Here are 12 steps to fend off cyberattacks and remain HIPAA compliant.
Over the years, I’ve written numerous articles on HIPAA compliance and cybersecurity concerns. And I know that practically the only silver lining in those topics is that what you do to make your practice more secure also tends to make it more compliant with HIPAA.
But what exactly should you do? I suggest following these steps, in whatever order suits you best:
1. Make sure that your policies and procedures appear in written form and that your P&P manual is up-to-date, whether it is one customized by a software vendor or something more generic like the one provided by the ADA. Keep in mind that many off-the-shelf manuals are simply templates: there’s a lot of information you’ll need to fill in. You can’t just buy the manual, stick it on a shelf, and forget about it.
2. Sign Business Associate Agreements. You must have a BAA with every person and company that creates, receives, maintains, or transmits your patients' PHI on your behalf, including, but not limited to, the practice management software company, the accountant, the IT and email providers, the data backup company, etc.
3. Install a ransomware protection tool. Traditional signature-based antivirus is only mildly effective against the malware that encrypts your data and demands a ransom for the key. In 2016 the US Department of Health and Human Services issued guidance that a ransomware infection that encrypts ePHI is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised, so you should have specific protection against it in place. I recommend Intercept X Endpoint or HitManPro.
4. Establish a good backup and disaster recovery system. As I’ve said before, it should include local and online backup and be encrypted to meet HIPAA regulations. At least one copy should be offline or otherwise isolated from your network, so that ransomware that reaches your systems cannot encrypt the backups along with the data. You must also test and verify it regularly: a backup job that reports success is not the same as a restore that actually produces intact, usable files.
5. Perform a formal risk assessment (the HIPAA Security Rule calls it a risk analysis) and create a HIPAA risk management plan. The assessment should be comprehensive, covering every aspect of the IT infrastructure, firewall, administration, physical site, etc. A properly performed risk assessment gives you a prioritized plan of action. Keep in mind: it’s not enough to have a management plan in place; you must follow through with the items on that list and document when each one was done.
6. Invest in a good firewall. It should be configurable so that you can restrict external access to your network to only the services you intentionally expose, and it should log traffic and retain those logs so that you can review them yourself and provide traffic data to HIPAA auditors.
7. Set up 2-factor authentication. This is an extra layer of protection that requires you to provide a second piece of information (in addition to a password) to access a site. For example, if you’re signing in to your bank online, it may text a code to your cell phone that you must enter on the site to log in; an authenticator app or a hardware security key does the same job and is harder to intercept than a text message. The point is that a stolen or guessed password alone is no longer enough to get in. Most major services offer this at no charge. Turn it on for your email account first, since password resets for everything else flow through it.
8. Encrypt all data at rest. Any computer or device, like a laptop or an external hard drive, that contains electronic protected health information (ePHI) must be encrypted. Under the Breach Notification Rule, a lost or stolen device whose ePHI is encrypted in line with HHS guidance falls under the safe harbor, while an unencrypted one is a reportable breach. The good news is that many operating systems—such as Windows 10 Pro and Windows Server 2012 and later—come with BitLocker, a free built-in encryption feature. If you haven’t set it up before, ask an IT professional to assist you, store the recovery keys somewhere safe and separate from the device, and document the fact in your HIPAA manual.
9. Use an encrypted email system. Regular email is inherently insecure: messages are not encrypted end to end, so anyone who gets into either mailbox or the servers in between can read them, and email account breaches are very common. A good encrypted email system protects the message in transit and at rest for both sender and recipient, and most cost less than $10 a month per user.
10. Patch software systems on a regular basis. HIPAA requires this (it falls under the Security Rule’s risk management and protection against malicious software), but it doesn’t define “regular basis.” I recommend doing it weekly; new vulnerabilities in common software are published at least that often. Turn on automatic updates where the software offers them, and don’t forget the things that don’t update themselves: the practice management and imaging software, printers, routers, and the firewall’s firmware.
11. Install antimalware. There are plenty of decent programs out there, but stay away from the free ones, which often aren’t very good. Make sure your antivirus software includes antispyware, and make sure it is installed and kept current on every machine that touches ePHI, not just the front-desk computers.
12. Train your staff on HIPAA. There are plenty of online courses that can be completed in under an hour. Make sure that you document which employees have taken the course in your HIPAA manual.
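Step 4 says to test and verify the backup. The following is an added example of what "verify" can mean concretely; it is not code from the original article or from any backup product. It takes a manifest of SHA-256 hashes over the live data at backup time, then checks a test restore against it and reports anything missing, altered, or unexpected. The file names and contents are constructed samples, and storing the manifest outside the backup set is an assumption of this example.

```python
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB pieces so large scans and X-rays don't load into RAM


def sha256_file(path):
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256.
    Run this over the live data at backup time and keep the result outside the
    backup set, so whatever damages the backup cannot also rewrite the manifest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a test restore against the manifest and report every discrepancy."""
    actual = build_manifest(restored_root)
    report = {
        "missing": sorted(p for p in manifest if p not in actual),
        "changed": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(p for p in actual if p not in manifest),
    }
    report["ok"] = not (report["missing"] or report["changed"] or report["extra"])
    return report


def demo():
    """Constructed end-to-end run in a temp directory: sample files -> backup ->
    test restore -> verify, then damage the restore and verify again."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "practice_data")
        os.makedirs(os.path.join(src, "charts"))
        samples = {  # constructed sample content, not real records
            "charts/patient_0001.txt": "constructed sample chart\n",
            "charts/patient_0002.txt": "another constructed sample chart\n",
            "schedule.csv": "date,patient\n2024-01-02,0001\n",
        }
        for rel, text in samples.items():
            with open(os.path.join(src, rel), "w") as f:
                f.write(text)

        # Backup time: hash the live data and store the manifest separately.
        manifest_path = os.path.join(work, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(src), f, indent=2, sort_keys=True)
        backup = os.path.join(work, "backup_copy")
        shutil.copytree(src, backup)

        # Verification time: restore into a scratch location and check it.
        restored = os.path.join(work, "restore_test")
        shutil.copytree(backup, restored)
        with open(manifest_path) as f:
            manifest = json.load(f)
        clean = verify_restore(manifest, restored)

        # Simulate a bad restore: one file silently altered, one file gone.
        with open(os.path.join(restored, "charts", "patient_0001.txt"), "a") as f:
            f.write("corrupted\n")
        os.remove(os.path.join(restored, "schedule.csv"))
        damaged = verify_restore(manifest, restored)
        return clean, damaged
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore ok:", clean["ok"])
    print("damaged restore:", damaged)
```

The manifest lives outside the backup set on purpose: ransomware or a failing disk that corrupts the backup files could just as easily rewrite a manifest stored next to them. Encrypting the backup itself is left to the backup product; this check only establishes that what comes back is byte-for-byte what went in, which is the part a "backup succeeded" message never tells you.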
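Step 7 describes a code sent by text message. The six-digit codes that authenticator apps display are the app-based alternative to that text, and they are time-based one-time passwords (TOTP, RFC 6238): a shared secret and the current time run through an HMAC. The following is an added example showing both sides of that exchange, the code generator and the server-side check; it is not code from the original article or from any bank or vendor. DEMO_SECRET is the RFC 6238 reference test key, and the account name and issuer passed to enroll() are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 reference test key (ASCII "1234567890" twice).
# A real service generates a random per-user secret at enrollment (see enroll()).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the number of `step`-second intervals
    since the epoch. This is what the phone app computes and displays."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check of a submitted code. Accepts the current interval plus
    `window` intervals either side to absorb clock drift and typing delay, and
    compares in constant time so timing doesn't leak how many digits matched."""
    if at is None:
        at = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(counter - window, counter + window + 1)
    )


def enroll(account: str, issuer: str) -> tuple:
    """Generate a fresh random secret and the otpauth:// URI that authenticator
    apps read from a QR code at enrollment. Returns (secret, uri)."""
    secret = secrets.token_bytes(20)  # 160 bits, the size RFC 4226 recommends
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits=6&period=30")
    return secret, uri


if __name__ == "__main__":
    # Reference check against RFC 6238 Appendix B (6-digit form): time 59 -> 287082
    print(totp(DEMO_SECRET, 59))
    # Made-up account for the demo enrollment.
    secret, uri = enroll("frontdesk@example-dental.invalid", "ExampleDental")
    code = totp(secret)  # what the app would show right now
    print(uri, code, verify_totp(secret, code))
```

The secret never leaves the server and the phone, so a stolen password alone cannot produce a valid code. verify_totp accepts one 30-second interval either side of the current one to tolerate clock drift; widening that window gives an attacker more valid codes per attempt, so the server must also rate-limit failed logins. A text-message code, by contrast, can be captured by anyone who takes over the phone number, which is why app-generated or hardware-key codes are preferred when the service offers them.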
When should you begin taking these steps? Now. It’s all about the journey, not the destination. It can’t all be done overnight, but there’s no reason to delay: if you’re suddenly notified of an upcoming HIPAA audit, you won’t have time to get through all 12.