
How To Set Up A Working Security Framework For Your Hospital


Let’s face it. Security compliance law is a big hot mess. There is no comprehensive law telling you exactly what you should do. And even when you have IT support teams that understand the basics of HIPAA, it still isn’t clear exactly which cybersecurity strategies to implement to keep you covered (and to keep your patients and staff safe from cybercrime and data breaches).

Even more, state and federal regulations often differ from one another and are very specific about what they require (while remaining vague about how to implement it). They are little help to an IT Director trying to figure out which security measures will actually lead to full compliance (no fines and no violations) AND a cyber-secure network.

The problem with HIPAA today?

The document was originally crafted in 1996 (that’s over 20 years old at this point), which means it does not accurately reflect how healthcare IT has grown and how cybercrime has evolved year after year since then.

It’s basically 72,602 words chock full of legal speak, making it hard for those of us interested in tech to really wrap our heads around (especially since you have at least half a dozen solutions claiming HIPAA compliance, but very few actually guaranteeing anything). On top of HIPAA, you probably also have to consider PCI (if you process credit card charges), and the oversight of other regulatory agencies makes IT even harder today than it was in 1996.

Why not cut through some of the red tape?

If we were to say, “Okay, we get the basics of HIPAA compliance” and move your IT strategy towards greater cybersecurity, your hospital will assuredly have greater resilience in the current cyber climate and will be able to stay compliant with rules from 20 years ago in the process.

How to stay compliant and secure?

The easiest way to ensure cybersecurity that is also compliant is to adopt a security framework.

Essentially every security framework follows the gold standard of data security that we in the cybersecurity field refer to as C.I.A. No, I’m not talking about the government agency. Rather, CIA is the triad for data security. It stands for Confidentiality, Integrity, and Availability.

Confidentiality—you need to preserve restricted access on data to ensure that privacy is maintained. Essentially, you are keeping data out of the wrong hands here.

Integrity—is making sure data isn’t modified or destroyed in any way. You are making sure that it remains accurate and authentic.

Availability—you ensure that authorized users can access confidential data in a timely manner, so that there is no undue delay in getting to the information when it is needed.

CIA should be the key motivation for your cybersecurity plan. Your goal: to protect your sensitive data.

To ensure CIA, you probably will need to think about the different ways to control your information environments. Essentially, as outlined in HIPAA, you will need to approach security through technical, physical and administrative protections.

For a quick review on what these controls are:

Technical—making sure you have technology that can keep your data secure (technology which abides to the policies and procedures that are in place to protect your data).

Physical—making sure you are physically protecting information systems and paper-based data from unwarranted access.

Administrative—you are maintaining your systems and making sure that your team only has the access it needs to do its job (this mainly protects the confidentiality of your information).

Most folks believe that security controls are only in place for HIPAA, but these controls are generally accepted across cybersecurity strategies as effective means to keep data secure.

So, how can you implement these controls to effectively protect your hospital?

Consider a cybersecurity strategy. I like to implement NIST-based security. Follow these steps:

Identify—identify the physical and software assets that you want to protect. Identify the specific policies you need to follow (ex: HIPAA network security). Identify your current vulnerabilities and threats (both internal and external) to your environment. Identify and create a risk management strategy, along with your tolerances to deal with your vulnerabilities. Identify a strategy, including priorities, to address any of your security concerns.

Protect—create protections to control both physical and remote access on your network. Create data security consistent with protecting the C.I.A. of your data (see above for an explanation of CIA).

Detect—ensure that anomalies and events are detected. Implement continuous security monitoring to detect cyber threats. Document your processes and create an environment of constant awareness of security issues.

Respond—make sure you have a response plan that ensures continuity of your hospital operations in the event something were to happen. Manage communication during the event, and conduct analyses ahead of time to ensure an effective response will actually be carried out (test your plan!). As you test, improve your response plan wherever you find gaps.

Recover—make sure your hospital implements your recovery plan—following documented processes and procedures to restore your assets.

Where do you go from here?

Following this process should get you most of the way to compliance (and comprehensive security). The problem is many folks that say they keep your data secure FAIL to implement solutions that follow fundamental frameworks like NIST’s.

If you’re concerned your network is vulnerable to ransomware and data breaches—this happens even when you pass your HIPAA risk assessment!—contact us for a free second opinion.