In a recent statement, President Biden encouraged private sector companies to give increased attention to their cybersecurity programs against potential attacks. This came soon after the news that Russia is reportedly exploring the possibility of directing cyberattacks towards US companies.
Aside from possible Russian intervention, healthcare has long been the industry most targeted by hackers seeking unauthorized access to electronic information. Organizations safeguarding PHI and other sensitive forms of personal information should have robust cybersecurity programs in place with the ability to mitigate vulnerabilities, close gaps, and implement updates as new kinds of cyberattacks emerge.
The HHS Office for Civil Rights (OCR) recently released its Quarter 1 Cybersecurity Newsletter, which includes detailed, actionable security measures all organizations subject to HIPAA should be implementing. Here’s an overview of OCR’s recommended cybersecurity practices.
Protect Against Phishing
Phishing is one of the most common kinds of cybersecurity attacks. While phishing is often conducted over email, we’re now seeing an uptick in phishing over text message, known as smishing. Phishing and smishing are types of attacks that rely on user error. Many of these attacks will come in the form of messages that appear to be from a trusted source, or are offering things that are too good to be true. They urge the user to click on a link, which is where the trouble begins.
This may go hand in hand with a ransomware attack, where, after clicking a link, sensitive data will be encrypted on the user’s device or system, followed by a message explaining that a sizable ransom will need to be paid in order to retrieve it. As part of your compliance program, all employees should be trained on how to recognize phishing, smishing, and other kinds of cyberattacks. They should also be trained on how to respond and who to contact if there is an issue, so company data is not compromised.
The HIPAA Security Rule requires organizations to train all employees on security awareness and protocols. This program should involve periodic training, practice and refreshers on how to respond to cyber events, and ongoing education as cybersecurity standards change or threats develop. Your employees make mistakes and need to be reminded of how they can protect your organization. Training is one of your best tools for protecting against cyberattacks.
Implement Policies and Procedures
If your organization is required to be HIPAA compliant, you must have a documented and implemented HIPAA compliance plan that outlines all the safeguards you have in place to protect sensitive information. A comprehensive compliance plan will include Privacy and Security Policies and Procedures, a Disaster Recovery Plan, a Remote Work Policy, a BYOD (Bring Your Own Device) Agreement, and Business Associate Agreements with third parties.
It is important to assign and document roles within your organization concerning who has access to what information, what safeguards are in place to protect it, and what protocols you should follow in the event of a breach. Staff should be thoroughly trained on company Policies and Procedures so they understand their role in keeping company information safe.
Conduct a Risk Assessment
One of the first essential steps in strengthening your compliance program is conducting a Risk Assessment. A Risk Assessment allows an organization to identify gaps and weaknesses in its security standards and mitigate them before they become an issue. It is an essential step in being HIPAA compliant and maintaining the security of your data.
A Risk Assessment may pinpoint technical vulnerabilities (e.g., lack of encryption, two-factor authentication, or strong passwords), administrative vulnerabilities (e.g., failure to appoint Privacy and Security Officers or document Policies and Procedures), as well as physical vulnerabilities (e.g., lack of security systems, locked file rooms, or desktop locks). Once these vulnerabilities are identified, assessed, and prioritized according to what constitutes the greatest security risk, you can begin to implement safeguards that address them.
Implement Access Controls
In handling PHI, it’s important to observe the minimum necessary rule. Ask yourself: what is the minimum amount of information you need to give or receive to complete the task at hand? This, along with other forms of access control, like setting access levels for different employees depending on their roles, is an effective way of managing who sees what information and helps ensure that sensitive data is not accessed by unauthorized parties.
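One way to enforce the minimum necessary rule in software, as an added example that is not from OCR’s newsletter or this article: a role-to-field map filters each PHI record at the data layer, so a caller receives only the fields its role needs, and every decision is written to an audit log. The role names, field names and sample patient record are assumptions constructed for illustration.

```python
# Added example: "minimum necessary" filtering of PHI by role.
# Roles, fields and the sample record are constructed, not real data.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Which PHI fields each role may see; anything not listed is withheld.
# These role/field names are assumptions, not a HIPAA-mandated scheme.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "billing":   {"patient_id", "name", "insurance_id", "balance_due"},
    "clinician": {"patient_id", "name", "dob", "diagnosis", "medications"},
    "scheduler": {"patient_id", "name", "next_appointment"},
}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "diagnosis": "hypertension",
    "medications": ["lisinopril"],
    "insurance_id": "INS-12345",
    "balance_due": 120.0,
    "next_appointment": "2024-05-01",
}

@dataclass
class AccessLog:
    """Audit trail of every access decision, kept for breach investigation."""
    entries: List[Dict] = field(default_factory=list)

def minimum_necessary_view(record: dict, role: str, user: str,
                           log: AccessLog) -> dict:
    """Return only the fields the role may see; deny roles with no entitlement.

    Filtering here, rather than hiding fields in a UI, means a caller cannot
    obtain more than the minimum necessary for its task.
    """
    allowed = ROLE_PERMISSIONS.get(role)
    if allowed is None:
        log.entries.append({"user": user, "role": role, "granted": False})
        raise PermissionError(f"role {role!r} has no PHI access")
    view = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(set(record) - allowed)
    log.entries.append({"user": user, "role": role, "granted": True,
                        "fields": sorted(view), "withheld": withheld})
    return view
```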
You should periodically reassess the strength and effectiveness of your cybersecurity practices, taking care to consider any changes in your staff or organization that might make you more vulnerable to cyberattacks. To do this, you should be conducting an annual Risk Assessment and annual review of your Policies and Procedures to make sure they reflect the current state of your business.
Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your organization.
Want to know more about how you can become HIPAA compliant?
Email us at firstname.lastname@example.org to learn more about how we can help your organization become (and stay!) HIPAA Compliant. Or, get started here.