Nobody likes to be audited. It’s invasive and unpleasant, but being prepared for it can make the process much easier.
How would you like to walk into an audit? Most will go in wondering - or worrying - if the security measures in place reflect their company’s due diligence to protect their ePHI (electronic protected health information). Others will have the forethought to be proactive in their situation and know they have done what is necessary to protect the information for which they are responsible.
How do you prepare for a HIPAA audit?
What can healthcare companies do to protect themselves from hefty fines and avoid breaches while staying HIPAA compliant?
If you work in healthcare IT, you probably have three things on your priority list:
- The threat of ransomware and other malicious programs looming.
- HIPAA Compliance and potential fines and lawsuits on the line.
- Revenue Cycle Optimization - Limited stream of income to make things work.
Eric C. Thompson, an accomplished governance, risk, and compliance professional and author of “Building A HIPAA Compliance Cyber Security Program”, can tell us a few things about the practical implementation of security controls with regard to HIPAA compliance. Eric also teaches us about the mindset we should adopt in order to move from an ambiguous HIPAA to more tangible business protocols.
You can learn more about Eric's work and his book at his website.
According to Eric, companies will fall behind for primarily two reasons:
Reason #1 - Not Secure Enough
Healthcare falls behind other industries when trying to stay compliant. Why is this? Companies fall behind this mandate and end up subject to extensive scrutiny for many reasons. Maybe they’re doing the bare minimum, have limited funding, or are not doing their best to install security measures.
It’s an odd notion to ponder at first, a company’s level of compliance. It would seem that either a company is compliant or it’s not, but that line becomes blurred when we consider what HIPAA does and does not tell us.
Moreover, reading through all the HIPAA regulations will give you nothing prescriptive that leads you to being secure. It won’t address your firewalls, FTP servers, or out-of-date software.
Healthcare companies have nevertheless been held liable for these breaches. At the end of the day, the regulation will find a way to show that you’re guilty of not doing what you know you should be doing.
Reason #2 - Lack of Security Resources
Money isn’t always an object when it comes to tools and capabilities. However, it’s difficult to convince the people holding the purse strings to spend the necessary money on qualified people with the knowledge to work on security. Additionally, security professionals are increasingly difficult to find.
Changing this is a daunting task and may require you to make some major adjustments, but Eric has a few ways to combat these shortcomings. He tells us that the following are in dire need of attention:
Security Risk Assessment
The most practical first steps in your risk analysis and assessment are to identify your risk levels. You should change your mindset based on the potential risks rather than having a myopic focus on compliance alone. These risks can quickly destroy efforts towards compliance.
Steps to assess your risk level:
1. Identify your PHI.
Where is the information you’re trying to protect in use, in motion, or at rest?
There are a lot of applications that hospitals and insurance companies use to look at patient data. You need to identify all the locations where that PHI resides.
2. Identify the threats.
Unfortunately, threats are numerous (and growing) and can even be unintentional. Certain groups, such as nation states, cybercriminal organizations, or anyone who wants to abuse a policy, will hope to pry out access to patient information.
Additionally, there are internal people doing unsafe things with your data, not respecting policies in place. Even the well-intentioned mistakes by non-malicious insiders are potential breaches.
3. Identify environmental weaknesses.
Do you know who has access to this information? Weak passwords, excessive privileged access, and overextended administrative abilities happen frequently when not monitored. Knowing where your data is is key, but knowing who is permitted (and able) to access it comes right next to it.
4. Identify likelihood and impact.
This is how you get to your risk levels or risk severity levels. In his book, Eric has matrices (1-5 scale on an x and y axis) to help represent your company’s risk.
5. Establish a framework.
Adopt a security framework. There are companies that specialize in publishing frameworks to aid in security processes. Thoroughly identifying the risk to your company will not only help you adjust an IT view to make preparations and changes to accommodate potential security risks, but also provides a stepping stone in conveying how such risks might adversely affect the company’s success.
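As an added illustration of steps 1 through 4 (not code from Eric Thompson's book or the podcast), the following Python risk register records each PHI location with its state, threat and weakness, scores it on the 1-5 likelihood and impact scales, and ranks the resulting 5x5 matrix cells. The severity bands and the sample systems are assumptions constructed for the example; the book's own cut-offs are not given on this page.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    phi_location: str   # step 1: where the PHI resides
    data_state: str     # step 1: "at rest", "in use" or "in motion"
    threat: str         # step 2: who or what could expose it
    weakness: str       # step 3: the environmental weakness they would use
    likelihood: int     # step 4: 1 (rare) .. 5 (almost certain)
    impact: int         # step 4: 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be on the 1-5 scale, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # the cell of the 5x5 matrix, 1..25

def severity(score: int) -> str:
    # Assumed banding of the matrix cells; the book's exact cut-offs are not on this page.
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

def rank_register(register):
    """Return (severity, score, risk) tuples, worst risk first; ties broken by impact."""
    ranked = sorted(register, key=lambda r: (-r.score, -r.impact))
    return [(severity(r.score), r.score, r) for r in ranked]

# Constructed sample register: hypothetical systems and scores, not real findings.
SAMPLE_REGISTER = [
    Risk("EHR database", "at rest", "ransomware", "unpatched OS on DB host", 4, 5),
    Risk("billing file share", "at rest", "insider misuse", "excess admin rights", 3, 4),
    Risk("claims SFTP feed", "in motion", "credential theft", "weak passwords, no MFA", 3, 3),
    Risk("nurse workstations", "in use", "well-intentioned mistake", "no screen-lock policy", 2, 2),
]

if __name__ == "__main__":
    for sev, score, r in rank_register(SAMPLE_REGISTER):
        print(f"{sev:6} {score:2}  {r.phi_location} ({r.data_state}): {r.threat} via {r.weakness}")
```

The ranked output is the prioritized list you carry into step 5 and into the budget conversation later in this post.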
People everywhere, in every field, who have found any comfort at all in their position are averse to change that will affect their day-to-day responsibilities or threaten an already established solidarity, in whatever form it’s in. Simply put, a paradigm shift is necessary to become adequately compliant now and in the future. This shift will be met with rigidity, but it is in the best interest of the company and the people it serves to overcome this. A stubborn or flexible mindset greatly affects the decision-making process.
What if you had the ability to navigate this conversation effectively? It would be easy to fall into a defensive mindset and adopt a similar stance, become equally rigid. However, to have success across all departments within an organization requires some mental flexibility, particularly when it comes to the manner in which we communicate with people outside of our skillset and responsibilities.
Doing nothing is no longer an option. Be on the forefront of that change. What language do the members of your business speak? Translate for them.
Tight budgets are the reality of any business with a bottom line (a.k.a. every business). However, if you look at the average cost of a breach (which could range in the ballpark of $4-10 million), an investigation (3-4 years to close), or the number of man hours lost, it becomes evident that the money you’d stand to lose makes a compelling comparison against the initial cost.
Help them understand what’s at risk and what you need by being willing to do the extra work. This investment may save you a lot of hardship in the future as well!
The road to compliance is not simple, but it can be less complicated if we are capable of communicating the risks that come from a lack of compliance and the rewards of an initial and proactive investment in quality resources. As breaches and their consequences become increasingly evident, the stakes will rise. We hope you’ll be the ones who saw it coming and did something about it.
This post is based on a podcast interview with Eric C. Thompson, Author of “Building A HIPAA Compliance Cyber Security Program”. To hear this episode, and many more like it, you can subscribe to Defrag This.