For anyone taking on the field of healthcare compliance, particularly compliance with the Health Insurance Portability and Accountability Act (HIPAA), the challenge can seem insurmountable. The penalties for failure are severe: loss of customer trust, advantages handed to competitors, and of course fines from regulators. Worse, simply keeping track of every point that must be covered is daunting in itself. Here are a few points to watch out for:
Know the laws.
There are actually two laws that address healthcare compliance. First, there's HIPAA, but additionally, there's HITECH, the Health Information Technology for Economic and Clinical Health Act. The two do interconnect—HITECH focuses especially on the increased use of electronic health records (EHRs), while HIPAA tends to focus on what must be done to protect patient information—but there are also some differences. Knowing how to address both gives you the best chance of meeting each law's demands.
Check the NIST framework.
The National Institute of Standards and Technology (NIST) has its own framework for improving cybersecurity, which is built around four key fronts: Core, Implementation, Profile, and Tiers. Each covers a specific portion of cybersecurity, and the whole concept is based on industry best practices. Once it is fully in place, the NIST framework provides a baseline approach to cybersecurity that leaves HIPAA and HITECH as a few additional requirements layered on top.
Address internal devices.
Once the basic framework and the conceptual parts are in place, start looking at more specific threats. Devices used internally are one of the first points to protect. Many medical devices that weren't network-capable before are now, so their protection has to be established as well. It's easy to count the tablets and desktop PCs that hold everyday patient records. But what about devices like IV pumps, ultrasound machines, and glucose meters? What about the devices that create the information that becomes part of an EHR? Until these devices are protected, each one is another potential data breach waiting to happen.
Address external devices.
One growing phenomenon in the business world is the bring your own device (BYOD) doctrine: devices that employees bring in from outside the business and use for everyday operations within it. BYOD has a positive impact on both employee morale and the bottom line. Employees love using devices they already know how to work, and since the devices are employee-owned, there's no need to pay for them, which saves mightily on capital expenses. Because they are employee-owned, however, these devices don't always follow proper network procedure. Restricting use to vetted apps and avoiding connections to unknown networks often go out the door with employee devices. So be ready with a remote lock-and-wipe capability that can take a device out of the picture if need be.
Address external data sources.
Internal and external devices all operate within the company's boundaries. Cloud-based systems, however, do not; they're merely accessible from company devices. This reduces the amount of control the business has over how the servers involved are run. Here, focus on the points you can control. Work on end-to-end applications and device intelligence. Investigate any potential cloud provider thoroughly to confirm it complies with the necessary regulations. Build your infrastructure out thoroughly. Addressing these key points as well as you can will help ensure full healthcare compliance.
Malware in all its forms, whether a simple virus or full ransomware, can deliver crippling blows to operations. A 2016 study found that nearly half of respondents had been hit by such an attack within the year before responding. Worse, the same study found that fewer than 10% of firms were confident about fighting off such attacks in the future. This is another reason to take cybersecurity seriously. In fact, one excellent way to beat ransomware can also be an excellent HIPAA protection: keeping patient records on devices that are not connected to the network. Without that network connection, ransomware and other malware can't reach the device in the first place.
Watch your patches.
One point that often goes unmentioned when it comes to protecting systems is software patches. These small updates address security flaws you may not even have known existed. Keep an eye out for new patches as they emerge, and make sure they're routinely downloaded and applied. When necessary, use virtual patches, typically delivered through a web application firewall, that let the machine in question keep running until it can be properly patched. Not every system can go offline whenever it needs to, so having that option in place helps.
What to Do When You Need Help Addressing Healthcare Compliance
When the task seems too challenging, or you'd like a fresh pair of eyes to watch your back, get in touch with us at UTG. Our 4-Layer Security Stack offers superior network coverage, and we can address a range of points across the security continuum. Whether it's training, endpoint security, or disaster recovery, we can give you the perspective you need to make your security match regulators' demands. Just drop us a line today to get started.