No organization can protect its data 100%. It is simply not possible, and it would cost too much if it were. But many conscientious entities are striving to get close. These entities tend to evaluate each security control not only for HIPAA compliance but also for its ability to actually protect one of their most valuable assets: patient data. By going beyond HIPAA security compliance and examining the underlying risks that the controls address, it becomes easier to make decisions within an otherwise loosely defined set of regulations.
By design, HIPAA has built-in flexibility to accommodate organizations of varying sizes, resources and levels of protected data. For example, a regional health system may launch a large-scale security program that includes 24/7 monitoring, a dedicated security team and cybersecurity consulting on an as-needed basis. A small-to-medium-sized physician's office would be hard-pressed to match this kind of effort, but the Office for Civil Rights (OCR), the agency responsible for HIPAA security compliance enforcement, recognizes that organizations need to make decisions based on practical constraints and risk levels. However, at the end of the day, every organization must still meet the standards.
In other words, how you structure your HIPAA security compliance program is largely up to you. So how do you make decisions about what to do?
Weighing Your Data Risk Tolerance
Consider each compliance requirement related to safeguarding workstations and how it relates to your own environment.
Let's say you are a small office with only one reception area, and your providers chart on a laptop. For you, requiring strong passwords, encrypting the laptop hard drives, and enabling password-protected screensavers may be all you need to do to meet this requirement and keep access reasonably controlled. You will most likely have some degree of familiarity with the people who are coming through your doors, and a small number of workstations is relatively easy to monitor.
However, if you are a large hospital with hundreds of workstations rolling around hallways and in and out of patient rooms, any number of unsavory characters could peek over shoulders or steal data from unattended workstations. In this case, you may want to consider additional controls, including physically locking the workstations to the rolling carts, privacy screen filters that greatly restrict the angle at which data can be viewed, and possibly proximity-based multifactor authentication.
At first glance, choosing a higher level of data security may appear to be cost-prohibitive. But we consistently find that not to be the case. The indirect cost of setting the bar too low on your security controls often doesn't show up on the books. Employees lose time at work when they can't get into the system. The IT department fights fires with quick fixes that are 'plugged in' just to meet compliance, creating an unwieldy patchwork that's difficult to manage. And don't forget to factor in the loss of public trust and goodwill when a major breach occurs. If you do a cost/benefit analysis on each security control, you may find that stopping at 'meets compliance' puts you at greater risk than your business can tolerate.
Whatever you decide, write it down. Documentation is a key component of the HIPAA Security Rule. If you justify each decision in writing, the OCR will take that into consideration should you be chosen for an audit.
HIPAA Data Security Tips
HIPAA rules and regulations are multi-faceted and complex. By assigning an employee as the resident expert, you not only increase your in-house skills, you will also be able to realize economies of scale by taking a more centralized approach. Of course, having a named security official is a requirement of the HIPAA Security Rule. This could be a dedicated or part-time role, depending on the size of your organization. Among other duties, your security officer will be responsible for conducting or overseeing the regular security risk analyses, testing and validating controls on an ongoing basis, tracking security incidents and breaches that may have occurred, ensuring that employees receive regular awareness training and security reminders, and making sure everything is written down.
Here are some overarching action items that HIPAA calls on you to do:
- Identify where patient data resides. Asset inventory is a critical part of HIPAA compliance, but knowing what you have is important for your business operations, too. Data can be stored on the server, multi-function copier/printers, spreadsheets, mobile devices, external media, and with third parties. The initial cataloging of your inventory can be burdensome, but it also gives you the opportunity to delete and discard in a secure fashion everything you no longer need.
- Secure your data. Most organizations already have basic security technology in place, such as firewalls and anti-virus software. But you will also want to consider access control, data encryption (where appropriate), system monitoring and regularly scheduled reviews of all system logs. This last one often gets overlooked. HIPAA requires you to go beyond just installing the tools; someone needs to be responsible for keeping an eye out for anomalies, attempted intrusions and otherwise undetected breaches.
- Assess physical security. Be a detective and imagine all of the ways a thief could get to your data, as well as to PHI in paper form. Is the server room locked? How about filing cabinets full of medical records? How many employees have access to them? Is the key code changed every time an employee moves to another department or leaves the company? Also consider your workstations. Screen visibility should be limited to the people who are using them. Monitor the logistics of the facility and any areas that might pose a risk to keeping patient data secure.
- Make decisions on mobile access. Organizations with the highest level of security controls often neglect to extend that stringency to mobile devices. Without giving it a thought, employees use their phones to check email and transfer documents. Even worse, they'll use a phone in a restaurant and accidentally leave it on the table when they leave. Strict policies must be decided upon and communicated to the entire staff. Consider which types of data can be accessed wirelessly, and require personnel to keep their mobile devices under their control at all times.
- Train your staff regularly. Social engineering techniques are quite sophisticated and many people fall prey to them. Remind your staff to be suspicious and give them examples of what a ploy might look like. But even more common is simple neglect. A lot of security breaches are the result of mistakes made by people who aren't paying attention. HIPAA requires that everyone in the organization receive regular training on how to handle sensitive data and to be aware of actions they might be taking to jeopardize it.
- Understand relationships with business associates. Solicit help from the accounting department to compile a list of all business associates. Review their contracts. Make sure your business associates have demonstrated to your satisfaction that they are compliant. If they are found by the OCR to be non-compliant, the subsequent investigation could include you.
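The "regularly scheduled reviews of all system logs" item above is the one that needs a person and a routine behind it. As an added illustration that is not part of the original article, the following Python script reviews a constructed sample of EHR access-log lines for three of the anomalies a security officer would look for: repeated failed logins on one account, activity outside business hours, and one user opening an unusually large number of distinct patient charts. The log format, the user names, the event names and the thresholds are all assumptions made for the example; a real review would use the log format of the organization's own systems and thresholds set from its risk analysis.

```python
"""
Added example (not from the original article): a small log-review routine
for the anomalies the HIPAA log-review duty calls for. Everything below --
log format, user names, event names and thresholds -- is an assumption
chosen for illustration, not a real system's format or real data.
"""
from collections import defaultdict
from datetime import datetime

# Assumed log format: <ISO timestamp> <user> <event> [patient=<id>]
# Constructed sample lines (not real data): a nurse with normal activity,
# a doctor with five failed logins, a billing user working at 23:00, and
# a temporary user who opens 40 different charts in 40 minutes.
SAMPLE_LOG = """\
2024-03-04T08:15:02 nurse.k LOGIN_OK
2024-03-04T08:16:40 nurse.k VIEW_CHART patient=10021
2024-03-04T08:20:11 nurse.k VIEW_CHART patient=10022
2024-03-04T09:02:55 dr.lee LOGIN_FAIL
2024-03-04T09:03:10 dr.lee LOGIN_FAIL
2024-03-04T09:03:25 dr.lee LOGIN_FAIL
2024-03-04T09:03:41 dr.lee LOGIN_FAIL
2024-03-04T09:04:00 dr.lee LOGIN_FAIL
2024-03-04T09:04:20 dr.lee LOGIN_OK
2024-03-04T23:10:05 billing.t LOGIN_OK
2024-03-04T23:11:30 billing.t VIEW_CHART patient=10500
2024-03-04T10:00:00 temp.r LOGIN_OK
""" + "".join(
    f"2024-03-04T10:{i:02d}:00 temp.r VIEW_CHART patient={20000 + i}\n"
    for i in range(1, 41)
)

# Assumed thresholds; an organization would set these from its own risk analysis.
FAILED_LOGIN_THRESHOLD = 5     # failed logins per user in the reviewed window
BUSINESS_HOURS = (7, 19)       # 07:00 up to (not including) 19:00 local time
CHART_VIEW_THRESHOLD = 30      # distinct patient charts per user in the window


def parse_line(line):
    """Split one assumed-format log line into a dict of its fields."""
    parts = line.split()
    patient = None
    for extra in parts[3:]:
        if extra.startswith("patient="):
            patient = extra.split("=", 1)[1]
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "user": parts[1],
        "event": parts[2],
        "patient": patient,
    }


def review_log(text):
    """Return a sorted list of (finding, user, count) tuples for the log text."""
    failures = defaultdict(int)        # user -> failed login count
    after_hours = defaultdict(int)     # user -> events outside business hours
    charts = defaultdict(set)          # user -> distinct patient ids viewed
    start, end = BUSINESS_HOURS

    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] == "LOGIN_FAIL":
            failures[rec["user"]] += 1
        if not (start <= rec["ts"].hour < end):
            after_hours[rec["user"]] += 1
        if rec["event"] == "VIEW_CHART" and rec["patient"] is not None:
            charts[rec["user"]].add(rec["patient"])

    findings = []
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_login_failures", user, n))
    for user, n in after_hours.items():
        findings.append(("after_hours_access", user, n))
    for user, ids in charts.items():
        if len(ids) >= CHART_VIEW_THRESHOLD:
            findings.append(("excessive_chart_views", user, len(ids)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, user, count in review_log(SAMPLE_LOG):
        print(f"{kind}: user={user} count={count}")
```

Each finding is a prompt for a human to look, not a verdict: a billing clerk working late may be legitimate, and a temp who opens 40 charts may be doing an assigned chart audit. The point of the routine is that someone is named to run it on a schedule, and that the follow-up on each finding is written down, which is exactly the documentation the Security Rule asks for.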
Culture of Preparedness
With the upcoming OCR audits, a frighteningly large number of organizations are in scramble mode.
But some forward-thinking organizations have already instituted a culture of preparedness. These entities have taken a more conservative approach to securing their information systems by treating their data as a valued asset. Should they be audited, they will most likely fare much better. And, of course, that means their patients will, too.
For more information on HIPAA security requirements, and the OCR Audits, check out LBMC's OCR Audits Demystified: Healthcare Security Compliance Guide.
Mark Fulford is a shareholder in the LBMC Information Security practice group in Brentwood, Tenn.
As featured in Advance Healthcare Network.