You want to be HIPAA-compliant? You need to perform a risk assessment with the help of a Certified HIPAA Professional (CHP).
It's impossible to watch the news without weekly revelations of some new data breach – Target, Equifax, the WannaCry ransomware, and even internet-connected teddy bears have been in the news.
As cybercrime continues to pay, attacks and breaches will continue and will especially affect unprepared businesses.
One industry is squarely in the crosshairs of hackers – healthcare.
Healthcare providers, payers, clearinghouses, and business associates and their subcontractors all must comply with HIPAA.
There is no HIPAA-in-a-box solution!
There are technologies that can help you implement your HIPAA-compliance strategy, but you can't buy HIPAA compliance.
And breaches that affect patients are starting to cause real pain for organizations. A quick look at the Healthcare IT News site reveals a growing number of fines, including a $2.5 million fine for CardioNet. A stolen laptop from an employee's car contained data for 1,391 patients. The company had not implemented – or even completed – plans for safeguarding protected health information (PHI).
Do you have $2.5 million to spare on paying a fine for policies you could implement for less than that?
Assess Your Risk
Many companies don't know how at risk they are – a lot? Hardly at all? Somewhere in between?
That's why a cybersecurity assessment is so useful. By discovering the gaps and cracks in your security, and the ways you could lose protected health information (PHI) to a data breach, you can prioritize and take steps to present a nearly impenetrable wall to hackers. I say "nearly" because there is no such thing as 100% information security; it doesn't exist, regardless of what advertising and marketing might try to convince you of.
How important is assessing risk? The HIPAA Security Rule mandates it: "Organizations must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI."
This isn't just an exercise performed on paper or whiteboards; a technical review also needs to be completed.
ecfirst, a provider of compliance and security training and solutions, outlines seven steps to enterprise HIPAA compliance:
- Security responsibility
- Risk analysis
- Security strategy and policies
- Remediate
- Business associate (BA) supply chain
- Training
- Evaluate
Assessing Risk: Getting Started
The first step is to gather documentation; a partial list includes:
- Security plan
- Any previous risk analysis
- Vulnerability planning and most recent scan results
- Network penetration testing policy and procedure and most recent results
- Encryption measures
- User access rules and processes
- Physical security
- Data backup strategy and procedures
- PII policies and procedures, including staff org chart with compliance responsibilities
Risk Assessment: What Needs to Be Assessed?
Great, you're thinking. What specifically do I need to assess? Here's a list:
- Document the regulations and standards your business is mandated to comply with (privacy, security, federal or state)
- Assess policies
- Assess procedures
- Review asset management process and documents
- Review vendor agreements
- Assess deployed security controls
- Identify missing security controls
- Assess the state of encryption implementation
- Review cloud security for deployed apps and PII/PHI
- Conduct a technical vulnerability assessment for both external and internal threats
- Conduct a wireless assessment
- Review firewall architecture and configuration
- Review mission-critical applications and their security
- Assess requirements for penetration testing
- Evaluate risk management program
- Assess quality and depth of security awareness training
- Review information security skill capabilities
- Assess executive priority and reporting structure for security and compliance
Next Steps
I know, the preceding is an intimidating list, but a Datamax Certified HIPAA Professional (CHP) can most certainly help!