This September the Government held the 7th annual conference, Safeguarding Health Information: Building Assurance Through HIPAA Security, in Washington, D.C. The conference was co-hosted by the National Institute of Standards and Technology (NIST), the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS).
One of the main aims of the conference was to highlight the current state of health information management and to explore the use of information technology in healthcare while ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance. Practical advice and strategies were also provided to streamline implementation of the HIPAA Security Rule.
The HIPAA Security Rule was introduced to set a standard to protect the privacy and confidentiality of patients’ health information. Healthcare organizations and other HIPAA covered entities are required to implement appropriate safeguards to protect electronic health information during storage and transit. Appropriate technical, administrative and physical safeguards must be employed to prevent unauthorized access to patient health data.
Conference sessions covered security management, how to improve cybersecurity, risk management and strategies for responding to data breaches. Sessions were focused on the healthcare industry and explored the issues currently faced by organizations trying to ensure HIPAA compliance. Updates were given on the Omnibus HIPAA/HITECH Final Rule, and advice was provided on data breach management and on securing mobile devices to ensure HIPAA compliance.
Best Practices to Improve Cyber Security in Healthcare
The conference focused on practical steps organizations can take to improve cybersecurity and ensure compliance with current legislation.
Risk Assessment and Management
In order to ensure HIPAA compliance and prevent unauthorized access to Private Health Information (PHI), a thorough data security risk assessment must be performed. Effective strategies can then be implemented to manage and minimize any data security risks which are found. A recent audit by the Office for Civil Rights showed that two thirds of organizations had not conducted an adequate risk analysis, a requirement of the Security Rule. Without a thorough assessment it is not possible to implement all appropriate measures to safeguard PHI.
Increased Security Threat in Healthcare Demands Data Encryption
Secure storage and hosting of healthcare data is essential to prevent unlawful access and theft. Throughout the conference panelists highlighted the importance of implementing appropriate cybersecurity measures which should now extend to data encryption due to the high risk of data theft. Data encryption ensures that in the event of an attack data cannot be viewed by unauthorized individuals. Data breaches may not be prevented but the damage caused can be minimized.
Mobile Devices Must Be Secured
The OCR highlighted the need for mobile devices to be secured, as 60% of all reported data breaches involving 500 or more individuals were due to the loss of laptop computers, tablets, smartphones and other media containing unencrypted data. Data encryption services for mobiles and laptops could drastically reduce the number of data breaches, which are occurring on an almost daily basis.
Data Breach Management
Due to the sophisticated nature of cybersecurity attacks, the OCR acknowledged that data breaches are unavoidable and plans must therefore be developed to enable organizations to deal with a data breach. Action must be taken rapidly to limit any loss and damage caused. It was also made clear that should organizations fail to take appropriate measures to keep PHI secure, they face stringent penalties. The OCR will be conducting audits to ensure HIPAA compliance, and panelists highlighted the importance of keeping detailed records on all compliance efforts to avoid a full-scale compliance review. It also recommended conducting frequent risk assessments to ensure continued HIPAA compliance.
Effective Compliance Training is Essential
All but one of the 59 companies audited by the OCR that had negative findings were believed to have suffered from inadequate training on HIPAA compliance. It stressed that the only way to ensure full compliance was to provide training to all staff on the importance of data security and to effectively communicate compliance policies and procedures. In order for that to be possible, trainers must fully understand all current regulations and their implications for their organization.