Preparing Your Practice for a HIPAA Security Assessment

We’ve all seen reports about data breaches, ransomware attacks and other cybercrimes. While no industry is immune to these threats, healthcare practices are particularly vulnerable given the sensitivity of their data. This is why the Health Information Portability and Accountability Act (HIPAA) has established stringent requirements to secure the technology environments of doctor’s offices, hospitals other medical facilities and could impact businesses that handle PHI such as regional Health Information Organizations and clearing houses. And among those requirements is the HIPAA security assessment.

But don’t wait until your assessment to make sure your network measures up. Review your technology environment now, and make improvements before an attack occurs.

What makes a medical practice’s data so tempting for hackers?

When most people think of data breaches, they imagine stolen financial information like credit card and bank account numbers. Hackers can either use this information themselves to make purchases or sell it to other parties.

But a healthcare practice also abounds in personally identifying information (PII) and personal health information (PHI). This includes birth dates, social security numbers, demographic information and details about health conditions. Cybercriminals can use this data to commit identity theft, get loans, fraudulently obtain medical benefits and more.

The versatile earning potential of PII and PHI makes it much more valuable to bad actors. As such, practices are particularly vulnerable to devastating consequences in the event of an attack. HIPAA security assessments are designed to help close the holes exploited by cybercriminals.

How can they get to that data?

Sometimes hackers target your practice itself using their usual methods (various forms of phishing, for example). However, your practice and patient data is also shared with outside vendors, contractors, insurance companies and other third parties. Although they’re handling the data, you’re still legally accountable for its safety. If that third party has ineffective policies and procedures, it jeopardizes the security of this sensitive information.

This puts you and your practice at risk for noncompliance. HIPAA law imposes a number of cybersecurity requirements on any entity subject to its regulations. Violations can result in fines from HHS’s Office of Civil Rights (OCS) — not to mention the impact on your reputation and possible legal action.

What can I do?

Healthcare practices must undergo HIPAA security assessments on their network and systems. While no minimum number of assessments is specified, it’s recommended this be done at least once every two years.

Being prepared for your assessment is an important step in securing your technology environment and your data. This prep starts with utilizing a few sound business technology practices.

Establish HIPAA business associate agreements with vendors

A HIPAA business associate agreement (BAA) is a legal contract that creates a relationship between you and the other party. It establishes how PII can and cannot be used, the liabilities of each party and the consequences of failing to adhere to the contract. A BAA is required if a third party will come into contact with PII or personal health information at your practice.

Conduct a third-party screening before onboarding any vendors that handle your data.

Ensure the contractor is compliant with ISO 27001, PCI DSS, HIPAA and HiTrust frameworks. Interview their leadership, and be aware of several aspects of their operational security. For example make sure they have the following in place:

• A cybersecurity risk management plan – A strategic approach to prevent cyberattacks and data breaches. This will include both prevention measures and their actions in the face of (and after) an attack.
• A computer security incident response team (CSIRT) – A group of employees trained in and responsible for coordinating and executing the response to a cybersecurity event.
• A security-focused service level agreement (SLA) – Outlines the services the vendor or contractor will provide and the standards to which it is held. Make sure the SLA emphasizes security when it comes to your data.

Build your system to meet rigorous industry standards.

As we always say, the best weapon to fight hackers is to prevent attacks in the first place. This includes not only becoming HIPAA compliant, but also adopting National Institute of Standards and Technology (NIST) guidelines such as the NIST Cybersecurity Framework outlined in 800-171. This widely followed standard was created for vendors handling federal data. However, its stringent nature also helps practices better comply with the law and pass a HIPAA security assessment.

NIST has also developed compliance steps to data security, guidelines on secure passwords and more.  Additionally, you can reference this guide from healthIT.gov on reassessing IT security practices in your medical practice. Other certifications include HITRUST and PCI DSS (Payment Card Industry Data Security Standard) from the PCI Security Standards Council.

A big key, however, is enlisting the help of an experienced technology consultant when building and maintaining your tech environment. They’ll have a thorough knowledge and understanding of these complex guidelines, allowing them to be properly implemented from the start. And when they work alongside your healthcare CPA, they can target systems unique to healthcare practices for truly thorough coverage.

Conduct an enterprise-wide risk analysis on your practice.

A HIPAA security assessment is a rigorous rundown of your technology protocols. So performing an analysis beforehand is a wise move that gives your practice a chance to fix issues first. Once again, your technology consultant plays a crucial role here. An expert’s eye can more easily spot possible violations and ensure you’re meeting requirements and best practices.

Your patients trust you with some of their most sensitive information. Honor that trust in a meaningful way by staying compliant and preparing your practice for its HIPAA security assessment.

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.