Friday, March 4, 2016

If you aren't paying attention to HIPAA, you should be

We live in a world where data is ever-present. Many of us working in IT store data about our users. There are different types of data, each with its own rules and best practices for how to protect that data—whether it's simple login data or more personal information.

One area that gets a lot of security attention is HIPAA data. It is usually referred to as "electronic protected health information" (ePHI), and the data that HIPAA covers is the most personal information about ourselves: data about our health. So it is right that this information should be protected very carefully. If HIPAA data isn't on your IT radar, you need to talk to your IT security officer.

HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, and is United States legislation that provides data privacy and security provisions for safeguarding medical information. The Compliance and Ethics Blog has a great article about HIPAA compliance: What you need to know for 2016. A few highlights are below:

This affects everyone.
Everyone needs to take data privacy seriously. Everyone. And if you don't think that you're affected by HIPAA rules, check again. In my experience from higher ed, institutions sometimes collect health data without realizing it. Are you tracking sports injuries per player? That's health data.

So it's a good idea to treat all data as though it were under HIPAA rules. Set the bar high for everything, so everything is protected well. That means full-disk encryption on every device that can hold the data: desktops, servers, backup media and removable drives, not just laptops (although laptops are still the most common loss). Examples from the article include: A 13-physician practice entered a $750,000 settlement after a laptop and unencrypted backup media containing ePHI were stolen from an employee's car. A nonprofit teaching hospital entered a $850,000 settlement after an unencrypted laptop containing ePHI for 599 patients was stolen from an unlocked treatment room.

Risk assessments save money.
When was your last risk assessment? When I worked in higher ed, my group was part of an internal risk assessment (audit) about once a year. That didn't mean my group was the subject of the assessment, but when the auditors examine, say, the Financials system, eventually they'll want to talk to the group that manages the Financials infrastructure. And that was my group. I quickly learned to value the risk assessment; the audit results were feedback that I could use to improve my team's operations.

Risk assessments also save you money over the long run. More specifically, the HIPAA Security Rule requires a risk analysis, so failing to conduct one is itself a finding that can be penalized. From the article: "an insurance holding company entered a $3.5 million settlement after it experienced multiple breaches. The OCR found that the company failed to conduct a security risk assessment and failed to implement security safeguards. The good news is that the government provides a free security risk assessment tool, making it easy for providers to complete the assessment themselves."

It comes down to your staff.
What do your staff know about protecting private data, including HIPAA data? Make sure that everyone who touches private data understands how to handle it safely. And don't worry only about the IT staff: think about everyone who uses or manages HIPAA data.

Good computing practices will get you most of the way. Teach your users not to trust attachments in emails, even from people they work with. Spear phishing attacks have become quite sophisticated, so if you didn't expect someone to send you a financial report that requires macros to view it, you shouldn't open it. Even "drive-by" attacks can get you, such as malicious ads on otherwise legitimate websites that compromise a machine without a click, so keep browsers and plugins patched and keep antivirus and other endpoint protections current. A few examples from the article include: A hospital entered a $218,400 settlement after employees used an internet document sharing program to store documents containing ePHI. A university teaching hospital settled for $750,000 after an employee downloaded an email attachment with malicious software, which compromised the ePHI of 90,000 patients.
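The "financial report that requires macros" case above is something a mail gateway or help desk can check for mechanically. The following is an added example, not code from the original post or from the article it cites: it inspects an Office attachment for VBA macro parts, flags a legacy binary Office file it cannot see inside, and calls out a macro part hiding behind an extension Office would never use for macros. The sample attachments it builds (a minimal OOXML-shaped zip, an OLE2 signature followed by zeros) are constructed here for illustration and are not real documents.

```python
import io
import zipfile

# Modern Office files (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm) are zip
# archives; VBA macro code lives in a part named vbaProject.bin under
# the word/, xl/ or ppt/ prefix. Legacy binary Office files
# (.doc/.xls/.ppt) are OLE2 compound files and start with this signature.
MACRO_PART_SUFFIX = "vbaproject.bin"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Office never saves a macro-enabled document under these extensions;
# a macro part behind one of them is lying about the file type.
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def find_macro_parts(data: bytes) -> list:
    """Return the names of VBA macro parts inside an OOXML attachment.

    Anything that is not a zip archive yields an empty list.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return sorted(
                name for name in archive.namelist()
                if name.lower().endswith(MACRO_PART_SUFFIX)
            )
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> tuple:
    """Classify an attachment for a gateway or help-desk check.

    Returns (verdict, macro_parts), where verdict is one of:
      'legacy-binary'    OLE2 format; macros cannot be seen without a
                         dedicated parser, so treat as suspect
      'not-office'       not an Office container at all
      'macro-disguised'  macros found behind a macro-free extension
      'macro'            macro-enabled Office document
      'clean'            OOXML container with no VBA part
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary", []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office", []
    parts = find_macro_parts(data)
    if not parts:
        return "clean", []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_FREE_EXTENSIONS:
        return "macro-disguised", parts
    return "macro", parts


def build_sample(with_macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML-shaped zip, not a real
    Word document (real files carry many more parts)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed attachments: names and contents are illustrative only.
    samples = [
        ("Q1_financials.docm", build_sample(True)),
        ("Q1_financials.docx", build_sample(True)),   # macros behind a .docx name
        ("meeting_notes.docx", build_sample(False)),
        ("budget_2016.xls", OLE2_MAGIC + b"\x00" * 504),
        ("readme.txt", b"plain text, nothing to inspect"),
    ]
    for name, blob in samples:
        verdict, parts = triage_attachment(name, blob)
        print(f"{name:22} {verdict:16} {parts}")
```

The point is not that the presence of vbaProject.bin proves malice; plenty of legitimate spreadsheets carry macros. It is that "macro-enabled" and "legacy binary" are the two verdicts that should route the message to a second look (or a sandbox) before a user is allowed to click "Enable Content", and that the check costs nothing to run on every inbound attachment.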
image: Cory Doctorow/Flickr cc by-sa
