Article by Avatara’s President, Ben Scully, originally published in Electronic Health Reporter.
Changes in healthcare privacy laws will have significant consequences for medical practices. This summer, the National Institute of Standards and Technology (NIST) released a draft of its HIPAA Security Rule guidance, the first update since the guidance’s original landmark issuance in 2008.
It’s sorely needed.
According to a ClearDATA report on the state of cloud security in healthcare providers in 2022, there is a significant disparity in how healthcare leaders assess their organizations’ cloud-based cybersecurity health. Many healthcare providers mistakenly believe their cloud infrastructure is safe and secure when they actually fall well short of the minimum threshold for proper protection against an increasingly risky landscape.
So it’s unsurprising that 2021 saw healthcare organizations weathering the most data breaches since 2009. But with clear instructions and accountability from technology providers, healthcare organizations can protect themselves against cyberattacks.
Guidelines from the federal government are meaningless without careful compliance from each healthcare organization. It’s critical that you review how noncompliance can negatively affect an organization.
Because healthcare organizations may not be fined or directly punished, the potential fallout of noncompliance is easy to underestimate. But threats are everywhere and the chance of a cyberattack is likely. If you are not proactive, you will eventually leave yourself open to a breach — and that attack can come with dire financial consequences.
Organizations that remain vigilant, proactive, and in line with NIST’s updated HIPAA guidelines can lessen their vulnerability to cyberattacks. It requires an expenditure of resources, sure, but that cost should be seen as a critical investment in your organization’s viability and the privacy of your patient data.
Let’s take a look at a few strategies you can use to be proactive in addressing any cybersecurity changes that may be impacted by HIPAA.
- Don’t just meet HIPAA’s new guidelines — exceed them.
Although the recent guidance is welcome, it should only be seen as a minimum when hackers are getting increasingly clever every day.
To fight that, every organization should utilize NIST 800-171 compliance (which the U.S. Department of Defense requires for all contractors) as your security framework. It will require significant resources to achieve this level of compliance, but it is well worth it knowing that you are as protected as you can be.
- Undergo a thorough self-assessment.
Unfortunately, the current draft of NIST’s new guidance does not provide a checklist for HIPAA-regulated entities to follow. Here are some starter questions to ask your IT team and begin your own self-assessment:
- Is our data stored within private SOC 2 Type 2 audited data centers?
- Do we have well-documented security policies?
- How are those policies enforced?
- What is our employee security awareness training plan?
- How do employees securely share files within and outside of the organization?
- Are we using server and edge firewalls, multifactor authentication, and DNS content filtering?
- Are we using endpoint protection to block malicious traffic and data packets?
- Are our DNS web and content filtering system and spam filters up to par?
- What are our policies and tools for secure email encryption?
- Are we using industry-leading, host-based intrusion detection software?
- Do we have a 24/7 security operations team with real-time incident response?
Here’s the key takeaway: Your cybersecurity strategy is just as important as your financial plan.
- Assess your telehealth videoconferencing tools.
Telehealth has become an important avenue for patient care since the onset of the pandemic. It was understandable that, at the beginning of that period, organizations were unable to dedicate significant scrutiny to security in videoconferencing.
But that’s no longer acceptable, with many tools fraught with security problems or flat-out noncompliance. Leading healthcare organizations today have migrated to a comprehensive, high-security IT platform with built-in telehealth and collaboration tools.
- Bring in experts.
Healthcare data security is too important to just hand over to a generalist IT manager. Securing a hybrid cloud requires a lot of expertise.
Blind spots and hidden vulnerabilities can exist within a hybrid cloud infrastructure, leaving well-intentioned healthcare organizations exposed to external data breaches and other nefarious attacks. Private cloud platforms that detect, prevent, and address privacy and security gaps, on the other hand, can serve as a barrier against cyberattacks.
That’s why the person or team leading your cybersecurity efforts needs have an expertise specific to industry compliance and private cloud networks. A sophisticated understanding of healthcare with all its physical assets, such as medical devices, should be a requirement. Make sure that you have an expert manning this key concern.
If you are proactive and follow NIST’s updated HIPAA guidelines, you will greatly reduce your risk of cyberattack. An investment in cybersecurity is an investment in the longevity of your organization and patient impact.