HIPAA compliance is a necessary part of operating in the healthcare field. While you might fulfill other requirements to stay in compliance, your IT system may not make the grade. Here are a few areas to pay close attention to when you’re evaluating your infrastructure.
Administrative Measures
Start with the policies and procedures that govern your healthcare company’s IT practices. You need an organization that understands the importance of protecting patient health information, the level-appropriate ways to do so and what they need to do to adhere to HIPAA guidelines.
You should have a thorough understanding of the risks facing your healthcare organization and a strategy for managing them. If breaches occur, then a complete action plan leads you through the process of discovering what went wrong and how to fix it.
Administrative measures should define the consequences for unauthorized access by employees, what employees should have access to this information to begin with and determining who is responsible for keeping the electronic records secure.
Training is also essential to maintaining HIPAA compliance. Users may not realize that they’re behaving in a way that compromises patient data and other sensitive information. A comprehensive security training program covers what each staff member needs to know so they can do their part.
Another important administrative measure is a disaster recovery plan. Your patient information is at risk in these unexpected situations, so you need a concrete plan on how you protect your data, the restoration method, preventative measures to stop attacks of opportunity and other security strategies.
Physical Data Security
Some organizations may spend a lot of time focusing on software methods for protecting their data, but forget about the physical security. For HIPAA compliance, you need to cover both.
Some areas to address for your physical data security include:
- Server rooms: Who can get in and out of the rooms with equipment that physically stores electronic health records? Is there a security system in place that prevents people from entering and exiting the room without authorization?
- Emergency plans: What happens to the hardware in the event of an emergency, such as natural disaster?
- Workstations: Where are your workstations located, and how do you prevent unauthorized users from logging into the accounts?
- Data access tracking: Are you tracking who accesses and changes patient information? Start creating a paper trail.
- Disposal process: The hard drives that you store patient records on can’t simply be thrown in the trash. You need a way to ensure that no data can be recovered after you throw them away.
User Access Control
Healthcare organizations weather frequent attacks by cybercriminals due to a combination of poor IT security measures and valuable data. Ransomware, which is an attack that locks you out from your computer systems until you pay the ransom, is prevalent due to the life and death nature of the patient information you handle.
One reason why ransomware wrecks such havoc is that users have access to more system functionality than they should. A receptionist entering patient information into your EHR system doesn’t need an account that can install programs on it.
User access control limits the system privileges of all users to maintain security. You also stay on top of active and inactive accounts, as well as those owned by external businesses. Hackers often look for low-hanging fruit in their attempts, and getting administrative access to a system through a front-line employee or external partner is an easy way to compromise your system.
Strong password policies, with frequently changing, complex passwords, can also limit brute force attacks that try to figure out login information in your organization.
Your healthcare business relies on its IT infrastructure for many business processes. Make sure that it meets HIPAA standards to avoid fines and ensure that your patients don’t have to worry about their data being mishandled.
Sources:
https://www.hhs.gov/hipaa/for-professionals/security/index.html
