When it comes to HIPAA compliance and cybersecurity, the danger lies in thinking that one assures the other. It doesn’t. A skim of the daily headlines shows the risk that ransomware and human error pose to sensitive healthcare data, and proves that HIPAA alone is not enough to protect ePHI. HIPAA’s privacy and security requirements do underlie the imperative for sensitive data protection. Yet even a healthcare organization with excellent risk management by HIPAA’s standards can carry serious cybersecurity vulnerabilities.
Understand that compliance alone is not sufficient to meet today’s cyberthreats. When a healthcare organization hammers home the need for HIPAA compliance, cybersecurity may inadvertently take a back seat, foisted off on the IT department. But once your HIPAA house is in order, you’ll need to go beyond its core to protect ePHI. Check that your policies and procedures reflect how you handle data privacy and information security on the people, administrative and technology fronts, cybersecurity included.
Don’t confuse competent IT knowledge with cybersecurity expertise. Assuming that meeting HIPAA requirements and leaving cybersecurity in the hands of your IT department means you’re on top of ePHI protection is a risky assumption. Cybersecurity is an offshoot of IT that requires specialized training and a systematized approach. Ensure that your system framework and tools help you track and manage asset inventories, as well as software and security patch installs.
Avoid organizational cyber responsibility silos. Does your product marketing department think cybersecurity is the purview of IT? Or belongs to membership (patient) billing and network administration? That’s a big cyber risk and yet all too common. Sensitive healthcare data protection is every single employee’s responsibility. Integrate the why and how into all aspects of workforce privacy, security and cyber awareness training. Your challenge is to foster a sense of ePHI protection “ownership” that permeates every level of your healthcare organization.
Consider building upon HIPAA’s framework, integrating your culture of compliance with one of cybersecurity. Recognize that managing both is a perpetual process with many moving parts. You can begin with an examination of your security and privacy framework. Does it address what you need to implement a strong cybersecurity program, and how? With the MyVCM platform, you can begin to build and manage both your cybersecurity and compliance programs, with the tools at hand to meet healthcare data protection challenges.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.