
Improving patient data security and reducing OCR settlements

October 31, 2017
By Kurt Long

It’s no secret that the Department of Health and Human Services’ Office for Civil Rights (OCR) is heavily enforcing HIPAA and entering into settlement agreements with those who egregiously violate it. According to the Ponemon Institute, the 2017 average cost of a data breach in the US has risen to a record $7.35 million. The OCR’s goal is not to cause organizational turmoil, but rather to lead organizations to take security and privacy seriously in an industry where the stakes have hit an all-time high.

Below are steps organizations can take to protect and secure their ePHI and reduce OCR settlements.

Run Risk Analysis of all systems holding ePHI
Position your organization for a strong security and compliance posture by conducting a risk analysis of all systems holding ePHI. A risk analysis identifies where your ePHI is stored and prioritizes the systems that hold it. With the large number of mergers and acquisitions in the health care industry, coupled with the many cloud applications that touch an EMR application, ePHI is difficult to track in today’s digital age. Under the HIPAA Security Rule, all applications containing PHI are subject to HIPAA’s requirements. Conducting a risk analysis to identify every system and application that contains ePHI will allow you to better monitor patient information.

Strengthen identity and monitor
To predict and prevent breaches, health care organizations can use behavioral analytics and auditing to ensure the safety of mission-critical applications and systems. A recent Verizon study cites that 63% of breaches involve compromised user credentials. Insider threats continue to grow, but those threats now include outside adversaries who have compromised users’ accounts to gain access to PHI through mission-critical applications and systems. To determine what users have access to, perform Access Rights Review and Management, including a user inventory of employees, affiliates and vendors. Careless users need to be identified to find out who needs training and who needs sanctioning.
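The following is an added example, not code from the article or from the author’s company, showing how the access rights review and the behavioral auditing described above can be mechanised against a user inventory and an application audit log. The user inventory, the audit-log line format, the field names, the 90-day dormancy threshold and the volume multiplier are all assumptions made for the example; the inventory and log lines are constructed.

```python
"""Access rights review and a simple behavioural check over a constructed
user inventory and constructed EMR audit-log lines (example only)."""
from collections import defaultdict
from datetime import date
from statistics import median

DORMANT_DAYS = 90          # assumed policy: no login for 90 days means review
AS_OF = date(2017, 10, 31)  # review date for the dormancy calculation

# Constructed user inventory: employees, affiliates and vendors with a flag
# saying whether the account is entitled to reach ePHI.
USERS = [
    {"user": "jsmith", "type": "employee",  "role": "nurse",
     "active": True,  "last_login": date(2017, 10, 30), "ephi_access": True},
    {"user": "rdoe",   "type": "employee",  "role": "billing",
     "active": False, "last_login": date(2017, 5, 1),   "ephi_access": True},
    {"user": "vend01", "type": "vendor",    "role": "support",
     "active": True,  "last_login": date(2017, 3, 2),   "ephi_access": True},
    {"user": "mlee",   "type": "affiliate", "role": "physician",
     "active": True,  "last_login": date(2017, 10, 29), "ephi_access": True},
]

# Constructed audit-log lines in an assumed "timestamp key=value ..." format.
AUDIT_LOG = """\
2017-10-30T08:01:12 user=jsmith patient=P1001 action=view
2017-10-30T08:03:40 user=jsmith patient=P1002 action=view
2017-10-30T09:15:02 user=mlee patient=P1001 action=view
2017-10-30T09:16:11 user=mlee patient=P1003 action=update
2017-10-30T10:00:05 user=vend01 patient=P1004 action=view
2017-10-30T22:10:00 user=rdoe patient=P2001 action=view
2017-10-30T22:10:31 user=rdoe patient=P2002 action=view
2017-10-30T22:11:02 user=rdoe patient=P2003 action=view
2017-10-30T22:11:40 user=rdoe patient=P2004 action=view
2017-10-30T22:12:15 user=rdoe patient=P2005 action=view
2017-10-30T22:12:50 user=rdoe patient=P2006 action=view
2017-10-30T22:13:22 user=rdoe patient=P2007 action=view
2017-10-30T22:14:01 user=rdoe patient=P2008 action=view
"""


def parse_audit_log(text):
    """Turn each 'ts key=value ...' line into a dict; skips blank lines."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        event = {"ts": parts[0]}
        for token in parts[1:]:
            key, _, value = token.partition("=")
            event[key] = value
        events.append(event)
    return events


def review_access_rights(users, as_of=AS_OF):
    """Access rights review: return {user: [(severity, reason), ...]} for
    every account entitled to ePHI that needs attention."""
    findings = defaultdict(list)
    for u in users:
        if not u["ephi_access"]:
            continue
        if not u["active"]:
            findings[u["user"]].append(
                ("revoke", "account is disabled but still entitled to ePHI"))
        idle_days = (as_of - u["last_login"]).days
        if idle_days > DORMANT_DAYS:
            findings[u["user"]].append(
                ("review", f"dormant for {idle_days} days"))
        if u["type"] == "vendor":
            findings[u["user"]].append(
                ("review", "third-party account; confirm business need"))
    return dict(findings)


def find_high_volume_users(events, multiplier=3.0, floor=5):
    """Behavioural check: flag users who touched far more distinct patient
    records than their peers (above max(floor, multiplier * median))."""
    distinct = defaultdict(set)
    for ev in events:
        distinct[ev["user"]].add(ev["patient"])
    counts = {user: len(patients) for user, patients in distinct.items()}
    if not counts:
        return []
    limit = max(floor, multiplier * median(counts.values()))
    return sorted(user for user, n in counts.items() if n > limit)


def find_disabled_user_activity(events, users):
    """Any activity by an account the inventory says is disabled is a
    definite finding: the entitlement was never actually removed."""
    disabled = {u["user"] for u in users if not u["active"]}
    return sorted({ev["user"] for ev in events if ev["user"] in disabled})


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    for user, items in review_access_rights(USERS).items():
        for severity, reason in items:
            print(f"{severity:7} {user:8} {reason}")
    print("high-volume users:", find_high_volume_users(events))
    print("disabled accounts seen in log:",
          find_disabled_user_activity(events, USERS))
```

Run against the constructed data, the review lists the disabled billing account that still holds an entitlement, the dormant vendor account, and the same disabled account appearing in the audit log while viewing an unusual number of patient records; the last finding is the kind of compromised-credential activity the Verizon figure refers to. The thresholds are deliberately simple so that the logic is easy to audit; a production deployment would tune them per role and feed the output into the sanctioning and training process the article mentions.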

Conduct risk assessments
Under the HIPAA regulations, a risk assessment appears under the Breach Notification Rule and is what an entity must conduct to determine the probability that protected health information has been compromised; it is distinct from the Security Rule risk analysis described above. The main goal is to determine whether a breach of ePHI must be lawfully reported. The ONC and OCR recently updated their Security Risk Assessment Tool to help guide organizations through the process.
