A prioritized approach to the Security Rule.

Brand Barney, HCISPP, CISSP
To view this post in its original format, watch the How to Prioritize HIPAA Compliance webinar.

When I discuss HIPAA compliance, most healthcare professionals think about how stressful and expensive HIPAA compliance can be. As a result, many organizations have avoided or put off compliance.

If you’re thinking this way, consider this: there are now more breaches in the healthcare industry than ever.

HIPAA compliance was created to protect your patients’ Protected Health Information (PHI). By working toward HIPAA compliance, your organization will be on the way to better security and will avoid severe penalties from the Office for Civil Rights (OCR).

Let’s discuss how you can realistically become HIPAA compliant and develop your IT security.

HIPAA compliant reality check

Maximizing your time

You probably don’t have all the time in the world. But, it’s not always about finding time for HIPAA. It’s about maximizing the little time you have.

The question then becomes where you should focus your efforts. I would suggest the Security Rule. Not following HIPAA’s Security Rule is the reason most organizations lose PHI, especially ePHI.

To avoid heavy fines, you don’t need to tackle the entire HIPAA compliance process at once. The OCR goes easier on organizations that can show documentation of demonstrable progress towards full HIPAA compliance.

I would suggest a 3-step prioritized approach focusing on the HIPAA Security Rule:

Starting your Risk Analysis

Your organization is a living, breathing entity that collects, transmits, and maintains data. But like the human body, it has weaknesses. Your organization’s IT security can become weak over time if it does not receive adequate attention, especially since attackers are constantly trying to break into your systems.


As a result, you need to start your Risk Analysis process by identifying the risks, threats, and vulnerabilities to your patient data, organization, and systems. When you find these weaknesses, you need to establish a plan and work on fixing those specific areas.


Let’s say you go into your doctor today for a general health check. Your doctor would find risks, threats, and vulnerabilities to your health. For example, if you were diabetic and your diet was primarily fast food and candy, your doctor would come up with a plan to fix the problems, such as having you change your diet and exercising.

It’s the same thing with your business, patient information, and systems. As a business, you need to set specific plans and goals for fixing problems, which means answering questions like:
  • When do you want to complete your Risk Analysis?
  • When do you want to complete your Risk Management Plan?
  • What is an acceptable risk?
  • When do you plan to train employees? What will this training focus on?
Now, I will explain ways you can start mapping out your Risk Analysis.

How to identify your HIPAA risks

Your Risk Analysis is all about discovering and considering your vulnerabilities, threats, and risks.

For your vulnerabilities, you should examine flaws in your components, procedures, design, implementation, and internal controls. For example, a vulnerability might be a flaw in a building’s design that could let PHI be stolen.

For your threats, you should figure out the potential for a person, group, or thing to trigger a vulnerability. For instance, what would happen if you had a disgruntled employee? Would he be able to get back into the system and obtain PHI after he was fired?

Lastly, you need to know your risks, which deal with the probability that a particular threat will take advantage of a specific vulnerability, weighed against what that would cost you. For example, you need to determine the fines for noncompliance and the damage to your brand in the event of a data breach.
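To make the three terms concrete, here is an added example of my own (not code from the post or from SecurityMetrics) that scores each finding from a Risk Analysis as likelihood times impact and sorts the findings against an acceptable-risk threshold, the question raised in the planning list earlier in the post. The 1-to-5 scales, the threshold value, and the sample findings are constructed assumptions drawn from the situations this post describes.

```python
"""Score and rank the findings of a HIPAA Risk Analysis.

Added example; it is not code from the original post or from SecurityMetrics.
It turns the post's definition of risk (the chance that a threat exploits a
vulnerability, weighed against the damage a breach would do) into a
likelihood x impact score, then splits findings into those above an
acceptable-risk threshold, which go into the Risk Management Plan, and those
the organization may accept with a documented reason. The 1-5 scales, the
threshold, and the sample findings are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str           # where the PHI lives or flows (server, mailbox, paper bin)
    vulnerability: str   # the flaw in a component, procedure, design or control
    threat: str          # who or what could trigger that flaw
    likelihood: int      # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int          # 1 = negligible .. 5 = large breach, OCR fines (assumed scale)

    def score(self) -> int:
        """Risk score: likelihood multiplied by impact, on a 1..25 scale."""
        return self.likelihood * self.impact


# Assumption: scores at or below this value may be accepted with a written
# justification; anything higher needs a remediation task and a deadline.
ACCEPTABLE_RISK = 6


def rating_ok(finding: Finding) -> bool:
    """True when both ratings sit on the 1..5 scale, so a typo cannot hide a risk."""
    return 1 <= finding.likelihood <= 5 and 1 <= finding.impact <= 5


def prioritize(findings, threshold=ACCEPTABLE_RISK):
    """Return (must_remediate, may_accept), each ordered highest score first."""
    for finding in findings:
        if not rating_ok(finding):
            raise ValueError(f"ratings for {finding.asset!r} must be between 1 and 5")
    ranked = sorted(findings, key=lambda f: (-f.score(), f.asset))
    must_remediate = [f for f in ranked if f.score() > threshold]
    may_accept = [f for f in ranked if f.score() <= threshold]
    return must_remediate, may_accept


# Constructed sample findings, drawn from the situations the post describes.
SAMPLE_FINDINGS = [
    Finding("public database server", "database port reachable from the Internet",
            "opportunistic attacker scanning for open ports", 4, 5),
    Finding("billing staff mailbox", "billing PHI sent through a personal Gmail account",
            "interception or account compromise outside your control", 4, 4),
    Finding("EHR user accounts", "former employees' accounts not disabled on termination",
            "disgruntled ex-employee logging back in", 3, 5),
    Finding("front desk bin", "patient notes kept in an unlocked bin",
            "visitor or contractor reading or taking the notes", 3, 2),
    Finding("records room", "building layout lets visitors pass paper records unescorted",
            "walk-in theft of charts", 2, 3),
]


def report(findings=SAMPLE_FINDINGS, threshold=ACCEPTABLE_RISK) -> str:
    """Render the prioritized register as text for the Risk Management Plan."""
    must, may = prioritize(findings, threshold)
    lines = ["Remediate (score > %d):" % threshold]
    lines += ["  %2d  %-24s %s" % (f.score(), f.asset, f.vulnerability) for f in must]
    lines.append("May accept with documented reason:")
    lines += ["  %2d  %-24s %s" % (f.score(), f.asset, f.vulnerability) for f in may]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The split into "remediate" and "may accept" is what turns a list of weaknesses into dated plan items: every finding above the threshold needs an owner and a completion date in the Risk Management Plan, and every accepted one needs the written reason the OCR will ask to see.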


Document your PHI flow

You need to document and know exactly where PHI comes in, goes out, and is maintained. You should sit down with the key members of your department(s) and identify the areas of PHI flow.

In most cases, you will discover new ways and places in which staff store PHI.

Maybe PHI is transmitted from your billing area to business associates, or your staff sends billing information through Gmail because your mail server was slow.

Maybe the front staff wrote down a patient’s question and took it back to the doctor, who placed it in an unlocked bin.

Other important areas to look for PHI include:
  • Servers
  • Workstations
  • Networked medical devices
  • Laptops
  • Computers
  • Operating systems
  • Applications
  • Software
  • Mobile phones
  • EHR/EMR systems
You may already know where the data is stored, but you still need to document it.


Risk Analysis tools

It’s difficult to find every weakness in your organization on your own. To make sure your ePHI is fully protected and to avoid weaknesses in your IT system, implement additional services such as:
  • Internal and external vulnerability scans—tools that scan for weaknesses on your internal network and on your systems that face the Internet. You should be running these scans on a quarterly basis and any time you make a change to your network.
  • Penetration test—an ethical hacker who examines the weaknesses in your systems and the vulnerabilities in your services.
  • Nmap scanning—a tool that identifies open ports and services. For example, you might have a database port open and available to the public.
These tools can help you see whether your patient data is fully protected and your systems are secure.
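The Nmap example above, an exposed database port, is easy to miss in a long scan report. The following script is an added example of my own (not code from the post or a SecurityMetrics tool): it parses the grepable output that Nmap writes with its `-oG` option and lists every host on which a well-known database service was reported open. The scan output embedded in it is constructed for illustration (the addresses come from the RFC 5737 documentation ranges), and the port-to-service table is an assumed list rather than anything the post specifies.

```python
"""Flag database services exposed in an Nmap scan.

Added example; it is not code from the original post or a SecurityMetrics tool.
It parses the grepable output format Nmap writes with -oG and lists every host
whose open ports include a well-known database service, which is the exposure
the post uses as its example. The scan output below is constructed for
illustration (addresses come from the RFC 5737 documentation ranges), and the
port-to-service table is an assumed list, not something the post specifies.
"""
import re

# Constructed sample of `nmap -sV -oG` output: two hosts, one with MySQL open.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oG scan.gnmap 203.0.113.0/29
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//nginx/, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 12:01:00 2024 -- 8 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

# Assumed table of common database listeners; extend it for your environment.
DATABASE_PORTS = {
    1433: "mssql",
    1521: "oracle",
    3306: "mysql",
    5432: "postgresql",
    6379: "redis",
    27017: "mongodb",
}

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/([^/,]*)/([^/,]*)/([^/,]*)/([^/,]*)/")


def parse_grepable(text):
    """Map each host to a list of (port, state, protocol, service, version)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored State:", 1)[0]
        entries = []
        for m in PORT_ENTRY.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entries.append((int(port), state, proto, service, version))
        hosts[host] = entries
    return hosts


def find_exposed_databases(hosts, db_ports=DATABASE_PORTS):
    """Return (host, port, service) for every database port reported open.

    Filtered or closed ports are not reported: they were not reachable from
    the scanner, so they are not the exposure this check is about.
    """
    exposed = []
    for host, entries in hosts.items():
        for port, state, proto, service, _version in entries:
            if state == "open" and proto == "tcp" and port in db_ports:
                exposed.append((host, port, service or db_ports[port]))
    return exposed


if __name__ == "__main__":
    findings = find_exposed_databases(parse_grepable(SAMPLE_GREPABLE))
    for host, port, service in findings:
        print(f"{host}: {service} on tcp/{port} is open to the scanner")
```

Run it against the file produced by `nmap -sV -oG scan.gnmap <your address range>` from outside your network to see what the public sees; a scan from inside the network answers a different question (what a compromised workstation could reach) and belongs in the internal scan you do alongside it.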

Stay tuned for part 2, where we’ll discuss how to craft a risk management plan!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

2 comments:

  1. Who (what type of organizations) are required to comply with these HIPAA Compliance requirements?

    1. That’s a great question!

      Covered Entities (CE) and Business Associates (BA). Nowadays, a Covered Entity can come in all different shapes and sizes. They can be a healthcare provider, health plan, or even a healthcare clearinghouse. They create, receive, transmit and maintain Protected Health Information (PHI) on behalf of patients.

      A Business Associate...now that’s where it gets a little trickier for many to determine if HIPAA applies to them. A BA can be a subcontractor to a CE that creates, receives, maintains or transmits PHI on behalf of a BA. It also includes vendors that offer personal health records to one or more individuals on behalf of a CE. Or, simply any person or entity that provides data transmission services to a CE and requires routine access to PHI.

      As you can see by my long-winded answer, if you create, touch, transmit, or impact the security of PHI, HIPAA likely applies to your organization. Hope that helps clarify it a little. My advice is to always seek out a HIPAA advisor; they will help you understand what applies and what does not, and then they will help you protect it. :)

      Best of luck!

      -Brand Barney, Security Analyst at SecurityMetrics
