If you are required to comply with HIPAA but have not yet had to deal with it, it is likely in your future. HIPAA compliance is absolutely essential in a world where data breaches are becoming the norm rather than the exception. In fact, the Ponemon Institute estimates that nearly 90% of healthcare organizations have suffered a data breach, costing the industry around $6.2 billion over the last two years! If that is not enough to motivate you to comply, how about a fine of up to $50,000 per violation?
With that in mind, we’ve put together this primer on what you as an executive can review with your IT team or vendor to make sure your technology practices are compliant with HIPAA. This is by no means an exhaustive list of all HIPAA requirements, but rather a quick guide to get you moving toward compliance from an IT perspective.
As you read, keep in mind that these requirements apply to everyone who accesses electronic patient health information (ePHI) in your custody: your staff, other doctors, insurance providers, vendors, and patients themselves! Also, know that most of the requirements are currently not very specific (for example, there are no specific requirements around passwords or the type of antivirus software you should use), just that these measures need to be in place. However, as HIPAA audits continue, the details will very likely follow in policy updates!
Encryption
Perhaps the single most important requirement of HIPAA is that all data needs to be encrypted, both in transport and at rest. Here are our recommended best practices for encryption to comply with HIPAA:
- Data at rest: Stored data, whether in a file, a database, or a backup must be encrypted; this also applies to portable storage such as CDs and USB drives that are not encrypted by default
- Hard drives: Hard drives for any devices in your organization should be encrypted
- Data transfer: Ensure that all methods of data transfer (including email, patient portals, and other websites and applications) are encrypted when patient information is involved
- Certificates: Any websites you use to manage or transfer ePHI should have digital encryption certificates
- Email: Encrypt email whenever ePHI is involved (this includes email or messaging done via a portal or website as well as your normal email client)
- Locked devices: All devices that store or access ePHI (including employees’ personal mobile devices) should be secured with a passcode
- Remote access: Any ePHI accessed from a mobile device or laptop, including through an app, should go through a VPN or another secured channel
Access Control
To put it simply, with HIPAA you need a way to verify that a user is who they claim to be. Policies must be in place so that every individual has a unique identifier and credentials for all of your systems storing ePHI. Your access control policy should include:
- A strong password policy: Passwords should have length and complexity requirements, and be changed on a monthly basis if possible
- No shared accounts: Users should never share usernames, passwords, or accounts; employees should not be using each other’s dedicated machines either
- Timed logouts: Users should be logged out of a system automatically after a predetermined period of inactivity (we recommend 5–10 minutes)
- Revoked privileges: There are a few equally important aspects to this policy to ensure users can no longer access ePHI after termination:
  - Communication between HR and IT is essential to ensure terminations are identified
  - Institute monthly or quarterly audits to ensure there are no “ghost” employees in the system and that no user has more access than they need
  - Admin accounts must be removable from the system
  - Ensure that external users (vendors or other partners) can be audited and removed as well
- Firewalls and security: Appropriate firewall rules and security measures must be in place to limit external access to ePHI
- Auditing: Your directory system and all other systems should have the ability to audit, track, and report historical access
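The periodic access audit described under “Revoked privileges” can be scripted. The following is an added example (not from the original article): it cross-checks a directory export against the HR roster and flags terminated users still enabled, “ghost” accounts with no HR record, external accounts past their contract end, stale accounts, and every admin account for a least-privilege check. All records, the review date and the export field names (`employee_id`, `type`, `contract_end`) are constructed assumptions.

```python
"""Quarterly access review: cross-check directory accounts against the HR roster.
Added example, not from the original article; records are constructed and the
export fields (employee_id, type, contract_end, ...) are assumed."""
from datetime import date, timedelta

# Constructed HR roster: employee id -> employment status reported by HR.
HR_ROSTER = {"E100": "active", "E101": "terminated", "E102": "active"}

# Constructed directory export, one dict per enabled account.
DIRECTORY = [
    {"account": "jdoe", "employee_id": "E100", "type": "staff", "admin": False,
     "last_login": date(2024, 3, 28)},
    # HR terminated E101 last month, but IT was never told.
    {"account": "asmith", "employee_id": "E101", "type": "staff", "admin": False,
     "last_login": date(2024, 2, 2)},
    # No HR record at all: a "ghost" account, and an admin one.
    {"account": "rlee", "employee_id": "E999", "type": "staff", "admin": True,
     "last_login": date(2023, 11, 1)},
    # External user whose contract has ended.
    {"account": "billing-vendor", "employee_id": None, "type": "vendor", "admin": False,
     "contract_end": date(2024, 1, 31), "last_login": date(2024, 3, 1)},
    {"account": "mchen", "employee_id": "E102", "type": "staff", "admin": True,
     "last_login": date(2024, 3, 30)},
]
REVIEW_DATE = date(2024, 4, 1)  # constructed date of this review

def review_access(directory, hr_roster, today, inactive_days=90):
    """Return {account: [findings]} for accounts that need action at this review."""
    findings = {}
    stale_cutoff = today - timedelta(days=inactive_days)
    for acct in directory:
        issues = []
        if acct["type"] == "vendor":  # external users: check the contract, not the roster
            end = acct.get("contract_end")
            if end is not None and end < today:
                issues.append("vendor contract ended; remove access")
        elif acct["employee_id"] not in hr_roster:
            issues.append("ghost account: no HR record")
        elif hr_roster[acct["employee_id"]] == "terminated":
            issues.append("terminated employee still enabled")
        if acct["last_login"] < stale_cutoff:
            issues.append(f"no login in {inactive_days} days")
        if acct["admin"]:  # admin rights are re-justified at every review
            issues.append("admin rights: confirm still required")
        if issues:
            findings[acct["account"]] = issues
    return findings
```

Each finding maps to a ticket for IT (disable, remove, or confirm), which is the record an auditor will ask for.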
Data Backup and Recovery
You need to have the ability to recover data in the case of any issue: a system crash, accidental deletion, a virus, or even a data breach. It should go without saying that your backed-up data needs to be encrypted and stored safely and securely.
- Decommissioned equipment: There must be a process to make sure ePHI is no longer on an old device when it is decommissioned or disposed of
- Retrievable data: Copies of ePHI need to be easily accessible in the event of a data breach or other disaster
- Tested disaster recovery plan: A cloud-based disaster recovery solution should be in place for your systems and data, and your disaster recovery plan should be tested regularly (and all storage and transfer involved must be encrypted)
- Encrypted backups: As mentioned earlier, ensure that your backed-up data is also encrypted
Keep in mind that there is a difference between recovery required for compliance and data recovery for your organization as a business; it’s important to be prepared to fulfill an audit while also resuming operations after a security incident.
Logging and Auditing
A technology solution is needed to log all points of access (both internally and remotely) and provide quality reporting (who has accessed what systems/data and when).
- Track access to all information: Turn on auditing abilities wherever possible in all your systems and monitor all access at all entry points (through the firewall, user accounts, endpoints, software, and network access—including access from mobile devices)
- Data retention: It’s appropriate to retain 30, 60, or even 90 days of logged data; longer is always better so that you can go back and analyze an incident discovered after the fact and take appropriate remediation measures
- Remote access: Ensure that your auditing and logging methods can track and report remote logins, logins using a mobile device, traffic passing through firewalls, and any activity from outside users, vendors, or potential threats
- Due diligence: When looking into integrating a new application or program, make sure it has the auditing capabilities you need (check what access it logs, how long it stores data, how far back you will have visibility, what its reporting capabilities are, etc.)
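The reporting this section asks for (who accessed which record and when, which logins were remote, and whether the retained log actually covers the review window) can be produced from an access log. This is an added example, not from the original article: the log line format, the sample lines, the internal address range and the review date are all constructed assumptions, not any real product’s format.

```python
"""Access-log review for an ePHI system: who touched which record, from where,
and whether the retained log reaches back as far as the review needs.
Added example, not from the original article; the line format and the log
lines are constructed, and the internal address range is assumed."""
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate address space
RETENTION_DAYS = 90                          # the upper figure the article suggests

# Constructed sample log; format assumed: "<ISO time> user=<u> src=<ip> action=<a> record=<r>"
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=jdoe src=10.0.5.21 action=view record=PT-4471
2024-03-01T08:05:40 user=jdoe src=10.0.5.21 action=export record=PT-4471
2024-03-02T22:14:03 user=asmith src=203.0.113.9 action=view record=PT-1183
2024-03-15T09:30:00 user=billing-vendor src=198.51.100.7 action=view record=PT-4471
2024-03-30T17:45:12 user=mchen src=10.0.5.40 action=login record=-
"""
REVIEW_TIME = datetime(2024, 4, 1)  # constructed date of the review

def parse_log(text):
    """Turn each log line into a dict, tagging whether the source was remote."""
    events = []
    for line in text.splitlines():
        stamp, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["time"] = datetime.fromisoformat(stamp)
        event["remote"] = not any(ip_address(event["src"]) in n for n in INTERNAL_NETS)
        events.append(event)
    return events

def review_log(events, now, retention_days=RETENTION_DAYS):
    """Per-user record access, remote logins, and whether retention covers the window."""
    per_user = {}
    for e in events:
        if e["record"] != "-":  # a patient record was actually read or exported
            per_user.setdefault(e["user"], []).append(
                (e["time"].isoformat(), e["action"], e["record"]))
    remote = [(e["time"].isoformat(), e["user"], e["src"]) for e in events if e["remote"]]
    oldest = min(e["time"] for e in events)
    covered_days = (now - oldest).days
    return {
        "per_user": per_user,
        "remote": remote,
        "covered_days": covered_days,
        "retention_ok": covered_days >= retention_days,
    }
```

On the sample, the oldest retained line is only 30 days old, so the report flags retention as short of the 90-day target; that is exactly the gap the due-diligence questions above are meant to catch before an incident.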
Workstation Security
Without a secure workstation (laptop/desktop PC), most of the measures explained in this article will be totally ineffective.
- Antivirus software: Hopefully this one is a no-brainer, but all workstations and systems need regularly updated antivirus software that protects against viruses, malware, phishing attacks, infected websites, and malicious emails and links
- Email scanning: Implement advanced email scanning to filter and protect against malicious emails, including any attachments or links
- Training: If at all possible, provide at least basic cybersecurity training for employees so they can identify the warning signs of a virus or phishing attack, and so they know to never give a suspicious email or popup the benefit of the doubt
Mobile Device Protection
With personal mobile devices as well as IoT-connected medical devices in use in nearly all medical facilities today, a mobile device protection plan is essential.
- Passwords: Passwords, passcodes, biometrics, or some other form of access control must be active on any device used to access ePHI (this includes any device able to receive company email)
- Mobile device management: A mobile device management system will allow your team to retrieve ePHI or wipe a device entirely should it be lost or stolen
- Mobile access policies: Have a mobile access policy in place to determine who is connecting to your systems via mobile, and to ensure they are doing so via secure channels
  - Your plan should include regulations on how ePHI data may be used on a mobile device
  - All the measures explained above (data encryption, monitoring and logging activity, access control, etc.) should apply to all mobile users
  - The best practice is to ensure that this policy is communicated to all users, and to make them aware that only mobile access that follows the policy is permitted
I recognize this can seem overwhelming, but the good news is that all these actions fall squarely into the category of standard IT best practices. These are recommendations that every business should be following, and as a result there are core tools already available to put them in place. Get started today – contact your trusted IT partner to make sure your business and clients are protected!