Whipping healthcare’s patient data security into shape.

Brand Barney, Security Analyst, SecurityMetrics
Most people trying to get in shape don’t like looking in the mirror because all they see is an impossible task ahead of them. Some don’t even bother making weight loss plans because getting in shape seems like an unattainable task.
In the same way, healthcare entities don’t like thinking about HIPAA security. They stress when thinking about all the security to do’s they have yet to accomplish. It’s true, most healthcare entities have a long way to go before their patient data is truly secure. But it is possible.

In fact, getting HIPAA compliant is kind of like training to run a marathon.

Step 1: Change Your Mindset

To successfully run that whopping 26.2 miles, you must change your mindset about getting in shape. You’ve got to start somewhere, and beating yourself up about being too fat or slow doesn’t help.

Oftentimes the focus in HIPAA compliance is not on security, but on HIPAA privacy. Healthcare employees must transition their mindset to patient data security, or HIPAA compliance will never happen.
  • Understand you aren’t compliant. You may be compliant with HIPAA Privacy rules, but literally no healthcare organization I have ever analyzed is compliant with all HIPAA security aspects. The sooner you realize your failures, the sooner you can correct them.
  • Understand the landscape is changing. The HHS is starting to follow the successful trends of other compliance mandates in other industries. Penalties for noncompliance and data breaches are ramping up.
  • Understand HIPAA is coming, whether you start now or later. It will be a lot easier to get through HIPAA compliance if you’ve already run a few 10k races than if you’re forced to run your HIPAA marathon out of shape. If you don’t start now, you’ll be behind the curve.
Nobody believes HIPAA compliance is fun, but even an ‘I don’t like it, but I’ll do it’ mentality is a start.

Step 2: Realize it will take time

You can’t wake up one morning and decide to run a marathon. It takes 12-20 weeks to adequately train, build endurance, and gradually increase the pace.

The time it takes your organization to get to HIPAA compliance depends on what shape you’re in right now. For some organizations, reaching full HIPAA compliance can take over a year and large investments of money.

This fact disheartens a lot of compliance and security people.

“Are you telling me this could take years?”
“How much money will this take?”

Being afraid of time and money is like fearing you’ll never get fit, then eating a box of donuts because you’re depressed…which makes you even more depressed. Stop the downward spiral! Be realistic. You can do it!

Step 3: Start slowly and get into a routine

Marathon trainees don’t run a 10k the first day. They start walking fast on an incline. The next week, they start running in one-minute bursts. The next week, they run faster, and so on. Good marathon runners don’t train every other weekend, but train at least 5 times per week in a regular routine.

Don’t treat your HIPAA compliance like a Jillian Michaels routine. It will kick your butt. If you can only devote 10 minutes per day to HIPAA compliance, that’s great! Do what you can.

Luckily, and unlike other compliance mandates, you aren’t required to prove your compliance to the HHS. You just need to be working towards it.

Step 4: Remember your motivation

As I’ve gotten older, I devote more time than ever to working out. What am I trying to achieve? Well, if I’m not healthy, I’ll get sick. If I’m sick, I can’t go to work. If I can’t go to work, I don’t make money. If I don’t make money, I can’t take care of my family. When I think about how much I hate working out, I try to think about how much I love my family. I’m staying healthy for them.

Hopefully your patients’ safety is all the motivation you need to start working on healthcare security. However, if it ultimately comes down to the bottom line, think of this: If you’re not protecting patient data, you get breached (or audited). If you are breached, patients won’t want to do business with you anymore. If patients don’t want to do business with you anymore, you lose money. Lots of money.

In fact, if you undergo a data breach, 40% of your patients will find a new provider.

You’re trying to avoid a data breach. You’re trying to protect your patients. You’re trying to remain financially stable. Whatever it takes: Remember why you’re doing this.

Step 5: Get an advisor

Before starting any strenuous activity, it’s always advisable to see a doctor first. A doctor can see any potential problems, then advise you how to fix them. Why do we trust doctors? Well, they went to medical school, they’ve seen patients for 10+ years, they’re willing to visit with you one-on-one for specific advice, and they’re your advocates.

You should feel that same trust with the partner you choose to help you get HIPAA compliant. Just as your doctor gives you advice on how to stay healthy, HIPAA advisors help you in the areas of your healthcare security you need to improve.

It’s like having a good friend who really cares about you and sees what you don’t or can’t.

Step 6: Make it part of your regular lifestyle

The first few weeks of an exercise program are always the best. You feel great, you lose a few pounds, and can visualize your end result. But then you stop because it hurts, or because you hit a weight loss wall, or because you let other things get in the way.

Healthcare professionals get really excited about HIPAA during seminars. Compliance officers take awesome notes and then…do nothing with them. HIPAA is a rinse, repeat kind of mandate. It needs to be part of your regular lifestyle.

Healthcare in general is very proud of knowing the Privacy Rule backwards and forwards. Privacy practices are posted throughout the office or hospital, patients are required to fill out HIPAA privacy documents, and NPPs are sent out regularly. But why isn’t healthcare as excited or knowledgeable about security?

Here’s a sad, but true story. The news reported my doctor’s office had a breach of 31,000 patients. When I asked them about it the next week, the front office staff replied, “What? We weren’t aware of that….”
HIPAA security should be part of your regular lifestyle, just like HIPAA privacy!

Step 7: Track your progress

I find before/after weight loss pictures extremely inspiring. If you aren’t keeping track of your weight along the process, it’s difficult to know exactly how far you’ve come.

This idea of tracking and documenting also improves the HIPAA compliance process. If your HIPAA compliance progress isn’t documented and workforce members leave, new employees will have to start from scratch.

It sounds like a stupid problem, but I’ve seen it countless times during my HIPAA audits. The problem is, if you are breached and get audited by the HHS/OCR, and you have no documentation to prove you’ve been working on HIPAA, you’re in for a world of hurt.
Winning the HIPAA compliance marathon

Studies always show that magic weight loss diets and pills just don’t work. But people still buy them because they are hoping for a miracle.

There’s no magic checklist for HIPAA either.

Instead of treating HIPAA as a checklist, ask, “What’s my next step?” That’s how we grow! Do you know why the FitBit Activity Tracker is so successful? Because users are only required to take tiny steps every day! Tiny steps are the key to becoming HIPAA compliant and secure.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.