Most folks in healthcare think that if they’ve got HIPAA security covered, their offices are safe from cyberattacks. While HIPAA security is a good start at keeping patient records secure from breaches, it is not the same thing as cybersecurity, especially when it comes to protecting your office from the latest ransomware attacks.
Nearly three quarters of cyberattacks in healthcare occurred even though the business had passed HIPAA audits with flying colors. [Note: HIPAA security assessments are still important to your practice or office to ensure you are abiding by government regulations. If you’re not sure about your status on HIPAA, cybersecurity experts strongly recommend you evaluate your network to ensure compliance.]
While HIPAA does go a long way to protect patient data, it remains a checklist of To Do items that normally are only addressed occasionally or that don’t get implemented with your organization’s specific network environment and team in mind.
What HIPAA security falls short on is making sure the entirety of your business is protected from cyber events—not simply measures addressing how to protect health information.
Because the majority of attacks on healthcare succeed even when recommended HIPAA security measures are followed, healthcare organizations need ways to evaluate what they should do to prevent cyberattacks and data breaches in addition to meeting compliance requirements.
Today, I want to spend some time talking about why your organization might want to consider a more holistic cybersecurity approach—one that encompasses HIPAA compliance concerns—rather than simply passing an annual HIPAA assessment or audit and calling your office secure.
Why Compliance Is NOT Enough
Even protecting your patient information nowadays seems to fall well beyond the scope of what HIPAA originally outlined. While your EHRs (that is, electronic health records) were once thought to be the single source of sensitive information in healthcare offices, data now stretches far beyond EHRs, into the seemingly bottomless pools of big data and analytics.
In addition to big data, offices are either sharing their information or having information maintained and curated by outside parties (known by HIPAA as business associates), leading to even greater chances of patient data breaches—simply because so many hands have access to your records.
Because of the great expanse of records shared amongst business associates, most healthcare offices have made sure that they are protecting the privacy of their patients by spending the majority of their resources ensuring that Social Security Numbers and other identifying information are stripped from records, so that the data is de-identified in the event of a breach.
What are most healthcare offices doing to maintain HIPAA standards? Instead of actually protecting patient data, they are spending money making sure that individual records do not have identifying information on them.
The problem with this is that even though data may be de-identified, if someone were able to gain access to an EHR through stolen credentials (an unauthorized login, a successful phishing attempt, or a stolen device), they can probably piece together the puzzle of whom a record belongs to relatively easily.
Cross-referencing de-identified data is relatively straightforward for an attacker who can penetrate corporations and hospitals, or who has the capacity to encrypt and shut down entire local governments.
What your office needs is a more holistic approach to healthcare security.
Beyond HIPAA Security and Privacy rules, shouldn’t your office have a sure-fire way of safeguarding patient data—along with data related to your business and team—and eliminating you as an easy target for cyberattacks?
Instead of thinking about security as checks in boxes, many experts recommend that businesses (especially in healthcare) change their thinking to make security part of routine processes. From a management perspective, here are 7 safeguards that help deliver holistic cybersecurity across your entire office’s network:
Security management—someone on your team should take charge in evaluating your office’s security risks. To be compliant AND secure, experts often recommend evaluating your security through a variety of reviews, including risk analyses, ways to manage your risks, and a complete review of your information systems. The easiest way to evaluate risk is through a network security assessment.
Protecting your workforce—providing your team with clear instructions and reminders on how to keep patient data (and their own personal information) secure helps ensure that every single team member is on board with your security. Consider finding ways to make security part of routine habits.
Information management—Make sure someone on your team (or in your IT department) supervises and delegates privileges to those that need access to information. When someone leaves your organization, you will also need to revoke their access privileges. Who is currently making sure the right people have the right access to your sensitive data?
Security awareness and training—while HIPAA requires regular (typically annual) security training for your staff, most of the time this training goes in one ear and out the other after a quiz or assessment is satisfactorily completed. The reason for this? Most training is not sticky. Consider an approach where team members are reminded of risks, are rewarded for learning from their mistakes, and where people are encouraged to keep security hygiene (password management, software use, web browsing) a part of your organization’s culture.
Contingency plans—even if you train and remind your staff how to protect sensitive information, keep your network secure by applying patches promptly, and actively monitor your network for suspicious activity, there’s always a chance that something may happen. Having tested plans that will recover your office from backups in the event of a disaster, following a comprehensive disaster recovery procedure, and being able to initiate emergency-mode operations are crucial to surviving any unexpected event.
Access controls—it’s become even more important that your team members validate who they are when accessing sensitive information. Your office should have ways to ensure that anyone logging into secure areas of your network appropriately identifies themselves. If they are away from their desks, you should have ways to automatically log them off. You should also have ways to make sure sensitive data stays encrypted, and to identify unencrypted data on your network or on individual workstations where it shouldn’t be.
Transmission security—you need to have methods to ensure that data being moved across your office or to other offices is secure at all times. This often entails making sure that the data you are sending is complete (i.e., its integrity is intact), the data is encrypted, and that you have put in place safeguards against unauthorized access of electronic PHI (or other sensitive information) while it is in transit to a business associate.
With technological advancements since HIPAA rules were created, the landscape of healthcare cybersecurity has gotten much more complex. Many more devices are connected on your network, and many more people are figuring out exploits to hack into those devices, making cybersecurity a more critical component of every healthcare office—far beyond simply making sure you meet compliance obligations.
Are you sure you’re doing enough to keep your staff and patients safe from cyberattacks? Contact Us TODAY for a free network security assessment.