There are many different components that go into the updated HIPAA regulation. We’ve talked about all the obvious ones, but what do organizations most often overlook? Here are the top 5.
Encryption – Data must be encrypted both in flight (between your user and your database) and at rest (as it sits on the disk). In transit, this can be done with something as simple as an SSL certificate; at rest, with an application or database product that integrates with your delivery to encrypt the data before it hits your disk. The bottom line is that all fines and penalties levied thus far have had to do with unencrypted volumes. In fact, a large company was recently levied a hefty $1.7M fine, not because the data was proven to be lost, but because the data was unencrypted. Had the data in fact been encrypted, it would not have been considered a breach.
Physical Security in Your Office – Ensuring security around your office is extremely important. That includes employee badges, monitoring guests coming in and out, and locking file cabinets. Many customers come to us with the mindset that if they move their data to a secure facility like Connectria, then their data is safe. They are correct that Connectria employs many security safeguards to protect our customers; however, if a hacker were able to obtain passwords because you had poor security in your office, that would most definitely count as a breach.
Training – What many companies overlook is the fact that the weakest link in any security plan is the human factor. You can place controls on access to the data, but if employees are taping passwords to keyboards, they are inviting a breach of your data. Employees should be well trained in their responsibility to protect the data they have been entrusted with. The very fact that a person’s most vital personal information is in their care should not be taken lightly. In addition to instructing employees on the internal controls specific to your organization, reviewing cases where fines and penalties have been levied also helps them understand the real-world application of the safeguards you have in place (MEEI breach, Blue Cross breach, Cignet breach).
Separate Your Web/Application from Your Database – This is a general hosting best practice that also applies to HIPAA. All of your Protected Health Information (PHI) is going to be stored in your database, and you want to make sure it is separate from the rest of your environment. There are certain ports that you want open on a web server that you don’t want open on a database server, so you have to logically separate those two tiers.
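As an added example (not from the original post), here is a small Python check over a constructed set of inbound firewall rules that flags the two things this item warns about: web ports open on a database server, and a database port reachable from anywhere wider than the web tier’s subnet. Hostnames, subnets and port numbers are placeholders, not Connectria’s.

```python
"""Check a tiered ruleset for web/database separation (constructed example)."""
import ipaddress
from dataclasses import dataclass

WEB_PORTS = {80, 443}
DB_PORTS = {3306, 5432, 1433}  # MySQL, PostgreSQL, SQL Server defaults


@dataclass(frozen=True)
class Rule:
    host: str    # server the inbound rule applies to (placeholder name)
    role: str    # "web" or "db"
    port: int    # inbound TCP port allowed
    source: str  # CIDR allowed to reach that port


def check_rules(rules, web_subnet):
    """Return a list of findings; an empty list means the tiers are separated."""
    web_net = ipaddress.ip_network(web_subnet)
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r.source)
        if r.role == "db" and r.port in WEB_PORTS:
            findings.append(f"{r.host}: web port {r.port} open on a database server")
        if r.role == "web" and r.port in DB_PORTS:
            findings.append(f"{r.host}: database port {r.port} open on a web server")
        # A database port may only be reached from inside the web tier.
        if r.role == "db" and r.port in DB_PORTS and not src.subnet_of(web_net):
            findings.append(f"{r.host}: port {r.port} reachable from {r.source}, "
                            f"expected a source inside {web_subnet}")
    return findings


# Constructed "weak" layout: one combined host exposing both tiers to the internet.
WEAK = [
    Rule("app01", "db", 443, "0.0.0.0/0"),
    Rule("app01", "db", 3306, "0.0.0.0/0"),
]

# Constructed "separated" layout: web tier public, DB port limited to the web subnet.
SEPARATED = [
    Rule("web01", "web", 443, "0.0.0.0/0"),
    Rule("db01", "db", 3306, "10.0.1.0/24"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("separated", SEPARATED)):
        print(name, check_rules(rules, "10.0.1.0/24") or ["ok"])
```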
Business Associate Agreements – Many people do not realize the importance of the Business Associate Agreement (BAA) or the fact that they MUST HAVE A BAA WITH EVERYONE IN THE CHAIN OF DELIVERY. The BAA sets roles and responsibilities for both the Business Associate and the Covered Entity. In addition, the Omnibus Rule that took effect in March of this year established certain requirements regarding liability and breach notification. If you are a Software as a Service provider and you do not have a BAA with everyone connected to your support of your healthcare customers, you are out of compliance and will be subject to fines and penalties, regardless of your implemented security controls.
For more information, read about the government regulations going into effect in September of this year and why some hosting providers may not sign a Business Associate Agreement (BAA).
As always, please let us know if you need any more information or have suggestions for future blog posts at firstname.lastname@example.org.
– David P.