Cybersecurity in healthcare has reached dizzying risk levels. Last month’s ransomware attack on Change Healthcare still reverberates, affecting thousands of providers and millions of patients, primarily those waiting for prescriptions. We still do not know the full extent of the damage to the healthcare sector, and experts believe the disruptions will continue for many weeks.
More needs to be done to bolster cybersecurity defenses. The U.S. Department of Health and Human Services (HHS) recently issued new guidance to help healthcare organizations understand and defend against cybercriminals’ bold, aggressive tactics targeting healthcare. HHS also plans to use HIPAA audits and increase enforcement to reinforce patient privacy and information security.
The updated guidance and the possibility of audits are opportunities, not problems. Most healthcare organizations need to make more cybersecurity preparations, and most need help doing so.
The HIPAA rules give you a blueprint for protecting your organization and reducing the risk of a successful ransomware attack.
Phase 3 Audits Are on the Horizon
The Office for Civil Rights (OCR) director confirmed to Information Security Media Group (ISMG) last month that OCR plans to begin auditing regulated entities later this year. This will be OCR’s third phase of HIPAA audits since 2011.
The topics covered in the audits are not a mystery: OCR has published the questions it asks and the documents it requests, collectively known as the “HIPAA Audit Protocols.” OCR has also published a report on the results of the last round of audits, Phase 2, conducted in 2016-2017.
Assume you will be audited and take action today to prepare.
Phase 2 Audits Revealed More Failures than Successes
The biggest failure among covered entities and business associates was not conducting a HIPAA risk analysis and not implementing risk management.
Generally, covered entities demonstrated compliance in only two of the seven areas audited: (1) timeliness of breach notification and (2) prominent posting of the Notice of Privacy Practices on their websites.
However, covered entities generally did not comply with the individual right of access requirements or with the provisions governing the content of breach notifications. The report also explained that covered entities still struggle to implement HIPAA’s risk analysis and risk management requirements.
Business associates were also audited. OCR noted that the business associate audit ratings were similar to those of covered entities in security risk analysis and risk management.
Follow the HIPAA Security Rule
Working through the Security Rule requirements is the fastest way to prepare for an audit and bolster cybersecurity defenses. Use the latest guidance from the National Institute of Standards and Technology (NIST) and HHS, and review the resources available at StopRansomware.gov.
Conduct a complete HIPAA risk analysis and refresh cybersecurity training.
Experts remind us that software vulnerabilities remain the #1 attack vector in healthcare, so every healthcare organization needs to patch vulnerabilities rapidly. Apply patches as soon as you learn they are available, giving priority to internet-facing systems and to vulnerabilities known to be actively exploited.
The HIPAA E-Tool® Solves the Audit Problem
Whether you need up-to-date policies, a risk analysis-risk management plan, or training, The HIPAA E-Tool® can help.
The HIPAA E-Tool® also contains all 180 audit protocols published by OCR after the Phase 2 audits. With clickable links from the audit questions to your policies, an audit is much easier to manage.