Part 4 of 7
Cybersecurity against malicious attacks: Unfortunately, patients’ medical records and personal data are worth money on the black market to identity thieves and hackers. Stolen records can be sold to the highest bidder, who will use the information to open lines of credit, make purchases, or steal a patient’s assets without his/her immediate knowledge. To ensure that there is no open access to this private information, healthcare practices are expected to have security controls in place such as a proper firewall, Intrusion Detection Systems (IDS), and programs with auditing and logging to protect against unauthorized access to Joe’s confidential information. These controls will define the individual(s) who are authorized to view particular information and prevent others who are not directly involved with the patient’s care from having access to view his medical records. Auditing opens a window to track and recognize unauthorized data access or security breaches. It is especially essential to have logging controls in place for other areas where information can also be accessed outside of a medical facility such as a secure patient portal.
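The access-control and audit-logging controls described above, as an added illustration that is not part of the original article: a care-team membership check for patient records, with every attempt (allowed or denied) written to an audit log that a review routine scans for users repeatedly denied access. Care-team assignments, user names and patient ids are constructed placeholders.

```python
# Added example (not from the original article). Demonstrates two controls:
#  1. authorization limited to the patient's care team ("minimum necessary"),
#  2. an audit trail that records every access attempt so reviewers can spot
#     users who are probing records they are not involved with.
from dataclasses import dataclass
from datetime import datetime

# Constructed care-team assignments: patient id -> users involved in that care.
CARE_TEAMS = {
    "patient-001": {"dr.lee", "nurse.kim"},
    "patient-002": {"dr.patel"},
}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    patient: str
    action: str
    allowed: bool


def access_record(log, user, patient, action="view", when=None):
    """Allow only care-team members; append every attempt to the audit log."""
    when = when or datetime.now()
    allowed = user in CARE_TEAMS.get(patient, set())
    log.append(AuditEvent(when, user, patient, action, allowed))
    return allowed


def review_audit_log(log, threshold=2):
    """Group denied attempts by user; flag users at or above the threshold."""
    denied = {}
    for event in log:
        if not event.allowed:
            denied.setdefault(event.user, []).append(event)
    return {user: evs for user, evs in denied.items() if len(evs) >= threshold}


def demo():
    """Constructed sequence: one legitimate view, then a billing user probing."""
    log = []
    t = datetime(2024, 1, 1, 9, 0)
    access_record(log, "dr.lee", "patient-001", when=t)       # allowed
    access_record(log, "nurse.kim", "patient-002", when=t)    # denied, not on team
    access_record(log, "billing.sam", "patient-001", when=t)  # denied
    access_record(log, "billing.sam", "patient-002", when=t)  # denied again -> flagged
    return log, review_audit_log(log)
```

Running `demo()` returns the full audit log and a dict naming only `billing.sam`, the one user denied twice; `nurse.kim` appears in the log but is not flagged.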
Cyber Insurance is added protection that many healthcare organizations purchase today. It is designed to protect them against data breaches; however, it is only effective if the organization has a Compliance Plan in place and is following regulations. Otherwise, full claim payouts may not be guaranteed.
YOUR GOAL IS BREACH PREVENTION
No organization wants to find itself in the position of having to defend a breach. Preventing a breach is ideal and being proactive is necessary. Take these ideas under serious consideration:
• Hire a Managed Service Partner to monitor and manage your IT environment.
• Have regular consultations with a HIPAA-knowledgeable attorney.
• Hire a HIPAA Consultant.
• Pay a professional to conduct a Comprehensive Risk Assessment.
• Mitigate the results of a Security Vulnerability Assessment.
• Implement and enforce HIPAA Security Policies/Procedures.
• Get Cyber Insurance and implement a full HIPAA Compliance Program.
• Invest in industry-standard encryption solutions.
• Have an Organizational Policy for addressing and monitoring mobile devices.
• Use Active Directory and Group Policies to enforce User Rights and Security Controls.
• Ensure that medical devices have up-to-date security patches and are malware-free.
• Implement and maintain strong firewalls with subscription services and an Intrusion Detection System (IDS).
• Cultivate a strong, ongoing Security and HIPAA Awareness Program.