Spend 10 minutes a day to increase your security.

Tod Ferran, CISSP QSA
By: Tod Ferran
This article was also featured in PAHCOM Journal: Finding Time for HIPAA: A 21 Day Plan

After being tasked with making sure your office adheres to all 157 HIPAA requirements, I bet you’re completely overwhelmed … if you’ve even started the compliance process at all. Don’t worry, you’re not alone. For many hardworking office managers and busy admins, HIPAA is rock bottom on the to-do list.

SEE ALSO: You May Not Be Done With Your HIPAA Requirements

It’s not just about finding time, it’s about maximizing the little time you do have.

Some have 8 hours a day to spend on HIPAA, and some have 10 minutes. It doesn’t matter who you are, the Department of Health and Human Services expects you to safeguard protected health information (PHI). However, if you’re making a dedicated effort, they will be more lenient after a violation.
Here’s a sample 21-day plan for those limited by time to help you get started.
Take 10 minutes per day to increase your security and inch toward HIPAA compliance. Eat that colossal HIPAA elephant in little teeny chunks.

This security plan isn’t comprehensive, but it’s an illustration of how simple or complex you can make HIPAA to work with your schedule.

Day 1

Get ready to work for 10 minutes! Your first job is to identify all systems/devices/workstations with access to PHI and the Internet. Document them in an Excel spreadsheet. Completing a full inventory would likely take much longer than 10 minutes, so just cover the basics. Does the physician access patient data on his smartphone? Put it on your list! What about EHR systems and network-attached medical devices? Record those as well.

Here’s a list of systems you should be thinking about: servers, workstations, laptops, computers, operating systems, applications, software, mobile phones, EHR systems, etc. I recommend asking around the office so you don’t miss any devices or systems. FYI – you’ll be using this list later on, so make sure you’ve established a comprehensive list and keep it updated!
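If the office runs Windows workstations, the per-machine facts for that spreadsheet can be collected in a minute rather than typed by hand. The script below is an added example, not part of the article or of any SecurityMetrics tooling; it records hostname, device type, OS, the logged-on user and any registered anti-virus product, and appends one row to a CSV that opens directly in Excel. The output path, the `-AccessesPHI` switch (answered by asking the person who uses the machine) and the use of `www.hhs.gov` as a reachability probe are all assumptions.

```powershell
# Added example (not from the article): gather basic facts about this Windows
# workstation for the Day 1 inventory and append them to a CSV for Excel.
# Assumes Windows with PowerShell 5.1 or later. Run it once on each machine.
param(
    [string]$InventoryPath = "$env:USERPROFILE\Documents\phi-inventory.csv",  # assumed location
    [switch]$AccessesPHI   # pass this if the user confirms the machine touches patient data
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$os = Get-CimInstance -ClassName Win32_OperatingSystem
# Security Center lists registered AV products on workstation editions of Windows;
# on servers this namespace is absent, so errors are suppressed and the column stays empty.
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue

$record = [pscustomobject]@{
    CollectedOn    = (Get-Date).ToString('s')
    Hostname       = $cs.Name
    # PCSystemType 2 means "Mobile" (laptops/tablets), which matters for Day 2 and Day 12
    DeviceType     = if ($cs.PCSystemType -eq 2) { 'Laptop/Mobile' } else { 'Desktop/Server' }
    Model          = "$($cs.Manufacturer) $($cs.Model)"
    OS             = "$($os.Caption) $($os.Version)"
    LastBoot       = $os.LastBootUpTime.ToString('s')
    LoggedOnUser   = $cs.UserName
    AntiVirus      = ($av | ForEach-Object { $_.displayName }) -join '; '
    AccessesPHI    = [bool]$AccessesPHI
    # Quiet TCP probe to a public HTTPS host; $true means the machine reaches the Internet
    InternetAccess = [bool](Test-NetConnection -ComputerName 'www.hhs.gov' -Port 443 `
                              -InformationLevel Quiet -WarningAction SilentlyContinue)
}

# -Append lets every machine add its own row to the same spreadsheet
$record | Export-Csv -Path $InventoryPath -Append -NoTypeInformation
$record
```

Phones, tablets and network-attached medical devices will not run this, so they still go on the list by hand; the CSV is the starting point, not the whole inventory.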

SEE ALSO: PHI: It's Literally Everywhere

Day 2

Now that you have a list of all systems/devices/workstations, it’s time to document who uses them. HIPAA’s user access rule requires each workstation and device to be used only by those designated. For example, a physician’s laptop should only be used by a physician and the computer at reception should only be used by the receptionist. After assigning and documenting this piece, give all office staff the 411.

Day 3

Change every password you have authorization to change (e.g., computer login, Wi-Fi, email, etc.) and make sure all passwords have 8+ characters, letters, numbers, capitalization, and special characters.

SEE ALSO: Your Usernames and Passwords Are Embarrassing.

Day 4

Conduct a mini morning meeting about passwords. Tell all office staff (including physicians!) to change their passwords using the guidelines from Day 3. Remind them not to log into workstations they’re not supposed to be on (see Day 2).

Day 5

Permanently trash that darned visitor sign-in sheet on the reception desk! It’s a security issue even though HHS has indicated they won’t fine you for it. I have yet to see a valid business reason for having one. If you must check patients in, use your EMR system or start an Excel file and type them in yourself. Let everyone in the office know about this change.

Day 6

Conduct a physical office inspection by pretending you are a patient. Can you see any monitor screens from the waiting area? Can you see password reminder sticky notes in examination rooms? Make note of everywhere you can see patient/sensitive information.

SEE ALSO: Healthcare Reception Desks: Breeding Ground for HIPAA Compromise

Day 7

Fix the problems you found on Day 6. Take down the sticky notes and reprimand their authors. Buy privacy screen filters to place on all office monitor screens. (If you’ve never seen these, they create a narrow viewing angle so the screen is only visible to the person directly in front of it. Cool!)

Day 8

Let’s go shopping today! Count all office trashcans. On your lunch break, buy the same number of crosscut shredders as you have office trashcans. Place a shredder next to every trashcan. Tape a “No PHI allowed!” sign on all trashcans.

Day 9

Research everything you can about phishing in 10 minutes, including how to recognize a phishing email. (This blog post will help!) Phishing emails are a way hackers con healthcare professionals into providing account data. Once obtained, hackers create new user credentials or install malware on your systems to steal sensitive data.

SEE ALSO: Payroll Phishing Emails Attack Hospital and Healthcare Security

Day 10

In a mini morning meeting, teach staff everything you learned about phishing on Day 9. Show them examples of phishing emails you found online to teach them what to look for. (P.S. Today marks your halfway point. Keep it up!)

Day 11

Remember that list you created on Day 1? Review it, and install anti-virus software on each of those devices/workstations/systems. Anti-virus software scans for viruses, spyware, and malware. I recommend Malwarebytes, Symantec, or McAfee for Windows computers and ESET Cyber Security for Mac. Make sure you purchase the supported versions, set the updates to daily or hourly, and set up a full system scan to run once a week.

Day 12

Finish installing anti-virus software on all office systems (Day 11). For laptop systems or workstations that are turned off when not in use, train staff how and when to run the full system scan. (Leave them on overnight when the scan is scheduled to run. The electricity used is a LOT less expensive than leaving malware on your system!) If you already finished, use today to jump one day ahead of schedule!

Day 13

What would happen if a physician left his workstation computer unattended without a screensaver? People could very easily gain access to patient data. Configure all computers in your office to automatically enable a screensaver that requires a password after a period of inactivity.
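On Windows the inactivity lock is just four values under the user's `Control Panel\Desktop` registry key, so it can be audited (and fixed) with a script instead of clicking through Settings on every machine. The script below is an added example, not from the article; it reports which of the values are wrong for the logged-on user and, with `-Fix`, sets them. The 10-minute timeout is an assumption; pick whatever idle period suits your office.

```powershell
# Added example (not from the article): audit, and optionally enforce, a
# password-protected screensaver that starts after a period of inactivity.
# Assumes Windows with PowerShell 5.1 or later; run as the user whose session is checked.
param(
    [int]$TimeoutSeconds = 600,   # assumed: 10 minutes idle before the screen locks
    [switch]$Fix                  # without this the script only reports
)

$key = 'HKCU:\Control Panel\Desktop'
# The values Windows reads for the screensaver. All four are REG_SZ strings.
$required = @{
    'ScreenSaveActive'    = '1'                                     # screensaver enabled
    'ScreenSaverIsSecure' = '1'                                     # "On resume, display logon screen"
    'ScreenSaveTimeOut'   = [string]$TimeoutSeconds                 # idle seconds before it starts
    'SCRNSAVE.EXE'        = "$env:SystemRoot\System32\scrnsave.scr" # the built-in blank screensaver
}

$current  = Get-ItemProperty -Path $key
$problems = @()
foreach ($name in $required.Keys) {
    $actual = $current.$name
    if ($name -eq 'ScreenSaveTimeOut') {
        # A shorter timeout than the limit is fine; a missing or longer one is not
        $ok = $actual -and ([int]$actual -le $TimeoutSeconds)
    } else {
        $ok = ($actual -eq $required[$name])
    }
    if (-not $ok) { $problems += "$name is '$actual', expected '$($required[$name])'" }
}

if ($problems.Count -eq 0) {
    "OK: $env:USERNAME locks after at most $TimeoutSeconds seconds idle"
} else {
    $problems | ForEach-Object { "FAIL: $_" }
    if ($Fix) {
        foreach ($name in $required.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $required[$name] -Type String
        }
        "Fixed: the new settings take effect at the next logon."
    }
}
```

Because these are per-user settings, a user can change them back; once the office has a domain, the durable version of Day 13 is the same four settings pushed by Group Policy (User Configuration, Administrative Templates, Control Panel, Personalization), which locks them so the script would never report a failure again.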

Day 14

Mini morning meeting time! Teach all your staff how to enable an automated screensaver on their workstations and ask them to do it by the end of the day.

Day 15

Most software updates contain crucial security enhancements, which is why they are so important to HIPAA security. Check the settings on all your devices (see Day 1 list) to ensure they are updated. If they aren’t, update them. Based on how many devices you have, this may take a while. You may want to update overnight.
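A quick way to see whether a Windows machine is actually current, rather than trusting the "up to date" banner, is to ask the Windows Update Agent what it knows is still missing. The script below is an added example, not from the article; it lists pending software updates with their Microsoft severity rating and shows when the last hotfix was installed, which is a useful "are updates even running?" check for the Day 15 sweep. It assumes Windows with the Windows Update Agent COM API (standard on supported Windows versions) and an elevated PowerShell session.

```powershell
# Added example (not from the article): list updates that Windows Update knows
# about but has not installed on this machine, then show the last installed hotfix.
# Assumes Windows with PowerShell 5.1 or later, run as an administrator.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Pending software updates; IsHidden=0 skips updates someone deliberately hid.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        # MsrcSeverity is set on security updates (Critical/Important/...) and empty otherwise
        Severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Downloaded = $u.IsDownloaded
        Title      = $u.Title
    }
}

"$(@($pending).Count) update(s) pending on $env:COMPUTERNAME as of $(Get-Date -Format s)"
$pending | Sort-Object Severity | Format-Table -AutoSize

# If the newest installed hotfix is months old, updates are not being applied at all
$last = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Most recent installed hotfix: $($last.HotFixID) on $($last.InstalledOn)"
```

Run it on each machine from the Day 1 list and note the pending count next to that row; anything rated Critical or Important is what the overnight update window should clear first.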

Day 16

More updates! It’s time to install updates on everything else, like Internet browsers, firewalls, and point-of-sale (POS) terminals. (You may need to contact your POS vendor to update your POS terminals.)

Day 17

Research all you can about social engineering, the method of manipulating people socially to gain usable data like account numbers or passwords. Social engineers might steal badges, pose as janitorial staff, or try unlocked back doors to gain access to your systems.

Day 18

Teach everyone in the office what you learned about social engineering in a mini morning meeting.

Day 19

Now that you’ve begun to protect PHI at your office, it’s time to plan your HIPAA goals. When do you hope to have your Risk Analysis done? When will your Risk Management Plan be completed? When will you hold employee trainings? When will you review policies and procedures documents? What is your estimated HIPAA completion date?

Day 20

Planning should take longer than 10 minutes. Finish planning out your goals from Day 19.

Day 21

You’ve done it! You made it through an entire month of working on HIPAA every single day, but you have a long way to go before that elephant is eaten. As your last to-do, schedule a call with a HIPAA compliance company. They can provide customized plans to help you reach your HIPAA compliance goals.
Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.