Over the past year, reports of Protected Health Information (PHI) breaches, ransomware attacks and hacking of healthcare software systems/applications have increased. Due to the uptick in potential breaches and threats to PHI, the Office of Civil Rights (OCR) has also increased its efforts to ensure healthcare organizations have the appropriate technical, physical and administrative safeguards in place. A recent high-profile enforcement action involved Advocate Health Care paying OCR $5.5MM to resolve more than one data breach, including stolen, unencrypted laptops and hackers gaining access to a Business Associate’s network that contained Advocate PHI.
Does your organization have the appropriate safeguards in place? If your organization does not comprehensively conduct each of the following related to privacy and security, your organization could be at risk.
- Risk Assessment – Identify, prioritize and mitigate risk. In July of 2016, the OCR Director called risk assessments and risk management plans the “cornerstones of HIPAA Security Rule.”
- Policies and Procedures – Provide guidance to employees and contractors on their compliance obligations under the HIPAA privacy and security rules. Provide guidance around your identified risks!
- Auditing and Monitoring – Crucial to knowing whether the infrastructure in place is mitigating risk and whether your biggest risk, people, comply with the education and guidance provided.
- Vendor Protocols – Know your Business Associates (BA)! A BA Agreement is not enough – identify high risk BAAs, audit and educate.
- Vulnerability Testing – How secure is your network and IT assets? Could someone easily penetrate your system? To mitigate risk you have to know your vulnerabilities – conduct annual penetration or vulnerability tests.
- Training and Education – Keep employees and contractors informed and up-to-date. Our people pose our biggest risk – the more education and guidance the better.
Be proactive and ensure your organization is protected. For more information on Provident’s HIPAA Privacy and Security Compliance Assessments, email firstname.lastname@example.org.