Unfortunately, with HIPAA you are either compliant or not, and most businesses are failing at the task. In this blog we will cover the fundamentals of compliance and key areas where organizations are having trouble.
What exactly are the requirements?
The basic requirements are always the same; however, the security implementations can vary.
- Conduct 6 annual audits
- Complete a proper Security Risk Assessment
- Document security deficiencies
- Create a remediation plan for security gaps
- Ensure all staff members have annual training
- Document policies and procedures
- Have BA Agreements in place and managed
- Document the process for handling security incidents
See Tandem's full HIPAA Audit Checklist [here].
Two key areas often neglected
Business Associate Agreements
Ultimately, this means healthcare organizations are responsible for the security of their vendors. Make no mistake about this requirement: it is enforced, and according to multiple surveys, between 30% and 63% of breaches are caused by third parties. Managing your vendors is a must; are you doing it?
Security Risk Assessment
*Warning: long video ahead*
Watch a few minutes of [this video] from a security conference. Although lengthy, the video draws a clear distinction between the thinking of an attacker and that of everyone else. We all look at the world through a different lens, and without a doubt you should have an expert look at your business through theirs.
How do you know if your expert is truly an expert? Ask about their experience handling breaches, conducting investigations, ethical hacking, or forensics. Certifications are a great baseline as well. When paired with experience, certifications such as GCIA, OSCP, or GCIH can establish that a professional has the fundamental knowledge to properly assess the security practices of an organization.
Why is this task important to get done correctly? A true expert will know the current attack methods for your industry and be able to tell how your security will hold up against an attack. They will also know the best technologies and practices to fill in your security gaps. I have led ethical hacking projects for multiple Fortune-level businesses. As a cautionary tale, these companies thought they were sealed up tight; however, within a matter of hours or days, I had access to any type of data I wanted: medical records, bank accounts, you name it. The moral of the story is that cyber security experts look at things differently; let them do what they are good at.
Bringing this post back to healthcare offices, why is this important to you? Without a Security Risk Assessment completed properly and by a qualified person, HHS can charge your business with failing to follow best practices and fine it.
See the following cases:
- Catholic Health Care Services of the Archdiocese of Philadelphia
- The University of Washington Medicine (UWM)
Co-founder + Ethical Hacker
Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. He has tackled some of the most daunting certifications in the industry, his passion for the cyber world is unparalleled, and he has had exposure to virtually every industry. He continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.