Start the Year Strong: Privacy and Security Checkpoints

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure, #HCdeJure

The turn of the calendar to a new year frequently brings renewed energy and excitement to various activities. While that new energy may feel in short supply, given how repetitive the beginning of 2022 feels as a result of yet another COVID-19 surge, hopefully focusing on something other than the virus can offer a means of recreating some of the typical optimism of a new year.

As should be expected, a strong suggestion for finding a place of optimism is to promote a strong focus on privacy and security for the year and going forward. The ever-present risk of a cyber attack, insider action, or some other form of data compromise should be well known at this point in time. While the risk can never be eliminated, there are ways of reducing the risk and minimizing the likelihood of certain issues arising. Here are some ideas that could help.

Jazz Up Annual Training

Too often the required annual HIPAA training just trots out the same text-dense slides or materials that have been provided year after year. Having been guilty of preparing just such a presentation (and admittedly being somewhat bored while preparing it), this writer can attest that the same old approach is not an effective means of generating positive feelings about HIPAA or of teaching how to help protect sensitive healthcare information.

Instead, try thinking outside of the box this time around. Speaking from personal experience, this writer’s own view shifted greatly when taking training provided by one HIPAA compliance-focused vendor. The vendor produces a video that is updated each year. The video is slickly produced to draw the viewer in and make the training process less onerous. Additionally, the training changes its focal issues each year in order to highlight key issues impacting privacy or security.

The more entertaining approach to training can shift feelings toward training and makes the information conveyed more memorable. If people remember the contents better, then attention to compliance should also increase commensurately. It’s a win-win for all.

Do a Network Scan

When was the last time your organization did a comprehensive network scan? While scans can and should be automated to run all of the time, it is also helpful to ensure that the scans are reviewed and any areas of concern get special focus. A solid network scan can maximize the likelihood of finding smaller data leakages that could be the result of either an internal or external attack.

It is firmly acknowledged that network scans can be time-consuming and tedious. Despite that reality, the time is well spent if the scan detects an issue that had been skirting around the edges of the network, or stops an issue before it arises. Regardless of what it turns up, a good network scan is an opportunity to explore the network and think about new measures that could be added to improve overall security.

Review Policies

Policies for complying with regulations such as HIPAA should be reviewed annually, though it is easy to let that review slip down the list as higher priority items arise during the course of a year. That is why conducting the policy review at the beginning of the year can be helpful as it’s possible to go through the review before other issues pop up. The review can hopefully be done with relative ease since it should not take too much to go through and make sure that each policy is fully up to date.

What should the review look like though? For one, the review can ensure that there are no inadvertent omissions from any policies. That means confirming whether any modifications to regulations from the prior year have been incorporated, and whether any pre-existing requirement was left out. Further, the review can help ensure that each policy is written in a way that can be easily understood by everyone within the organization. If the policies just parrot the language of the regulations, it should be expected that not many will understand what their obligations are under the policy. Once the review is complete, be sure to communicate any changes, which can feed into the annual training as a means of reminding all of what is expected.

Prep Breach Report

For the so-called smaller breaches under HIPAA, the deadline to report is within 60 days of the end of each calendar year. While that period has only just started to run, it is better to prepare any needed reports early, again before other priorities take over attention. The compilation requires ensuring that all information from the breaches that impacted fewer than 500 individuals is available and accurate. The report is a necessary compliance step and one that does not need to wait until the full reporting period runs out. Timeliness is beneficial.

The Year Ahead

Beyond the few steps suggested above to get the year off on a good foot, each organization can identify its own actions to set a good tone. The most important consideration is just to think about what can be done to make this a good year from the privacy and security point of view.

This article was originally published on The Pulse blog and is republished here with permission.