Far too many people think that once they have bought a firewall or anti-virus protection they no longer need to worry about security. This couldn’t be further from the truth. In healthcare we see the same thing with HIPAA compliance. HIPAA compliance and security aren’t things you can just go buy. If you take that approach, your organization is at risk of being compromised and suffering HIPAA penalties.
HIPAA compliance and security are an ongoing process involving your organization and your partners. Part of that process should be taking time to assess potential vulnerabilities in your organization. Here’s a quick run-through of some areas of your organization that might be vulnerable to a breach or a HIPAA violation.
EHR and Health IT Systems
Many organizations ask their health IT vendors if they’re HIPAA compliant during the RFP process. While the intent of the question is good, the perception it creates can be a big vulnerability for an organization. Your EHR and Health IT vendor can help you with elements of your HIPAA compliance, but they are only one step in the process.
The problem is that those who ask the question often come away with the perception that buying a “HIPAA compliant” health IT system will make their organization compliant with HIPAA. Nothing could be further from the truth, and this perception leaves healthcare organizations vulnerable to a breach or a HIPAA violation.
Yes, you should only work with vendors you trust to be HIPAA compliant, or that in itself becomes another major vulnerability, but there is still plenty of work your own organization needs to do to be compliant as well. Also, trust but verify: confirm that all of your business associates are actually doing what they committed to do when it comes to HIPAA compliance. Not all vendors are created equal in this respect.
Medical Record Archives
It never ceases to amaze me how many breaches occur through inappropriate access to an organization’s medical record archives. Organizations are vulnerable when they don’t establish a secure method of transport, or when they use arbitrary offsite storage options that aren’t grounded in the HIPAA regulations. Make sure you are using an offsite storage facility that understands HIPAA so your organization is not exposed.
Legacy Systems
Most IT departments do a pretty solid job securing, updating, and monitoring their production IT systems. However, security often falls short on legacy IT systems that have to be maintained for years after they have been taken out of full production. Updates are forgotten, or not purchased after licenses run out. Operating system patches are forgotten about. The legacy systems themselves are forgotten about. Forgotten systems are a ticking time bomb for an organization, and they are scattered throughout healthcare.
Connected Devices
Every healthcare organization has seen a proliferation of connected devices. This is true of medical devices, which are now connected medical devices and therefore more exposed to attack, but it also applies to the consumer health devices and other IoT devices that are now on your network. Many of these devices don’t store protected health information (PHI), so some mistakenly think they don’t need to be secured with the same rigor. Even though no PHI is stored on these devices, leaving them unsecured hands an attacker a foothold from which to launch attacks on the devices that do store PHI.
Cell Phones and Tablets
Related to device proliferation is cell phone proliferation. Everyone has at least one in their pocket, and many doctors have two. Most organizations have a pretty good handle on the mobile devices they issue to their employees: they have software to make sure the devices are updated and secure, and they can restrict which applications are installed and which sites are visited. The same cannot be said for personal devices. These personal devices are like the Wild West and present a tremendous vulnerability to every healthcare organization. Plus, don’t forget that almost all of your patients have one in their pocket as well, and hackers can use those to breach your organization if you’re not careful.
People
If you ask any security expert, the most challenging thing to secure is your people. This is what makes your people the most challenging vulnerability. The problem with people is that you can’t just throw money or technology at the problem to solve it. Certainly training helps reduce the vulnerability. Technologies that block email attachments or warn end users about them will help. While measures like these help, you will never have enough layers of protection to fully protect your organization against people. However, you can and should make a best effort to reduce the risk.
These are just six of what could be a long list of vulnerability points in your organization. Taking the time to really evaluate how vulnerable your organization is in each of these areas will make you much more compliant with HIPAA and make your organization more secure. It’s always better to spend the time securing your organization now than to try to do it in a rush after your organization receives a HIPAA fine or a breach notification.