Part of my role as Chief Technology Officer at Applied Tech is to stay current on the security and compliance practices required of our customers. On April 26th, I attended the HIPAA COW spring event in Wisconsin Dells, where healthcare, privacy, and technology experts get together to discuss current trends and news in HIPAA-regulated industries. As usual, the event was very informative with some great takeaways. Even if you are not required to follow HIPAA, these takeaways can provide great value to your organization.
Understand your risks:
- Understand your risks. The HIPAA Security Rule requires a security risk analysis, and doing one annually is the expected cadence. It is the critical first step in deciding which improvements to focus on first. As part of the assessment, analyze each identified risk and document a plan to avoid, mitigate, transfer, or accept it, with an owner and a target date for each item.
- Create a plan and manage to it. Once the assessment is complete and the risks are rated, work the plan every month: tackle the critical issues first and slip in the simple fixes as you go. The key is implementing change at a pace the organization can tolerate.
- Review privileged accounts at least annually. Privileged accounts are the ones with system administration rights, and they should be held by a small number of people. Keep an inventory of those accounts and the groups that grant the rights, and alert on any change to them (a member added to or removed from an administrative group, a new local administrator, a service account granted admin rights). Reviewing the list once a year catches drift; alerting on changes catches it the day it happens.
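The following is an added example, not code from the original post or from Applied Tech, of the two controls described above: alerting on privileged-group membership changes and diffing a membership snapshot against a reviewed baseline. The Windows Security event IDs (4728/4732/4756 for a member added to a security-enabled group, 4729/4733/4757 for a member removed) are real; the flat `key=value` log format, the sample events, the list of groups treated as privileged and the snapshots are all constructed for the example.

```python
"""Added example: flag changes to privileged Active Directory / local groups.

Two checks are shown:
  1. privileged_changes(): scan exported security events for membership
     changes to groups considered privileged (real-time style alerting).
  2. diff_membership(): compare the current group membership snapshot against
     the last reviewed baseline (the annual-review style check).
The log line format and all sample data are constructed for this example.
"""
import re
from dataclasses import dataclass

# Windows Security event IDs for membership changes in security-enabled groups.
ADD_EVENTS = {4728, 4732, 4756}      # global / local / universal group: member added
REMOVE_EVENTS = {4729, 4733, 4757}   # global / local / universal group: member removed

# Groups treated as privileged (assumed list; extend for your environment).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}


@dataclass(frozen=True)
class Alert:
    event_id: int
    action: str    # "added" or "removed"
    member: str    # account whose membership changed
    group: str     # group that changed
    actor: str     # account that made the change


# Constructed export format (not a real Windows log format): one event per line.
LINE_RE = re.compile(r"^EventID=(\d+) Group=(.+?) Member=(\S+) Actor=(\S+)$")

# Constructed sample events.
SAMPLE_EVENTS = [
    "EventID=4728 Group=Domain Admins Member=CORP\\jdoe Actor=CORP\\svc_provision",
    "EventID=4728 Group=Marketing Member=CORP\\asmith Actor=CORP\\hr_admin",
    "EventID=4732 Group=Administrators Member=CORP\\contractor1 Actor=CORP\\jdoe",
    "EventID=4729 Group=Domain Admins Member=CORP\\old_admin Actor=CORP\\secops",
    "EventID=4624 LogonType=10 Account=CORP\\jdoe",   # logon event, not a membership change
]


def parse_event(line):
    """Return an Alert for a group-membership event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event_id = int(m.group(1))
    if event_id in ADD_EVENTS:
        action = "added"
    elif event_id in REMOVE_EVENTS:
        action = "removed"
    else:
        return None
    return Alert(event_id, action, member=m.group(3), group=m.group(2), actor=m.group(4))


def privileged_changes(lines):
    """Alerts for membership changes that touch a privileged group, in log order."""
    alerts = (parse_event(line) for line in lines)
    return [a for a in alerts if a is not None and a.group in PRIVILEGED_GROUPS]


def diff_membership(baseline, current):
    """Compare group -> set(members) snapshots; report privileged-group drift only."""
    added, removed = set(), set()
    for group in PRIVILEGED_GROUPS:
        before = baseline.get(group, set())
        after = current.get(group, set())
        added |= {(group, m) for m in after - before}
        removed |= {(group, m) for m in before - after}
    return {"added": added, "removed": removed}


# Constructed snapshots: the last reviewed baseline and today's export.
BASELINE = {
    "Domain Admins": {"CORP\\admin1", "CORP\\old_admin"},
    "Administrators": {"CORP\\admin1"},
}
CURRENT_SNAPSHOT = {
    "Domain Admins": {"CORP\\admin1", "CORP\\jdoe"},
    "Administrators": {"CORP\\admin1", "CORP\\contractor1"},
    "Marketing": {"CORP\\asmith"},   # not privileged, so ignored by the diff
}

if __name__ == "__main__":
    for a in privileged_changes(SAMPLE_EVENTS):
        prep = "to" if a.action == "added" else "from"
        print(f"ALERT {a.event_id}: {a.member} {a.action} {prep} {a.group} by {a.actor}")
    drift = diff_membership(BASELINE, CURRENT_SNAPSHOT)
    for group, member in sorted(drift["added"]):
        print(f"REVIEW: {member} is in {group} but not in the approved baseline")
    for group, member in sorted(drift["removed"]):
        print(f"REVIEW: {member} left {group} since the last review")
```

In practice the event scan runs continuously against the SIEM or the domain controllers' Security logs and pages someone, while the snapshot diff runs on the review cycle and drives a sign-off from the account owners. Both depend on the same piece of homework: a written list of which groups count as privileged.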
Avoid fines under HIPAA:
- Conduct an annual risk analysis. Auditors are looking for evidence of a serious, ongoing approach, not a one-time checklist. As discussed above, a documented assessment and a plan you are actively working are the best place to start.
- Encrypt devices and media. Encryption is the most reliable way to safeguard ePHI on laptops, phones, and removable media. If an encrypted device is lost or stolen, the data on it stays protected, and ePHI encrypted in line with the HHS guidance is treated as "secured," so its loss is not a reportable breach. That protection only holds if the key or passphrase is not stored with the device and you can prove the device was encrypted, so keep central records of encryption status. (It is also very easy to turn on with the tools built into current operating systems.)
- Ensure business associate agreements are in place where applicable. Any vendor that creates, receives, maintains, or transmits PHI on your behalf, including IT providers and cloud services that host it, needs a signed BAA.
If you are looking for more information on how to increase your security:
The 405(d) Task Group (named for Section 405(d) of the Cybersecurity Act of 2015) recently released a publication called Health Industry Cybersecurity Practices (HICP). Part of this publication, Technical Volume 1, describes 10 cybersecurity practices aimed at smaller healthcare organizations and business associates that have limited resources for managing cybersecurity. The publication is vendor agnostic and can help these smaller organizations implement improvements that mitigate the most likely threats today. If you are looking for a shorter summary, check out this blog: 8 ways to stay more secure and compliant!
Applied Tech is an expert in HIPAA privacy when it comes to technology and has designed specific Managed Security packages that you can deploy to stay compliant, secure, and fine-free.
More about Kris:
Kris Cears has been with Applied Tech since 2002 and has over 18 years in the IT industry. For many years he provided direct support for customers and implemented infrastructure projects. He then served as Director of Technical Services, overseeing the delivery of Managed Services and Infrastructure Professional Services. He has recently focused on improving security both internally at Applied Tech and for our customers. He holds certifications in technologies such as Microsoft Server, VMware, and HP ProCurve Networking.