As more hospitals move to electronic cloud-based data storage, the data breach risk for protected patient health information (PHI) becomes even more serious. The Health Insurance Portability And Accountability Act of 1996 (HIPAA) Security Rule was put in place to ensure healthcare providers took the proper measures to protect PHI.

Risk assessments, which are mandated by HIPAA, provide a way for healthcare providers to identify vulnerabilities and measure the impact of potential threats. They also provide actionable steps your institution should take for remediating the potential risks and establishing the proper safeguards for the future.

During risk assessments, some healthcare providers often overlook some important details when it comes to security safeguards, leading them to assume that they are meeting all the requirements for protecting patient health records. Here are five other areas in which safeguards can mitigate security risks in your healthcare organization:

  1. Vulnerability Management. Technical security safeguards are fundamental to HIPAA Security Rule compliance. Often healthcare providers focus on administrative areas (policies and procedures) but overlook technical risks. Scanning computer systems (workstations, servers, printers, routers, etc.) for technical vulnerabilities identifies systems that may be configured insecurely.  Knowing where these issues are helps you develop a plan to plug technical security holes.
  2. Organizational Requirements and Third-Party Relationships. Many reported breaches are actually from 3rd party vendors.  The agreements you have with business associates should have to right language to protect your interests. It’s important to develop a plan for identifying and managing vendors who have access to patient health information.
  3. Incident Response Plans and Programs. An incident response plan is a documented procedure for how a cybersecurity incident will be handled. While the contents may vary from organization to organization, most consist of standard operating procedures, processes, and communication plans. Incident response plans should then be developed into proactive incident response programs that include regular testing and revisions.
  4. Tracking and Remediation. Not only should healthcare providers be tracking risk through assessments, but documenting and tracking remediation activities should also be a priority to remedy any significant risks to your data.  This takes you beyond risk assessment to proactive risk management.
  5. Inform and Involve Executive Management. Because cybersecurity is a relatively new and complex topic, there’s often a disconnect between the boardroom and the server room. For those managing day-to-day cybersecurity tasks and resources, it’s important to help connect what you’re doing to the larger business objectives that senior-level leaders and board directors care about.

An Easy Way to Manage All Areas

Taking all of these areas into consideration can seem overwhelming. But it doesn’t have to be.

With BALLAST, we’ve created a tool to help healthcare providers take a comprehensive approach to risk management. BALLAST goes beyond just assessing risks to patient health records and helps you manage the process of proper remediation.

Want to learn more about how BALLAST can help you protect every system in your practice? Click here to schedule a free demo.

Mark Fulford

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.