The days of having your computer work done by your friend’s nephew or the neighborhood fix-it guy are over. Your IT professional needs to be well versed in HIPAA. They also need to be motivated to keep up with the changing threat environment. It can literally save you millions of dollars and sleepless nights.
Now that your protected health information is stored on computers you are vulnerable to hackers and other cybercriminals. Your system needs to be protected as diligently as possible. This used to mean you needed individual passwords, a firewall, and a virus protection package. That is still important, but it is not enough. As you grow and add technology your firewall and virus protection needs to grow with you and be constantly updated. Tools such as Active Directory should be included to control who has access to what systems in addition to individual passwords.
Mobile devices like laptops, tablets, and smartphones have also brought new problems to the workplace. Smart medical devices that store data like digital x-rays and ultrasounds must be protected. Transmissions and data streaming for billing, prescriptions, Health Information Exchanges (HIE) and system backups, can create vulnerabilities. Remote access by employees add more potential points of error and attack. A good IT company can help you build a tightly controlled system.
Your system must be monitored constantly. Your IT company can help you develop safeguards, alerts, and audits. These are vital to your information protection as they allow you to identify threats and respond quickly. An important part of any systems maintenance must be a good Risk Analysis to identify potential problems. These problems must then be addressed by developing a Corrective Action Plan (CAP) that is followed and documented. Your IT partner can help you identify your risks and recommend and help implement solutions. Not having a Risk Analysis of your current system and an active CAP is the number one reason for large fines and settlements from HHS. Don’t forget that a good Risk Analysis and CAP needs to include your paper, physical safeguards and termination processes too.
Building and/or maintaining a good system is great but no system is totally secure. Finding out how quickly your IT people can respond to a threat is best-done upfront than in the middle of a crisis. A client recently had a great demonstration of that issue. Ransomware is a rapidly growing and devastating attack. In a ransomware attack, the cybercriminals insert a virus that usually doesn’t penetrate your system but instead adds a layer of security on top of yours. This prevents you from accessing your own systems. HHS has stated that if you can’t access your patient information in a timely manner then it is a breach, usually involving all your patients past and present. The client’s IT company had them up and accessing records within 2 hours and operating in real time before the next business day thus preventing a breach that could have cost them greatly in time, reputation and money.