must also find out if the third party outsources services or functions to other parties. This is why it’s so critical to deploy solutions that deliver access while offering granular control of user activity and permissions.
Emergency plan of action
You should have a plan in place for responding to any security breach. Your plan should include a data backup and recovery procedure. This is especially important for any system dealing with patient care. You should also be able to analyze and identify how your processes or infrastructure failed or what led to the emergency. User activity monitoring and auditing solutions allow network managers to launch comprehensive forensic investigations and attribute attacks to a specific actor or actors.
Physical safeguards
How are you controlling physical access to sensitive data? Your plan for isolating authorization should cover all phases of the software and equipment you use, from implementation to disposal. All equipment must be carefully controlled and monitored without interruption. All workstations should be removed from high-traffic areas. Timed logouts and good password policies should be in place for all network access. Medical devices must be tamper-proof and tamper-evident. Monitor screens should not be in direct view of the public. Also, there must be records of user activity (employees, third parties, clients/patients).
Technical safeguards
All data that is transmitted across your network must be protected to prevent interception from an unauthorized user. Encryption should be utilized when sending or receiving data. In addition, systems must be able to preserve the integrity of all data while authenticating both the sender and receiver. All system and network activity, especially for third parties, must be logged for documentation and tracking. There must also be some form of ongoing risk analysis and risk management processes in place.
Where to start with HIPAA compliance
HIPAA compliance is key when a healthcare organization is making a digital transformation from analog, outdated processes. Companies that need to ensure security while partnering with third-party vendors need modern solutions that have specific features for HIPAA compliance. Imprivata provides secure third-party remote access for enterprises working in healthcare. To learn more about how vendor privileged access management and remote access solutions are easy to use, highly efficient, and keep your company compliant, check out our HIPAA and HITECH compliance checklist.