Are you sure you and your vendors are HIPAA Compliant?

An organization who is HIPAA compliant has completed the appropriate audits, documented appropriate policies, had a qualified expert conduct a risk assessment, trained employees on how to handle patient data, ensured vendors were HIPAA compliant and enforced diligent security practices. Does this sound like your business? Chances are that if you are reading this blog, you are not so sure.
​
Unfortunately, with HIPAA you are either compliant or not, and most businesses are failing at the task. In this blog we will cover the fundamentals of compliance and key areas where organizations are having trouble.

The basic requirements are always the same, however the security implementations can vary. 

• Conduct 6 annual audits 
• Complete a proper Security Risk Assessment 
• Document security deficiencies
• Create a remediation plan for security gaps 
• Ensure all staff members have annual training
• Document policies and procedures
• Have BA Agreements in place and managed 
• Document process for handling security incidents

See Tandems full HIPAA Audit Checklist [here]

One of the biggest risks, in my opinion, are Business Associates. Each vendor who handles or has a high chance to come into contact with patient data, should have a Business Associate Agreement (BAA) with the healthcare practice. According to the Department of Health & Human Services (HHS), “The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.” Documenting these assurances is also required  (see this [link] for contracts examples).

Ultimately, this means healthcare organizations are responsible for the security of their vendors. Make no mistake about this requirement, it is enforced and according to multiple surveys between 30% and 63% of breaches are caused by 3rd parties. Managing your vendors is a must, are you?

See the following cases:
North Memorial Health Care of Minnesota
The Center for Children’s Digestive Health (CCDH)

The second most neglected area  for HIPAA compliance is the security risk assessment. While risk assessments may seem like a requirement that anyone can do, the average person won’t look at a business the same way an attacker does.  Think about it this way, would you have a family physician conduct brain surgery on you?

*Warning long video ahead*
Watch a few minutes of [this video] from a security conference. Although lengthy, the video draws a clear distinction in the thinking of an attacker versus everyone else. We all look at the world through different lens and without a doubt you should have an expert look at your business through their lenses.

How do you know if your expert is truly an expert? Ask about their experience handling breaches, conducting investigations, ethical hacking, or forensics. Certifications are a great baseline as well. When paired with experience, certifications such as GCIA, OSCP, or GCIH can establish that a professional has the fundamental knowledge to properly assess the security practices of an organization.

Why is this task important to get done correctly? A true expert will know current attack methods for your industry and be able to tell how your security will hold up against an attack. They will also know the best technologies and practices to fill in your security gaps. I have lead ethical hacking projects for multiple Fortune level businesses. As a cautionary tale, these companies thought they were sealed up tight; however, within a matter of hours or days, I had access to any type of data I wanted; medical records, bank accounts, you name it. The moral of the story is, cyber security experts look at things differently, let them do what they are good at.

Bringing this post back to healthcare offices, why is this important to you? Without a Security Risk Assessment completed properly and by a qualified person, the HHS can charge your business with failure to follow best practices and fine your business. 
​
See the following cases:
Catholic Health Care Services of the Archdiocese of Philadelphia
The University of Washington Medicine (UWM)

Many medical practices and their vendors are not compliant with HIPAA regulations. The problem is not for a lack of trying but rather a lack of knowledge. Having a true expert assists with compliance needs protects your practice during an audit, reduces the security risk to your patients, and typically saves money.
 
For a HIPAA check list, go [here].
To get in touch with our experts at Tandem Cyber Solutions, call us at 843-309-3058
Check out our HIPAA services [here]