HIPAA Is Not One-Size-Fits-All

HIPAA regulations have continued to challenge healthcare organizations across the country, exposing major cracks in the foundation of healthcare data security processes. Healthcare organizations have the greatest number of data security challenges of any industry, as the top target for cyber attacks with highly complicated healthcare networks, a growing amount of electronic healthcare records and an increasingly mobile workforce.

Every day data moves between doctors and nurses inside the hospital, outsourced diagnostic services, pharmacies, labs, billing services, insurers, business associates, community nurses, home healthcare providers, rehab centers, clinics… the list goes on. Electronic patient information is communicated via LAN, WAN and through all forms of wireless devices, from laptops to smartphones to specialized handheld medical information devices.

In a new article on mHealthNews, "With HIPAA, one size does not fit all", I talk about the challenges of managing this flow of data while meeting the complex, and sometimes vague, requirements of HIPAA, where penalties for non-compliance can be devastating to an organization. I also talk about the steps a healthcare organization can take to become and remain compliant, including:

  • Conducting a security risk assessment (SRA), possibly with the help of the online HIPAA SRA tool
  • Understanding security as a dynamic process with layers of defense going up (think of it as building a wall while cybercriminals try to extend their own ladders)
  • Extending information access and policy enforcement to parents, service providers and suppliers
  • Regular audits of controls to ensure continuous protection
  • Developing a breach response plan

HIPAA does not lay out specific technology requirements, but rather a set of principles for guiding these choices based on individual risk requirements. The custom solution should always take a layered approach – layering security technologies means that if one technology is compromised or breached, another layer of protection is in place to compensate. For example, encryption on the endpoint is a key security protocol and is one of the criteria for Safe Harbor.

As I note in the article, healthcare organizations cannot afford to put all their eggs in the encryption basket. Last year, 78% of breached healthcare records were attributed to lost or stolen endpoints, many of which had been left unencrypted, whether by accident or by deliberate choice. A persistent endpoint solution such as Absolute DDS is the perfect complement to encryption, as it can help healthcare organizations ensure and prove compliance with key HIPAA security regulations. If a healthcare provider's IT department has a persistent connection to all managed devices, on and off the network, it can remain in control even when a device is in the hands of an unauthorized user.

Here at Absolute, we recently launched Absolute DDS for Healthcare, a comprehensive onboarding program that pairs the highest level of endpoint security with expert forensic support to respond to and contain security incidents. Learn more at Absolute.com.

ABOUT THE AUTHOR

Stephen Treglia

Stephen Treglia was Legal Counsel to Absolute and oversaw more than 40 investigators and data analysts. Previous to this, Stephen concluded a 30-year career as a prosecutor in New York, having created and supervised one of the world’s first computer crime units from 1997-2010. Stephen is a renowned nationwide lecturer, teacher and writer on a variety of legal topics.