In its August 2021 Healthcare Data Breach Report, HIPAA Journal notes a 44 percent increase in healthcare data breaches in the month before the report was published. And a quick scan of reported healthcare breaches currently under investigation by the U.S. Department of Health and Human Services lists a breathtaking 837 cases as of this writing. The list also clarifies that there aren't any "safe" healthcare segments, running the gamut from CVS Pharmacy to a two-person optometrists' office in rural Pennsylvania. But it gets even worse. The Ponemon Institute’s Cost of a Data Breach Report 2021 says healthcare has experienced the highest industry cost of a breach for 11 consecutive years. The average cost? A whopping $9.23 million in 2021, a 29.5 percent increase year over year. Suppose you don't want your institution to be another data breach statistic. Then you need to understand what should be covered in a cybersecurity checkup so you can put solutions in place that protect your digital infrastructure.
Understand HIPAA Compliance Requirements
There’s a lot at stake when it comes to protecting your patients’ data. The HIPAA Journal offers a compliance checklist that will help you understand where your responsibilities lie, broken down into three areas:
Technical Safeguards
The introduction to the technical safeguards section of the HIPAA Journal notes that electronic protected health information (ePHI) must be encrypted to National Institute of Standards and Technology (NIST) standards once it travels beyond your organization’s internal firewalled servers. Here are the other technical safeguards that you need to include:
- Implement a means of access control
- Introduce a mechanism to authenticate ePHI
- Deploy tools for encryption and decryption
- Introduce activity logs and audit controls
- Facilitate automatic log-off of PCs and devices
Physical Safeguards
Protecting ePHI also focuses on physical access to patient data, whether stored in a remote data center, a cloud, or on-premises. The rules even cover how workstations and mobile devices should be secure against unauthorized access. These physical safeguards include:
- Facility access controls
- Policies for the use and positioning of workstations
- Policies and procedures for mobile devices
- Inventory of hardware
Administrative Safeguards
These safeguards cover the policies and procedures that include both patient privacy and data security. It's important to note that these safeguards require a security officer and a privacy officer be assigned to put in place the measures to protect ePHI and govern workforce conduct. The introduction for this section notes that a HIPAA-compliant risk assessment is a regular task that is required to ensure continued compliance. Other administrative safeguards include:
- Conduct risk assessments
- Introduce a risk management policy
- Train employees in security
- Develop and test a contingency plan
- Restrict third-party access
- Report security incidents
Assess Your Security Posture, Then Make a Plan
Ensuring compliance starts with assessing your current security policies, procedures, and technologies. Watching these security risk assessment videos from HealthIT.gov is also a good starting point for gaining a basic understanding of what’s required. It can also be worthwhile to look to an outside vendor or solution provider for this service, as they should bring an objective view and deep expertise in cybersecurity, especially for healthcare organizations. You then need to implement your plan, addressing every HIPAA compliance requirement.
Data Protection Solutions That Support Compliance
While you’ve got plenty to handle to ensure full HIPAA compliance, Arcserve has simplified one aspect for you: data protection. Arcserve helps you meet strict regulatory mandates with offerings that include Arcserve Unified Data Protection (UDP) secured by Sophos. Arcserve UDP gives you comprehensive data protection and cybersecurity for your critical backup infrastructure, along with orchestrated recovery to reduce recovery time objectives (RTOs) and recovery point objectives (RPOs) to minutes and validates service level agreements (SLAs) with Assured Recovery™. Watch an on-demand demo to learn more about Arcserve UDP.
