The Price of Getting Hacked
HIPAA protects any combination of something that can identify a patient along with anything related to their diagnosis or treatment. It does so in any form: written, verbal, or electronic. The Security Rule provides a framework for protecting electronic Protected Health Information (ePHI).
HIPAA compliance was designed to be flexible enough to apply to healthcare organizations of all kinds and sizes. Some HIPAA Security Rule requirements are Required, and others are Addressable. Addressable specifications are sometimes mistaken for optional ones, which is not true.
The US Department of Health & Human Services says:
“a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”
Our advice is that if you want to achieve HIPAA Compliance, you must assume that everything in the Security Rule is required. And you should set a very high bar if you decide not to implement an Addressable item.
If you believe that an Addressable specification is not reasonable or appropriate, you must document your decision and hope that it stands up to a HIPAA audit or data breach investigation.
If you don’t understand the terms stated in the Security Rule, you should contact an IT services company with experience in HIPAA Compliance. They can help you evaluate your network and ensure that it complies with HIPAA. When it comes to surviving a HIPAA audit or data breach investigation, you need an IT professional.
Like the specialists that doctors refer patients to, and the tests they order to see what’s happening under a patient’s skin, your technology must be evaluated by someone with the proper skills and experience, who must look deep into your network to identify its strengths and weaknesses.
Make sure that they understand the HIPAA compliance requirements you face, and can demonstrate that skill with relevant professional references.
When you turn on a computer, the first thing you encounter is the operating system, usually Windows or Macintosh. What you may not know is that there are different versions, some with little or no security built in to save costs and keep prices low.
Consumer versions of Windows and Macintosh won’t protect files stored on the device and don’t allow you to securely connect to a network. You need to have a business-class version of the operating system and make sure it’s properly set up to protect stored data and to securely join a network.
This means you should not be buying computers from retail stores that offer low-cost consumer products. Make sure you achieve HIPAA compliance by purchasing professional models with business-class security. Your IT service company can help you select what you require.
Webmail services like Gmail, Hotmail, Yahoo!, and those provided by your Internet Service Provider (ISP) are not secure enough to send Protected Health Information (PHI). These services don’t provide end-to-end email security, and the vendors will not sign Business Associate Agreements.
In past legal filings Google, the owner of Gmail, said that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” That should be a Big Red Flag to any HIPAA regulated organization considering their services.
For HIPAA compliance you must use a secure email solution provided by a secure server that you own; a secure cloud-based email or encryption service from a vendor that will sign a Business Associate Agreement; or the secure communications tools included in your certified Electronic Health Record (EHR) system.
Faxes are okay between practices and pharmacies unless your system converts the fax into an email, which cannot be sent to a webmail account. Texting using your cellphone carrier’s systems is not secure or HIPAA-Compliant. Never text patient information and make sure that your answering service isn’t texting PHI.
There are two ways to set up a Windows network: a Workgroup or a Domain. A peer-to-peer Workgroup is a loosely connected group of workstations. A Domain is centrally managed and includes security features.
In a Workgroup you cannot comply with many HIPAA requirements, such as Information System Activity Review, Unique User Identification, Audit Controls, and Person or Entity Authentication; for those you need a Domain.
You may need to purchase a server, convert your existing server into a Domain Controller, or create a secure network in the Cloud.
A Workgroup is a deal-breaker if you have any protected data anywhere other than your certified EHR system, unless you have another way to log access and retain logs for six years. Keep in mind all the old files that you still must retain.
While encryption is Addressable for HIPAA compliance, if you don’t have it, and a device containing health information is lost or stolen, you must notify the patients and report the loss to the federal government for an investigation.
If a lost or stolen device is encrypted, you don’t have to notify patients or the government. You can purchase encryption for almost every type of computer. You can even buy laptops that automatically self-encrypt when you turn them off or close the lid.
Encryption costs a lot less than patient notification and fines.
Yes, I know they are inconvenient and annoying. However, HIPAA compliance requires audit trails to identify which users accessed patient records. For this reason, individual users must log on and off by themselves, and not allow sharing of passwords or piggy-backing multiple users during a single session.
Automatic logoff is Addressable, but the alternative choices are expensive and very inconvenient. While you don’t have to use Automatic Logoff, the alternative is to NEVER (ever) allow a patient in the room with an unlocked computer. You would either need to have the doctor wait in an examining room for each patient to arrive and stay until they leave, or hire additional staff to NEVER (ever) leave a patient in a room with an unlocked computer.
There are ways to make logging back on more convenient, like fingerprint readers and proximity cards. Accept the fact that you need to have each user log in and out, and that automatic logoff must be used. Like airport security, and searches on the way into ball games and concerts, security is a new way of life.
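The four Windows-side controls discussed above (Domain membership, audit logging, encryption of stored data, and automatic logoff) can be checked on a single workstation with the read-only script below. This is an added example, not ACT Network Solutions' tooling; it assumes an elevated PowerShell session on Windows 10/11 or Windows Server with the BitLocker and NetSecurity modules available, and the 15-minute lock threshold is an illustrative assumption, not a HIPAA-mandated value.

```powershell
# Added example: read-only check of four host settings that map to the
# controls discussed in the article. Assumes an elevated PowerShell session
# on a modern Windows client or server. Thresholds are illustrative.

function Get-HipaaHostChecks {
    $results = [ordered]@{}

    # 1. Domain membership: Unique User Identification and centrally
    #    managed audit policy are practical only in a Domain, not a Workgroup.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['DomainJoined'] = [bool]$cs.PartOfDomain

    # 2. Audit Controls / Information System Activity Review: logon success
    #    and failure must be recorded so access to records can be reviewed.
    $audit = auditpol /get /subcategory:"Logon" 2>$null
    $results['LogonAuditEnabled'] = [bool]($audit -match 'Success and Failure')

    # 3. Encryption of stored ePHI: BitLocker protection on the system drive.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $results['SystemDriveEncrypted'] = ($null -ne $bl -and $bl.ProtectionStatus -eq 'On')

    # 4. Automatic logoff: the "Interactive logon: Machine inactivity limit"
    #    policy is stored as InactivityTimeoutSecs; 0 or absent means no lock.
    $polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $timeout = (Get-ItemProperty -Path $polKey -Name InactivityTimeoutSecs `
                -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $results['InactivityLockSecs'] = $timeout
    # Assumed threshold for this example only: lock within 15 minutes (900 s).
    $results['AutoLockConfigured'] = ($timeout -is [int] -and $timeout -gt 0 -and $timeout -le 900)

    [pscustomobject]$results
}

$checks = Get-HipaaHostChecks
$checks | Format-List

# List only the boolean checks that came back $false.
$failed = $checks.PSObject.Properties | Where-Object { $_.Value -is [bool] -and -not $_.Value }
if ($failed) {
    Write-Warning ("Controls needing attention: " + ($failed.Name -join ', '))
}
```

Run it on each workstation as part of a periodic review; a `$false` in any row is a gap to document and remediate, not a compliance determination by itself.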
Your network is connected to the Internet by a router or a firewall. A router directs traffic between two networks: your internal network and the Internet.
A firewall includes security features to block unauthorized traffic to achieve HIPAA compliance. A firewall can also filter internet traffic to prevent viruses and other malware from reaching your computers (another HIPAA compliance requirement).
You need a business-grade firewall, including the additional subscription-based features, to properly protect your network. In 2013, Idaho State University had to pay a $400,000 fine when a firewall stopped blocking unauthorized traffic, and 17,500 patient records were breached.
You can probably figure out that an enterprise-grade firewall costs a lot less than the fine and the cost to notify the patients.
HIPAA compliance requires either a full-time certified staff or a Managed Services arrangement with a professional IT service provider or security consultant. Managed Security Services offer remote continual monitoring and maintenance for your network at a fraction of the cost of paying full-time IT staff.
Networks that meet HIPAA compliance must be configured with security at multiple levels (firewall, PCs, laptops, tablets, smartphones, and servers). Then they must be monitored and managed to ensure that security is still working.
Managed IT Services use Remote Monitoring & Management tools to continually monitor your network, identify problems before they can result in damage, and keep everything updated with security patches.
When the $400,000 was assessed for the firewall that stopped blocking unauthorized traffic, the HIPAA enforcers noted that the problem wasn’t detected for over 10 months. Proper system activity reviews would have alerted the medical practice much sooner.
A Managed IT Services company would likely have been alerted immediately. Plus, they would have a signed Business Associate Agreement, which is also mandatory for HIPAA compliance.
Managed IT Security Services = HIPAA Compliance for healthcare organizations in Chicagoland.