This article is the third in a three-part series from Third Rock, a leading HIPAA Compliance and Risk Management provider, describing various methods to help protect your healthcare organization from breaches, and cyber-breaches in particular.
Last week, we highlighted the financial impact of a cyber-breach for a healthcare organization and why it is so important to protect your data from breaches. Today’s article will look at the two most significant approaches towards protecting your organization from costly breaches – Prevention and Detection.
Preventing a Breach lays the groundwork for protecting valuable Protected Health Information (PHI) and ePHI, by taking proactive steps to prevent breaches from taking place altogether. The more effort undertaken to fortify your defenses reduces the potential of costly breaches later on. Here are some actions to take that can help your organization prevent a breach from taking place:
- Completing the required Annual HIPAA Risk Assessment is the first step in protecting your organization from a breach. This process performs two critical tasks – first, it identifies all PHI, where it is stored and how it is transmitted and secondly, the Risk Assessment identifies weaknesses or vulnerabilities that may exist in both the electronic and physical worlds. Deficiencies in your defenses are then prioritized and then your team can begin to remediate them in a logical and efficient manner. In fact, the Office of Civil Rights (OCR) of the Department of Health and Human Services, states that the annual risk assessment is the first thing they look for in an audit or a review of a breach.
- Creating Useful and Useable Policies and Procedures that reflect the most current HIPAA Privacy and Security regulations and that are based upon how your organization does business. They should also be written in an easy to understand format so your employees can understand and implement them. If these two requirements are not met, they will not be adopted and implemented successfully, leaving your business vulnerable and non-compliant.
- Incorporating Practical and Up-to-date Training, which is required by HIPAA Privacy and Security rules, enables staff to learn the current requirements pertaining to HIPAA Privacy and Security regulations, thereby further protecting PHI and ePHI in the workplace.
- Encrypting Data, both at rest and in motion, prevents breached data from being recovered by cyber thieves since the breached data is rendered as unreadable without the correct encryption “key.”
- Using Security Software (Norton, McAfee, ESET, etc.) to help prevent malware, phishing, viruses, and other computer vulnerabilities from entering your computer systems and devices.
Unfortunately, breach prevention activities are not enough. As recent headlines have shown, cyber-breaches are happening with greater frequency and voracity. Should a breach occur, Detecting the Breach in a timely manner becomes the key factor in mitigating any damages due to the breach. The sooner you can detect and correct the breach, the greater your protection of PHI and ePHI.
All types of devices (servers, desktops, printers, network devices, databases, storage systems, virtualization infrastructures, mobile devices, etc.) need to be regularly monitored for vulnerabilities, compliance, and changes (both known and unknown).
- Vulnerability Assessment provides detection and reporting of known vulnerabilities on your systems that have not been corrected. Software hackers continually search for ways to penetrate computer defenses and a vulnerability assessment hardens your defenses against such attacks.
- Continuous Compliance includes policies that you can use to ensure continuous compliance with regulatory standards such as HIPAA, PCI-DSS, NIST 800-53, SOX, NERC, and FDCC.
- File Integrity Verification is a fast and reliable process to verify the software deployed on your systems is valid, current, and properly deployed, and has not been infected or altered by malicious software. It also identifies any software that should not be on your network.
The use of such Breach Detection Tools both hardens your computer system’s defenses making your systems less likely to be compromised, and greatly reduces detection time if a breach should occur. These tools provide exceptional visibility and reporting into the compliance and security of your computer systems network, which significantly reduces your organizations liabilities.
In order to help your organization reduce the possibility of being breached and limit the financial impact if breached, Third Rock is offering a Free Cyber Security/Breach Assessment for the first 50 organizations that contact us. All we need to know is the name of the healthcare organization and the contact information for the individual(s) responsible for HIPAA/Information Technology compliance. Send this contact information to info@thirdrock.com or call us at 512-310-0020.
For more information on Third Rock’s Worry-Free Compliance, please visit us at www.thirdrock.com.