Recently, I was on a vacation in Germany, and as I visited several medieval cities, I had two thoughts. First, Germany certainly has a lot of walled cities, and second, city walls are a great analogy for HIPAA Compliance. (Don’t worry, I didn’t spend the whole vacation thinking about HIPAA…)
When I work with clients on their HIPAA compliance plans, we start by defining the scope of the plan. Are we only going to focus on a specific part of the company, or are we going to look at the company as a whole? Medical and dental clients don’t have a choice – they have to address the entire practice – but insurers, business associates (BAs) and employer groups have a decision to make.
Nine times out of ten, we find that businesses take our plan and expand it to their entire company or practice, because they find the privacy and security principles applicable to all parts of their business, and it just makes good sense to apply them company-wide. If you’re going to go through the process, why not protect your entire business?
How do you protect your “City”?
Step 1 – Conduct a Risk Assessment
If your enemies tended to use fire to attack your city, you wouldn’t build a wall out of wood. The same principle applies to HIPAA: it’s important to assess what risks your business is going to face, and what reasonable steps you can take to protect your assets.
HIPAA calls for you to assess three different aspects of your business: administrative, physical and technical safeguards. You can hire a third party, or do this yourself. Sometimes it’s easier for a third party to see the gaping hole in your south wall that you’ve overlooked.
Step 2 – Create a Plan
This is where you convert the information you identified in your Risk Assessment into actionable items that everyone can follow. This will keep you from building two towers right next to each other – two facing north, and none facing south. Also, having a plan will ultimately save you money by giving your staff clear instructions and goals.
HIPAA requires that you have written Privacy and Security Policies and Procedures. Think of these as the blueprint for protecting your “city.”
Step 3 – Build Your “City Wall”
Most of these cities had stone walls, towers, moats, bridges, etc. All of this made the city more difficult to attack, and therefore an undesirable target.
You will build your “wall” by securing your network, devices, and facility. This means having firewalls, anti-malware software, password protection on devices, and locking your facility. Any lapse in these security items means your “city” is vulnerable to attack.
Step 4 – Secure Your Key Assets
In the old days, this meant stationing extra soldiers around granaries and weapon stores. Today it means having backups of your systems and encrypting all your data in transit, at rest, and in storage. This can save you many headaches if an attack comes your way.
Step 5 – Communication
Walls and security are great, but cities thrived on communication and trade, much like your business does. If you completely lock everything down, your “city” will starve and die.
This is where HIPAA-compliant faxing, encrypted email, texting, chat, file sharing and video conferencing come in. While HIPAA doesn’t explicitly require these items, it does leave it up to the business to assess the risks and then implement safeguards accordingly. I’ve worked with a lot of companies on this, and I’ve yet to see a compelling reason not to use encrypted communication tools.
Step 6 – Train Your Army
Your plan is only as good as your army. Walled cities had well-trained soldiers to man the walls and repel any potential invaders. While you’re not going to call on your employees to man the trebuchets, they are your first line of defense.
Have you trained your employees on how to protect their “city”? Do they know how to communicate with clients securely; how often they are required to change passwords; what the requirements are for secure passwords; what to do if a system starts acting strangely (a potential hack); or who to contact if they think there is a potential breach? These are all items that are part of your comprehensive HIPAA Compliance Plan, and a well-trained employee can help reduce the chance that such attacks succeed.
As you can see, all these provisions for your “city” make sense. HIPAA isn’t just a regulation; it’s a way to look at your current security stance and make sure your “city” is properly fortified, protects the PHI inside, and will repel hackers. These simple steps can save your “city” from an embarrassing attack, and protect your livelihood going forward.