The main focus of the 7th annual conference, Safeguarding Health Information: Building Assurance Through HIPAA Security, held this month in Washington D.C., was to highlight the current state of health information management and to explore the use of information technology in healthcare while ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Practical advice and strategies were also presented at the conference – co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) – to streamline implementation of the HIPAA Security Rule.
The HIPAA Security Rule was established to set standards for protecting the confidentiality, integrity and availability of patients' electronic health information. Healthcare organizations and other HIPAA covered entities are required to put in place appropriate safeguards to protect electronic protected health information (ePHI) both in storage and in transit. Proper technical, administrative and physical safeguards must be used to prevent unauthorized access to patient health data.
Conference sessions covered topics including security management, how to improve cybersecurity, risk management and strategies for responding to data breaches. The sessions were focused on the healthcare industry and examined the issues currently faced by organizations trying to ensure HIPAA compliance. Updates were provided on the Omnibus HIPAA/HITECH Final Rule, along with advice on data breach management and on securing mobile devices to ensure HIPAA compliance.
Best Practices to Enhance Cyber Security in Healthcare
The conference focused on practical actions organizations can take to improve cybersecurity and ensure compliance with existing legislation.
Risk Assessment and Management
In order to ensure HIPAA compliance and stop unauthorized access to protected health information (PHI), a thorough data security risk assessment must be completed. Effective strategies can then be put in place to manage and minimize any data security risks that are found. A recent audit by the Office for Civil Rights revealed that two thirds of organizations had not completed an adequate risk analysis, which is a requirement of the Security Rule. Without a thorough assessment it is not possible to identify and apply all the measures needed to safeguard PHI.
Heightened Security Threat in Healthcare Demands Data Encryption
Secure storage and hosting of healthcare data is vital to stop unlawful access and theft. Throughout the conference, panelists stressed that appropriate cybersecurity controls should now extend to data encryption because of the high risk of data theft. Encryption ensures that, if a device or database is stolen, the data cannot be read by unauthorized individuals. Data breaches may not be stopped entirely, but the damage they cause can be lessened. Note that encryption only provides this protection if the decryption keys are managed separately from the encrypted data; a key stored on the same stolen laptop offers no protection at all.
Mobile Devices must be Secured
The OCR stressed the requirement for mobile devices to be secured, as 60% of all reported data breaches involving 500 or more people were due to the loss or theft of laptop computers, tablets, smartphones and other media containing unencrypted data. Full-disk encryption for mobile devices and laptops could minimize the number of data breaches, which are currently occurring on an almost daily basis.
Data Breach Management
Due to the sophisticated nature of cyberattacks, the OCR acknowledged that data breaches are not always preventable, and plans must therefore be developed so that organizations can react promptly to a data breach. Action must be taken quickly to limit any loss and damage caused. It was also made clear that organizations which fail to take appropriate measures to keep PHI secure face heavy penalties. The OCR will be carrying out audits to ensure HIPAA compliance, and panelists emphasized the importance of keeping detailed records of all compliance efforts to avoid a full-scale compliance review. The OCR also recommended completing frequent risk assessments to ensure continued HIPAA compliance.
Effective Compliance Training is Vitally Important
All but one of the 59 organizations audited by the OCR that had negative findings were thought to have suffered from inadequate training on HIPAA compliance. The audit highlighted that the only way to ensure full compliance is to train all staff members on the importance of data security and to effectively communicate compliance policies and procedures. For that to be possible, those conducting the training must fully understand all current regulations and their implications for their organization.