The State of Security: Healthcare Security and a HIPAA Audit

Healthcare Security, particularly IT Security, is dominating the news cycles recently, for a number of reasons. The primary reason, however, is that the healthcare sector continues to be a prime target for hackers, organized crime entities, and nation states due to the significant amount of sensitive information that they possess on their patients. When you combine the risk associated with these various pieces of information with the myriad of Federal (HIPAA), State (Breach Laws), and Industry (PCI Compliance) regulations, it can be very confusing to determine what systems and information take priority and require immediate attention. On top of this, round 2 of the famed HIPAA Audit program is in full swing. What does this mean for healthcare organizations? Well, it means that many organizations are scrambling and trying to figure out exactly what they have done in the past and what they need to do to ensure they are successful, should they be picked for the HIPAA Audit program. But where does a healthcare organization start? What challenges are they facing and what should they be doing about it? Here are some areas to consider:

• IT Risk Assessment - One of the key requirements, and an area where most organizations struggle, is with HIPAA Security Rule 164.308(a)(1)(ii)(A): Has a Risk Analysis been completed in accordance with NIST Guidelines? This is an enormous area of focus this year due to all of the healthcare breaches that have taken place but also due to the findings from Round 1 of the HIPAA Audit Program. In fact, according to the Office of Civil Rights (OCR), 66% of the entities that they audited did not have a complete and/or accurate risk assessment (scroll to slide 46). Be prepared for this as this will be a definite high risk area
• Security Awareness - In light of the recent Ransomware attacks, Security Awareness is a huge challenge for healthcare organizations. At Compass we call this process "building a culture of security." This means providing training to your employees about what a suspicious email looks like. This means when an employee receives a request from the CEO to transfer significant amounts of money to strange accounts, they are empowered to ask questions to make sure the request is legitimate. You are only as strong as your people and while technology is awesome, if the people at your organization don't adopt a "Security Mindset" you could be in for some trouble.
• Policies and Procedures - It is amazing to me that stolen laptops and unencrypted laptops continue to make the news and account for some of the largest breaches we have seen. In fact, one recent situation occurred where an NFL Teams laptop was stolen that contained the health information for thousands of NFL players. In fact, if you want to read some interesting information, head on over to the HHS Wall of Shame to read about all of the breaches that have taken place, the reason for the breach, and the number of individuals affected. Since April 5, 2016, 443,779 individuals have had their information subjected to exposure due to theft of laptops or other portable computer devices. Almost 450,000 in 2 months. Wow!
• Vendor Management - Third party providers are still one of the biggest risks to healthcare organizations out there. This is usually a Business Associate that is assisting your organization in some method. What are their security practices like? How do they assess the security of their information? What steps can you take to ensure that the sensitive information you provide them is secure? These are all questions that you should be asking to ensure that you are doing everything in your power to secure the data that you possess on your patients.

IT security is challenging, however Healthcare Security is more challenging due to the size, nature, and complexity of the services they provide. Compass IT Compliance is here to help! Contact us today to discuss your unique challenges.