HIPAA and the Status of Healthcare: What C-suites Should Know
While C-suites seem to think their organization is doing well regarding HIPAA, the evidence suggests otherwise.
When it comes to HIPAA, do you really know what’s going on in your organization’s security? How many firewalls do you have installed? Do you know what vulnerability scans you use? Do you train your staff often, or just once a year?Most C-suites feel pretty confident in HIPAA security. They can comfortably argue their organization is HIPAA compliant. But did you know that the majority of health entities are in danger of failing an HHS OCR audit?
SEE ALSO: Snapshot of HIPAA and Healthcare Data Security
In the SecurityMetrics HIPAA Security Rule Report, we found some revealing information about the status of healthcare and HIPAA. Some key findings include:
- 89% of C-Suites believe they are HIPAA compliant, while only 67% of Compliance and Risk Officers believe so.
- 80% of respondents believe their organization is fully HIPAA compliant, while most surveyed were missing key elements of compliance with the HIPAA Security Rule.
- Only 63% of healthcare organizations encrypt PHI on work devices.
- Only 76% of risk and compliance officers believe their organization would pass an HHS/OCR audit.
- A mere 60% of risk and compliance officers say the organization has created a HIPAA Risk Management Plan.
Why the gap?
Why is there such a large gap between C-suite understanding HIPAA and the reality of healthcare status? One reason is that C-suite levels often leave security up to the IT and Compliance officers. They don’t bother to learn about HIPAA because they assume that everything is being taken care of.SEE ALSO: How Healthcare Security Complacency is Killing Your Organization
Another issue is when many C-suites think of HIPAA compliance, they think of the HIPAA Privacy Rule. And while most organizations are doing fairly well in upholding the Privacy Rule, they’re struggling with the Security Rule, which is what a lot of C-suites don’t realize.
The Privacy Rule covers all the issues with keeping the patient’s data private. However, the Security Rule involves keeping patient information secure. Protected Health Information (PHI) is very valuable on the black market, and it’s much harder to replace.
Why is this lack of understanding a problem?
The majority of health organizations are vulnerable to hackers, and the C-suites, the people who can do the most change by implementing policies and procedures, don’t realize they’re not actually HIPAA compliant.These organizations often aren’t even fulfilling basic HIPAA requirements, which is why there are more data breaches happening.
SEE ALSO: Your HIPAA Privacy Requirements Might Not Be Completed
Why should C-suites care?
Besides the fact that getting breached costs a lot both in lawsuits and fines, patients trust their information with these organizations.Healthcare entities have a duty to protect their patients, which includes their patient’s data.But there are simple steps to help you become HIPAA compliant. Here are some suggestions:
- Do a risk analysis to determine where your organization is vulnerable
- Use vulnerability scanners at least annually, if not monthly
- Encrypt PHI wherever it’s stored
- Implement risk management plans
- Train staff quarterly, or monthly on security
- Install and update firewalls
C-suites should dedicate more time and money to HIPAA security. Many organizations would argue that spending money on medical equipment is more important because that saves lives. But how do you think your patients lives will be when their stolen data denies them insurance, or misdiagnosis them?
Data security and HIPAA compliance doesn’t just protect the organizations, but the patients as well.
C-levels, it’s time to learn more about what your organization needs to become HIPAA compliant because hackers are getting more aggressive.
You can’t afford to be passive anymore; it’s time to be aggressive back.