COMMENTARY
Mike Semel
Semel Consulting
HIPAA Compliance Tech Tips Part 2 (for the first of this 2-part series click here)
More critical components of a HIPAA compliant computing environment: Encryption
While encryption is Addressable under HIPAA, if you do not have it and a device containing health information is lost or stolen, you must notify patients and report the loss to the federal government for an investigation. If a lost or stolen device is encrypted, you do not have to notify patients or the government. You can purchase encryption for almost every type of computer. You can even purchase laptops that automatically self-encrypt when you turn them off or close the lid. In 2012 a state health department paid a $1.7 million penalty for a lost unencrypted hard drive. A hospital paid a $1.5 million fine for a lost unencrypted laptop. Encryption costs a lot less than patient notification and fines.
Passwords and Automatic Logoff
Yes, I know they are inconvenient and annoying. However, HIPAA compliance requires audit trails that identify which user accessed patient records. For this reason, each user must log on and off individually; sharing passwords or piggy-backing multiple users on a single session defeats the audit trail. Automatic logoff is Addressable, but the alternatives are expensive and very inconvenient. If you do not use Automatic Logoff, the alternative is to NEVER (ever) allow a patient in a room with an unlocked computer. You would either have to have the doctor wait in the examining room for each patient to arrive and stay until they leave, or hire additional staff to ensure that a patient is NEVER (ever) left in a room with an unlocked computer. There are ways to make logging back on more convenient, such as fingerprint readers and proximity cards. Accept the facts that each user must log in and out, and that automatic logoff must be used. Like airport security and searches on the way into ball games and concerts, security is a new way of life.
Firewall
Your network is connected to the Internet by a router or a firewall. A router directs traffic between two networks: your internal network and the Internet. A firewall does the same, but includes security features that block unauthorized traffic, which HIPAA compliance requires. A firewall can also filter Internet traffic to prevent viruses and other malware from reaching your computers (another HIPAA compliance requirement). You need a business-grade firewall, including the additional subscription-based features, to properly protect your network. Recently a $400,000 fine was paid when a firewall stopped blocking unauthorized traffic and 17,500 patient records were breached. You can probably figure out that a firewall costs a lot less than the fine and the cost to notify the patients.
Professional IT Staff or IT Managed Services
While it may seem like fun for a doctor to manage the network in his spare time, or a good role for his nephew, brother-in-law, or neighbor who can set up a home network, HIPAA compliance requires either full-time certified staff or a Managed Services arrangement with a professional IT service provider. Managed Service Providers (MSPs) offer remote services that continually monitor and maintain your network at a fraction of the cost of a full-time IT staff.
First, networks that meet HIPAA compliance need to be configured with security in mind at multiple levels (firewall, PCs, laptops, tablets, smart phones, and servers). Then they must be monitored and managed to ensure that security is still working. IT Managed Service providers use remote monitoring and management tools to continually monitor your network, identify problems before they can result in damage, and keep everything updated with security patches. When the $400,000 penalty was assessed for the firewall that stopped blocking unauthorized traffic, the HIPAA enforcers noted that the problem went undetected for over 10 months and that proper system activity reviews would have alerted the medical practice much sooner. A Managed Services provider would likely have been alerted immediately. Make sure any outsourced provider signs a Business Associate Agreement and implements a HIPAA compliance program. Managed Services = HIPAA Compliance.
Mike Semel is certified in HIPAA, has been the CIO for a hospital (a Covered Entity), and has provided IT support for healthcare providers (as a Business Associate). This article was originally published on 4Medapproved.com/HITSecurity.