David’s first day at his job was a success. As the newly appointed Chief Technology Officer at a growing orthopedic practice, he managed the networks, computers, and electronic health records system. All systems were strong and running smoothly, and all data was secure. His challenge was to align all the systems with the fast pace of growth.
However, his second day on the job was a disaster after the office manager alerted him to an email glitch that spread through the network, bringing down the whole system.
By the end of the day, David faced the grim reality that the network had been breached and protected health information (PHI) had been compromised. The server had been hacked, and David took the email, telephone, and EHR systems offline to limit the damage.
The full extent of the losses wouldn’t be known for weeks after an investigation. Meanwhile, staff had to resort to traditional methods, using paper and pen to maintain records as they navigated through the system downtime.
The investigation needed to identify the patients whose data had been breached so they could be notified.
What went wrong? David is a talented IT manager, and his orthopedic practice has state-of-the-art equipment and software. He needed to understand what happened to get them back in operation and prevent it from happening again.
Ultimately, the investigation uncovered that the breach happened after a staff member opened an attachment in an email that looked legitimate to the untrained eye. The attachment introduced malware that infected the network.
After the dust settled on the disastrous security breach, David reviewed their HIPAA compliance and cybersecurity practices.
Four Keys to Success for HIPAA Compliance
There is no one-size-fits-all solution. That being said, there are four elements to a successful compliance program.
- Policies and Procedures
- HIPAA Risk Management
- HIPAA Training
- Teamwork
Use these key elements to strengthen your compliance and keep data secure.
HIPAA Policies and Procedures
These are a baseline requirement, and you may already have them.
However, be sure the policies and procedures are up-to-date and sourced from the Code of Federal Regulations (CFR). HIPAA laws change, so if your policies have not been updated recently, find out whether they are current.
HIPAA Risk Management Starts by Identifying Risks
Whether starting from scratch or fine-tuning an existing program, the best first step is a HIPAA Risk Analysis. This reveals weaknesses in your organization that can threaten the privacy and security of PHI. Every organization has weaknesses.
Only when you identify risks can you manage each by taking steps to reduce its level.
Assessment of the security of PHI in electronic form (ePHI) is required by the HIPAA Security Rule. However, risks to the privacy and security of your PHI are not limited to ePHI. So, you should perform a full HIPAA Risk Analysis.
A HIPAA Risk Analysis will:
- inventory the locations of PHI, both electronic and non-electronic;
- assign levels of risk to the privacy and security threats and vulnerabilities of that PHI and decide how to address those risks;
- include a list of HIPAA business associates, or subcontractor business associates, and verify you’ve conducted due diligence with each;
- include a workforce list and verify they’ve received HIPAA training;
- answer all the questions required by the HIPAA Security Rule;
- align with current guidance from the National Institute of Standards and Technology (NIST);
- include a contingency plan to manage operations after a data breach.
The Best HIPAA Training Fits the Audience
The workforce is both the first line of defense and potentially the weakest link in maintaining data security. Untrained workers make mistakes, so be sure to provide both basic HIPAA training and cybersecurity awareness training.
Staff have different levels of exposure to PHI depending on their work. Everyone should have basic HIPAA training; beyond that, they need relevant training that covers their specific duties to protect the PHI they use or disclose to perform their jobs.
Remember to include senior management and the Board of Directors. Responsibility for HIPAA compliance starts at the top and is shared throughout the organization.
Everyone Needs Cybersecurity Awareness Training
Cybercriminals targeting healthcare continue to use phishing through email and voice communication as a preferred attack method. Fortunately, cybersecurity experts from the FBI and the U.S. Department of Health and Human Services provide resources to help defend against the latest versions of these threats.
Teamwork Builds a Culture of Compliance
HIPAA compliance is not a one-person job.
The strongest HIPAA compliance program includes a team committed to privacy and security.
- Senior management sets the tone and secures resources for the program.
- IT staff monitor the networks, update software, and manage user authentication and access controls.
- Human resources help with staff engagement, training, and communications.
- Patient-facing staff communicate clearly and sensitively while protecting patient privacy.
A culture of compliance encourages questions and reports of suspected issues that may need to be addressed before they cause bigger security threats.
Your Keys to Success for HIPAA Compliance are Unique
The most effective HIPAA compliance is tailored to your organization’s unique needs. After you’ve adopted current policies and procedures, your priority is an updated risk analysis to decide where to place your resources. Do the risk analysis at least once a year, but pay attention to HIPAA risk management year-round. Engage the workforce in privacy and security and encourage their questions.
David’s first priority was HIPAA training because the data theft was caused by a phishing email. After completing a new risk analysis, he focused on user access, authorization protocols, and network monitoring, all of which the risks uncovered in the analysis required. His team is now committed to building a stronger, improved HIPAA compliance program by managing risks year-round. David has made a cyberattack against his organization much more difficult. You can do the same.