As we noted previously, there are numerous requirements for HIPAA compliance.  A top priority after the risk assessment is cyber security to prevent and detect cyber breaches.

In this age of data breaches, from cyber intrusions to equipment theft and loss, continuous monitoring of your network and your networked devices might be the second item to address on your list of HIPAA compliance activities. The Office of Civil Rights (DHHS) states that security is now 80% of the requirements of compliance and that protecting the PHI is the goal.


The key to preventing a serious PHI/ePHI data loss is to quickly identify and remediate data breaches. Quick identification of a breach, in any of its forms, is the most important aspect of securing your data. Most cyber thieves need time to attack and get into your systems and equipment; more time to root around in your networks and files looking for valuable data; and still more time to collect and exfiltrate the stolen data. Anything that shortens these time frames lessens the potential damage from data theft.

Begin with a Weekly Review of your systems and software for Unauthorized Changes (or authorized changes that did not occur). Early detection of unauthorized changes to your systems, software, and equipment can reduce the impact that malicious software (malware) might have on your valuable ePHI data.

A Weekly Review of your systems and equipment compliance profiles can also reduce your vulnerability to outside attacks. This process strengthens your system and software against any future attacks by continuously maintaining compliance standards.

Regular Inventory reviews of all computer-related equipment are necessary to identify any theft, loss, or new additions to your network. If you do not know what equipment you have, you certainly cannot know what information you might have lost. Likewise, new equipment on your network that is not properly configured can leave you vulnerable to attack.

Continuously monitoring your systems and computer equipment will allow you to quickly identify any anomalies and proactively address any irregularities, thereby protecting your valuable ePHI data.
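The weekly change review described above can be reduced to comparing a baseline snapshot against the current one, with a list of approved changes to tell authorized from unauthorized. The following is an added example, not Third Rock's code or tooling; file paths, digests and the approved-change ticket are all constructed sample values.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Digest used to fingerprint a file's contents in the snapshots."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: last week's baseline and this week's snapshot,
# both mapping file path -> SHA-256 of the file contents.
BASELINE = {
    "/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin no\n"),
    "/opt/emr/app.jar": sha256_hex(b"emr-build-41"),
    "/etc/hosts": sha256_hex(b"127.0.0.1 localhost\n"),
}
CURRENT = {
    "/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin yes\n"),  # changed without a ticket
    "/opt/emr/app.jar": sha256_hex(b"emr-build-41"),               # approved patch never landed
    "/usr/local/bin/helper": sha256_hex(b"unknown binary"),        # new file, no ticket
}
# Constructed change ticket approved for this week: path -> expected new digest.
APPROVED = {"/opt/emr/app.jar": sha256_hex(b"emr-build-42")}


def review_changes(baseline: dict, current: dict, approved: dict) -> dict:
    """Classify every difference between two snapshots for the weekly review.

    unauthorized:         changed or added files with no matching approved digest
    approved_not_applied: approved changes whose expected digest is not present
    removed:              files present in the baseline but gone from the current snapshot
    """
    unauthorized, removed = [], []
    for path in set(baseline) | set(current):
        old, new = baseline.get(path), current.get(path)
        if new is None:
            removed.append(path)
        elif old != new and approved.get(path) != new:
            unauthorized.append(path)
    approved_not_applied = [
        path for path, expected in approved.items() if current.get(path) != expected
    ]
    return {
        "unauthorized": sorted(unauthorized),
        "approved_not_applied": sorted(approved_not_applied),
        "removed": sorted(removed),
    }


if __name__ == "__main__":
    for category, paths in review_changes(BASELINE, CURRENT, APPROVED).items():
        print(f"{category}: {paths}")
```

The same snapshot comparison, keyed by device identifier instead of file path, serves the inventory review: "removed" flags possible theft or loss and "unauthorized" flags equipment that appeared on the network without a record.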

To address these issues, Third Rock offers Third Rock Assurance, which provides continuous monitoring of your networks and networked devices. All types of devices (servers, desktops, network devices, databases, storage systems, virtualization infrastructures, and mobile devices) can be monitored for vulnerabilities, compliance, and changes (authorized and unauthorized), with scans scheduled to run nightly, weekly, or monthly. Go to https://thirdrock.com/compliance-solutions/continuous-compliance-monitoring/ for more information about continuous monitoring.

If you are interested in knowing where to start, try Third Rock’s HIPAA Quick-Check (http://cyberquickcheck.com/), which is a mini-risk assessment that will let you know very quickly your level of HIPAA compliance.

Articles in the series:

  1. How to get Started: Risk Assessment
  2. Breach Detection
  3. Education