by Ali Pabrai, CEO, ecfirst and Marshall Busko, Senior Director, Information Technology Solutions, Intalere
It is not a matter of if a healthcare organization, be it a covered entity or a business associate, will experience a cyber breach; it is a matter of when. The FBI warns that the healthcare sector especially is vulnerable to cyber-attacks. The 2017 threat profile that a healthcare organization's compliance and cyber security program must be prepared to address includes IoT, ransomware, DDoS and much more. Healthcare has experienced 340% more security incidents and attacks than other industries, and received more HIPAA fines in 2016 than ever before, and we are likely to see a lot more of the same in 2017.
Based on this very sobering information, every healthcare provider must ask the following question: how prepared is their organization against cyber-attacks that compromise personally identifiable information (PII) or confidential data such as electronic protected health information (EPHI)? Moreover, what can organizations do to prepare for and improve data breach prevention, and what post-breach remediation steps should they take? Let's look at Seven Steps to HIPAA Compliance.
Step 1: Assign Security Responsibility
The process begins with assigning security responsibility. An organization must develop very specific job descriptions for privacy, security and compliance professionals. Part of this involves identifying the Information Security Officer and establishing reporting and accountability.
Step 2: Conduct Risk Analysis
A thorough, comprehensive security risk and vulnerability assessment is a necessary starting point for any program. In conducting the risk analysis, entities should list every requirement of the HIPAA Security Rule, including every safeguard, standard and implementation specification, in a risk analysis format that identifies an organization’s state of compliance with the requirement, recommended remediation activity and associated risk priority. They should also seek to identify contingency requirements including a business impact analysis.
Step 3: Develop Security Strategy and Policies
With the foundational elements set, the next steps are to begin to set strategies and policies, including the overall plan and policy documents. An important element includes the development of incident and breach management plans, policies and procedures.
Step 4: Remediate – Corrective Action Plan (CAP)
Many of the recent examples of data breaches give us insight into some of the tactics that need to go into a remediation or corrective action plan. A recent major bank breach was discovered as a result of a routine scan, which illustrates the value of an organization's ability to actively monitor critical systems. In another huge healthcare case, the database that was accessed was not properly encrypted. Active monitoring of critical systems and encryption of sensitive data are two of the recommended tactics that belong in an overall Corrective Action Plan (CAP).
Step 5: Update Business Associate Contracts and Other Agreements
The review and update of all Business Associate Contracts (BACs), as well as the list of business associates (BAs), is also an imperative step in the process. According to HIPAA, a business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A business associate is also a subcontractor that creates, receives, maintains or transmits protected health information on behalf of another business associate. Step 5 is important, and we must think of security in the context of a supply chain. Because a business associate may sub-contract to another business associate, your organization's HIPAA compliance program must treat the security of EPHI as extending through the entire business associate supply chain.
Step 6: Train the Workforce
A security plan can only be as good, ultimately, as the people who are tasked with implementing it. Healthcare providers must conduct security training for all members of the workforce, with training content addressing regulatory mandates and organizational policies. A strong training program also consistently communicates security requirements with security reminders, posters, etc.
Step 7: Evaluate and Audit
Evaluation and audit should not be viewed as the final step, but as just another step in a continuous loop of constant improvement. There should be ongoing assessment confirming that all identified risks and vulnerabilities have been addressed, whether by remediation or by documented acceptance.
To learn more, check out our recent white paper detailing the Seven Steps to HIPAA Compliance.