Although HIPAA was enacted in 1996, long before cloud and mobile technologies entered the mainstream, compliance with its requirements is more important than ever. Electronic medical records (EMR) are top targets for cybercriminals, not just because they contain personally identifiable information (PII) and protected health information (PHI), but because the people they describe depend on them. When access to a patient's record can quite literally be a matter of life and death, providers are under enormous pressure to restore it quickly, which makes them prime targets for ransomware operators hoping to make easy money. That's why every healthcare organization should treat its compliance obligations as a floor rather than a ceiling and take every necessary step to protect its digital assets.
1. Implement a documented training program
HIPAA's Security Rule requires security awareness and training for everyone who handles EMR, whether they work for a covered entity or one of its business associates. HIPAA doesn't specify how long training should be or exactly which topics it must cover, so it's important to implement a training program that is documented, repeated at a fixed interval, and audited. In the event of a breach, you may be required to demonstrate that you made every reasonable effort to train your workforce on current security practices. Training should cover information security basics, the administrative safeguards your own policies require, and social engineering awareness, with records of who completed each session and when.
2. Adopt the principle of least privilege
Least privilege is not named as such in HIPAA, but it is closely related to the Privacy Rule's "minimum necessary" standard, and it greatly limits the damage a compromised account can do. The model grants only the permissions needed to carry out a specific task: unless an employee cannot do their job without access to a given system or record type, they shouldn't have it. Access should be denied by default and granted per role rather than per person, and administrators must be able to revoke it immediately for compromised accounts or devices and for employees who have left the company. To add a further layer of security, require two-factor (or multi-factor) authentication rather than relying entirely on passwords.
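As an added example (not code from the original article), here is what the least-privilege model described above looks like when written down as an authorization check. Permissions are attached to roles rather than to individuals, every decision is denied unless a role explicitly grants it, clinical records are only released for patients on the user's own care unit (a "minimum necessary" check), a verified second factor is required before any record is returned, revocation takes effect on the very next request, and every decision is written to an audit log. The role names, record types, care units and user accounts are assumptions made up for the example.

```python
"""Deny-by-default, least-privilege access control for EMR (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each role gets the smallest (action, record type) set its job needs.
# Role names, record types and permission sets are assumptions for illustration.
ROLE_PERMISSIONS = {
    "attending_physician": {
        ("read", "clinical_note"), ("write", "clinical_note"), ("read", "lab_result"),
    },
    "nurse": {("read", "clinical_note"), ("read", "lab_result")},
    "billing_clerk": {("read", "billing_record")},
    # System administration does not require patient data: no PHI permissions at all.
    "it_admin": set(),
}

# Record types that are only needed for patients on the user's own care unit.
UNIT_SCOPED_RECORDS = {"clinical_note", "lab_result"}


@dataclass
class User:
    username: str
    roles: set
    unit: str            # care unit the user is assigned to
    mfa_verified: bool   # True once the current session passed a second factor
    revoked: bool = False


@dataclass
class Record:
    record_type: str
    patient_unit: str    # care unit the patient is currently on


@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_user(self, user):
        self.users[user.username] = user

    def revoke(self, username):
        """Revoke immediately: the next authorize() call fails, nothing is cached."""
        user = self.users[username]
        user.revoked = True
        user.roles = set()

    def authorize(self, username, action, record):
        """Return (allowed, reason) and record the decision in the audit log."""
        allowed, reason = self._decide(username, action, record)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username, "action": action, "record_type": record.record_type,
            "patient_unit": record.patient_unit, "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def _decide(self, username, action, record):
        user = self.users.get(username)
        if user is None:
            return False, "unknown user"
        if user.revoked:
            return False, "account revoked"
        if not user.mfa_verified:
            return False, "second factor not verified"
        # Union of the permissions of every role the user currently holds.
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
        if (action, record.record_type) not in granted:
            return False, "no role grants %s on %s" % (action, record.record_type)
        if record.record_type in UNIT_SCOPED_RECORDS and record.patient_unit != user.unit:
            return False, "patient is outside the user's assigned unit"
        return True, "granted by role"


def demo():
    """Walk through typical requests; returns the (allowed, reason) results in order."""
    ac = AccessControl()
    ac.add_user(User("nurse.kim", {"nurse"}, "ICU", mfa_verified=True))
    ac.add_user(User("clerk.ortiz", {"billing_clerk"}, "BILLING", mfa_verified=True))
    ac.add_user(User("admin.lee", {"it_admin"}, "IT", mfa_verified=False))
    icu_note = Record("clinical_note", "ICU")
    onc_note = Record("clinical_note", "ONC")
    bill = Record("billing_record", "ONC")
    results = [
        ac.authorize("nurse.kim", "read", icu_note),    # allowed: own unit, role grants read
        ac.authorize("nurse.kim", "read", onc_note),    # denied: patient on another unit
        ac.authorize("nurse.kim", "write", icu_note),   # denied: nurses cannot write notes
        ac.authorize("clerk.ortiz", "read", bill),      # allowed: billing is not unit-scoped
        ac.authorize("admin.lee", "read", icu_note),    # denied: no second factor
        ac.authorize("nobody", "read", icu_note),       # denied: unknown user
    ]
    ac.revoke("nurse.kim")                              # e.g. employee leaves or account is compromised
    results.append(ac.authorize("nurse.kim", "read", icu_note))  # denied: revoked
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The important properties are that there is no path to "allowed" except through an explicit role grant, that the unit check applies even when the role grant exists, and that `revoke()` changes the outcome of the very next call; the audit log gives you the evidence trail a risk assessment or breach investigation will ask for.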
3. Regularly assess your risk maturity
HIPAA's Security Rule requires a documented risk analysis and periodic evaluation of your safeguards, and HITECH strengthened enforcement of those requirements. Good practice is an annual risk assessment, repeated whenever you make a major change to your technology infrastructure. A HIPAA-compliant risk assessment starts with a complete inventory of your environment: where EMR is stored, who has access to it, and which controls protect it. You then estimate the likelihood of each threat and its potential impact on the organization, and combine the two into a risk level for each finding. Ranking findings this way shows where to spend effort first and lets you track your risk maturity from one assessment to the next.
4. Create a disaster response plan
Transparency is another key requirement of HIPAA compliance, and it's also good practice for the sake of your reputation. Disaster response planning isn't just about remediating the incident and recovering from financial losses; it must also include a documented process for notifying affected parties when a breach occurs. The HIPAA Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay, and in no case later than 60 days after the breach is discovered. A breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area, and any breach affecting 500 or more individuals must be reported to the HHS Secretary within the same 60-day window. Smaller breaches must be logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered.
5. Manage your vendors carefully
Today's businesses typically work with dozens of third-party vendors, such as cloud providers and other technology companies, many of which handle sensitive information on their behalf. Business associates carry their own liability under HITECH, but it's still up to you to choose vendors who are HIPAA- and HITECH-compliant and to verify that they are. That's why you need a robust vendor-management strategy that gives you full visibility into who has access to your data and what they do with it. Every vendor that creates, receives, maintains, or transmits PHI on your behalf must sign a business associate agreement before it touches your data, and the agreement should be reviewed whenever the scope of the engagement changes.