<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>hipaa &#8211; tekRESCUE</title>
	<atom:link href="/tag/hipaa/feed/" rel="self" type="application/rss+xml" />
	<link>/</link>
	<description>SEO &#38; Managed IT Solutions for Austin, San Marcos &#38; Central Texas</description>
	<lastBuildDate>Tue, 07 Jun 2022 17:58:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.0.1</generator>

<image>
	<url>/wp-content/uploads/2020/09/tekrescue-site-icon_512-84x84.png</url>
	<title>hipaa  - tekRESCUE</title>
	<link>/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Meeting HIPAA Compliance with a Managed IT Plan Pt 4</title>
		<link>/meeting-hipaa-compliance-with-a-managed-it-plan-pt-4-encrypting-data-and-backups/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=meeting-hipaa-compliance-with-a-managed-it-plan-pt-4-encrypting-data-and-backups</link>
		
		<dc:creator><![CDATA[Randy Bryan]]></dc:creator>
		<pubDate>Fri, 04 May 2018 19:18:23 +0000</pubDate>
				<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[managed it]]></category>
		<guid isPermaLink="false">/?p=8031</guid>

					<description><![CDATA[<a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-4-encrypting-data-and-backups/" title="Meeting HIPAA Compliance with a Managed IT Plan Pt 4" rel="nofollow"><img width="900" height="600" src="/wp-content/uploads/2018/04/security-2972105_1280A.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Meeting HIPAA Compliance with a Managed IT Plan, Pt 4" style="display: block; margin-bottom: 20px; clear:both;max-width: 100%;" link_thumbnail="1" srcset="/wp-content/uploads/2018/04/security-2972105_1280A.jpg 900w, /wp-content/uploads/2018/04/security-2972105_1280A-600x400.jpg 600w, /wp-content/uploads/2018/04/security-2972105_1280A-300x200.jpg 300w" sizes="(max-width: 900px) 100vw, 900px" /></a>As covered previously, it is important to ensure physical data safety, individual device protection, and network protection when meeting HIPAA compliance requirements. There are many methods in place for ensuring this type of protection, but in the rare and unfortunate event that all security protocols and systems fail, the data itself must be protected. HIPAA&#8217;s...]]></description>
										<content:encoded><![CDATA[<a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-4-encrypting-data-and-backups/" title="Meeting HIPAA Compliance with a Managed IT Plan Pt 4" rel="nofollow"><img width="900" height="600" src="/wp-content/uploads/2018/04/security-2972105_1280A.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Meeting HIPAA Compliance with a Managed IT Plan, Pt 4" loading="lazy" style="display: block; margin-bottom: 20px; clear:both;max-width: 100%;" link_thumbnail="1" srcset="/wp-content/uploads/2018/04/security-2972105_1280A.jpg 900w, /wp-content/uploads/2018/04/security-2972105_1280A-600x400.jpg 600w, /wp-content/uploads/2018/04/security-2972105_1280A-300x200.jpg 300w" sizes="(max-width: 900px) 100vw, 900px" /></a><p>As covered previously, it is important to ensure physical data safety, individual device protection, and network protection when meeting HIPAA compliance requirements. There are many methods in place for ensuring this type of protection, but in the rare and unfortunate event that all security protocols and systems fail, the data itself must be protected.</p>
<h3>HIPAA&#8217;s Data Encryption Regulation</h3>
<p>The number one way to ensure that data is protected in the event of systems failure is to encrypt the data. Not only will this ensure that data is not accessed by attackers, it can also help save your employees from potential liability. If employees are required to handle data, it is better for everyone involved if it is properly encrypted. Data encryption practices are also a HIPAA regulation that must be followed by all healthcare providers. HIPAA requires that all data must be encrypted, and that the tool or software used to decrypt information must be kept at a location other than the provider’s office and on a device other than the one that is being encrypted.</p>
<h3>Where Data is Circulated</h3>
<p>All relevant data and patient health information must be encrypted. While there are many commonly known places that data is circulated, some are less obvious. Data can be circulated through any programs that have full or partial permission to access data, such as a patient database. However, any program or device that comes into contact with the smallest piece of personal health information must be recorded and secured. This includes even small applications used in day-to-day operations, such as calendar systems, email alert systems, servers, backups, and others. In addition, any data stored in a database or general electronic files must also be encrypted, along with any applications used in conjunction with these sources. Any data created in applications, even information such as appointment times and potential notes, must be protected, kept confidential and encrypted.</p>
<h3>Type of Encryption</h3>
<p>Full-disk encryption is usually recommended for data protection, but there is no specific regulation that specifies which encryption method must be used, though this may change in the future. For safety reasons, the industry standard or better is recommended. This means AES 128 or AES 256 or better. Other encryption methods are also available, but are required to be advanced enough to avoid allowing personal health information data to become vulnerable to attackers.</p>
<h3>Reporting Misused Data</h3>
<p>In the event that information is somehow stolen, the breach must be reported to proper authorities as required by HIPAA regulations. Data can be stolen physically, or by accessing network data through hacking. If proper safety standards are met, the encryption used will stop attackers from being able to access the data. In extreme circumstances, a secure destruction can be used to make stolen data unreadable. Again, if appropriate and advanced encryption is put in place, it should prevent hackers from being able to access personal health information protected through HIPAA regulations.</p>
<p>For more information about encrypting data and HIPAA regulations, please contact tekRESCUE, located in San Marcos, TX.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Meeting HIPAA Compliance with a Managed IT Plan Pt 3: Network Monitoring</title>
		<link>/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=meeting-hipaa-compliance-with-a-managed-it-plan-pt-3</link>
		
		<dc:creator><![CDATA[Stephen Mesko]]></dc:creator>
		<pubDate>Tue, 24 Apr 2018 16:31:16 +0000</pubDate>
				<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[managed it]]></category>
		<guid isPermaLink="false">/?p=8024</guid>

					<description><![CDATA[<a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3/" title="Meeting HIPAA Compliance with a Managed IT Plan Pt 3: Network Monitoring" rel="nofollow"><img width="900" height="600" src="/wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3-network-monitoring.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Meeting HIPAA Compliance with a Managed IT Plan Pt 3: Network Security" loading="lazy" style="display: block; margin-bottom: 20px; clear:both;max-width: 100%;" link_thumbnail="1" srcset="/wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3-network-monitoring.jpg 900w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3-network-monitoring-600x400.jpg 600w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3-network-monitoring-300x200.jpg 300w" sizes="(max-width: 900px) 100vw, 900px" /></a>In our last article, we covered some of the documentation that HIPAA requires you to have in place to ensure quality protection of personal information, and before that we covered antivirus and data protection. Where these two intersect is network security. Anytime something is on a server and connecting to the web, even in a...]]></description>
										<content:encoded><![CDATA[<a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3/" title="Meeting HIPAA Compliance with a Managed IT Plan Pt 3: Network Monitoring" rel="nofollow"><img width="900" height="600" src="/wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3-network-monitoring.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Meeting HIPAA Compliance with a Managed IT Plan Pt 3: Network Security" loading="lazy" style="display: block; margin-bottom: 20px; clear:both;max-width: 100%;" link_thumbnail="1" srcset="/wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3-network-monitoring.jpg 900w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3-network-monitoring-600x400.jpg 600w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-pt-3-network-monitoring-300x200.jpg 300w" sizes="(max-width: 900px) 100vw, 900px" /></a><p><a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-2/">In our last article</a>, we covered some of the documentation that HIPAA requires you to have in place to ensure quality protection of personal information, and <a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-1-monitoring-antivirus-status/">before that</a> we covered antivirus and data protection. Where these two intersect is network security. Anytime something is on a server and connecting to the web, even in a closed system, there is the potential for someone to interfere with the process. Even if it is a network only involving communication between other devices on the network, if one of them connects to the internet, that is a potential vulnerability. These processes need to be routinely monitored. It is extremely important that you ensure HIPAA compliance for your business, as there are a lot of potential problems you can face if you don’t.</p>
<h2>Keeping Track of What’s on the Network</h2>
<p>We mentioned the fact that you need to have all devices containing personal health information (PHI) documented along with their serial numbers, make/model, and location. This will help with another thing you will need to record—any device that connects to the network, as well as any wireless access points. Protecting sensitive data requires that you record and monitor any and all devices that access the network. This is why HIPAA-compliant organizations generally separate public Wi-Fi from the network used to communicate patient data. But if you have a list of all devices that will be used for that purpose, and a list of all devices that access the network, you can easily compare them and spot any discrepancies.</p>
<h2>Making Sure the Network is Secure</h2>
<p>You can minimize the potential problems by running a proper firewall, having the right software to prevent breaches, and constant monitoring. There will be a variety of potential weak points as the data passes among devices, and it is important to know where this data is flowing from. It may, for example, be submitted by email, then sent to the database, or it may be entered manually from a new patient form which is scanned in, then sent to the database, then sent from there to a mobile work tablet, and from there to an email account. As it passes from one network device to another, it is important to be able to make sure nothing goes wrong.</p>
<h2>How a Managed IT Provider Can Help</h2>
<p>HIPAA-compliant managed IT providers have the equipment to help you prepare your network safety. They do this in several ways, first by running tests on internal and external threats, and automated checks for weaknesses. IT providers will also actively partake in penetration testing, where they will go hands-on and try to crack your security, so that they know where any weaknesses lie and can form a solution to deal with them. A good IT company will also record any open ports and network access points, essentially by scanning and making a map of the network. Some of these potential weaknesses will be unlikely, and some will be very possible, and from there we can prioritize which ones to focus on first.</p>
<p>Having a secure and monitored network is an important part of meeting HIPAA compliance, and there is a lot that goes into it. In the next article, we will cover data encryption, because if data falls into the hands of an attacker (and hopefully it never does), it is important that it remains useless to them.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Meeting HIPAA Compliance with a Managed IT Plan Pt 2: Device Documentation</title>
		<link>/meeting-hipaa-compliance-with-a-managed-it-plan-pt-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=meeting-hipaa-compliance-with-a-managed-it-plan-pt-2</link>
		
		<dc:creator><![CDATA[Stephen Mesko]]></dc:creator>
		<pubDate>Mon, 16 Apr 2018 19:31:29 +0000</pubDate>
				<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[managed it]]></category>
		<guid isPermaLink="false">/?p=8019</guid>

					<description><![CDATA[<a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-2/" title="Meeting HIPAA Compliance with a Managed IT Plan Pt 2: Device Documentation" rel="nofollow"><img width="900" height="600" src="/wp-content/uploads/2018/04/meeting-hipaa-compliance-managed-it-plan-2-device-documentation.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Meeting HIPAA Compliance with a Managed IT Plan, Part 2: Device Documentation" loading="lazy" style="display: block; margin-bottom: 20px; clear:both;max-width: 100%;" link_thumbnail="1" srcset="/wp-content/uploads/2018/04/meeting-hipaa-compliance-managed-it-plan-2-device-documentation.jpg 900w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-managed-it-plan-2-device-documentation-600x400.jpg 600w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-managed-it-plan-2-device-documentation-300x200.jpg 300w" sizes="(max-width: 900px) 100vw, 900px" /></a>A lot of steps go into ensuring HIPAA compliance. One of those is storing the serial numbers of all managed devices and making sure to record everyone who gets on the network. HIPAA, and all of its protocols and safeguards, are there to make sure that personal health information stays private, and does not fall...]]></description>
										<content:encoded><![CDATA[<a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-2/" title="Meeting HIPAA Compliance with a Managed IT Plan Pt 2: Device Documentation" rel="nofollow"><img width="900" height="600" src="/wp-content/uploads/2018/04/meeting-hipaa-compliance-managed-it-plan-2-device-documentation.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Meeting HIPAA Compliance with a Managed IT Plan, Part 2: Device Documentation" loading="lazy" style="display: block; margin-bottom: 20px; clear:both;max-width: 100%;" link_thumbnail="1" srcset="/wp-content/uploads/2018/04/meeting-hipaa-compliance-managed-it-plan-2-device-documentation.jpg 900w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-managed-it-plan-2-device-documentation-600x400.jpg 600w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-managed-it-plan-2-device-documentation-300x200.jpg 300w" sizes="(max-width: 900px) 100vw, 900px" /></a><p>A lot of steps go into ensuring HIPAA compliance. One of those is storing the serial numbers of all managed devices and making sure to record everyone who gets on the network. HIPAA, and all of its protocols and safeguards, are there to make sure that personal health information stays private, and does not fall into the wrong hands. A large part of that is making sure you correctly document everything that goes into your HIPAA compliance. While you must deal with some of this documentation internally, a managed IT provider can help with most of it. There are quite a number of steps needed to make sure you properly make an inventory.</p>
<h2>Documenting Serial Numbers &amp; Other Info</h2>
<p>One of these is storing all of the serial numbers and information on devices that will be coming into contact with personal health information. That information includes the make and model of those devices, and their physical location. It might sound like a simple request, but it is more than just documenting the few work computers you use. Many companies are now using mobile phones to access patient data. If that is the case with your company, you will need to record these mobile devices as well.</p>
<p>Furthermore, even if you just use a device to hand off data, you will still need to record that device if it could be an access point. According to one recent study, up to 18% of healthcare professionals now access PHI on mobile phones. This list also includes servers, as they are definitely a potential weak point that you and your IT providers need to monitor.</p>
<h2>Documenting Where PHI Is Located</h2>
<p>Part of recording devices is also recording where the PHI is located, and where it will be. There will need to be a PHI location map, as well as plans in place on how you would deal with a breach, and potential vulnerabilities. These are less strict, but must meet the requirement of a reasonable amount of preventative care. You will need to record software as well as a business associate agreement if you work with a managed IT company. This agreement will itemize exactly what permissions your IT managers have as well as their ability to make sure data is being backed up and encrypted, plans to minimize contact with personal data, and plans to destroy any personal data needed to configure problems.</p>
<h2>Documenting Business Practices</h2>
<p>You will also need to document many of your business practices, including your training plans and how you teach new employees to handle PHI properly. Documents should also include what steps you have taken to limit the access that third parties, such as software companies, have to your data, and the specific ways you have minimized exposure. Also needed is a list of any possible vulnerabilities and how you may deal with them, and upgrades to the system you want to make in the future. Finally, you should address any upgrades that you have been needing to make. This should help you fill out any and all milestones and goals you want to go over in the future.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Meeting HIPAA Compliance with a Managed IT Plan Pt 1: Monitoring Antivirus Status</title>
		<link>/meeting-hipaa-compliance-with-a-managed-it-plan-pt-1-monitoring-antivirus-status/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=meeting-hipaa-compliance-with-a-managed-it-plan-pt-1-monitoring-antivirus-status</link>
		
		<dc:creator><![CDATA[Stephen Mesko]]></dc:creator>
		<pubDate>Tue, 10 Apr 2018 21:54:11 +0000</pubDate>
				<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[managed it]]></category>
		<guid isPermaLink="false">/?p=8015</guid>

					<description><![CDATA[<a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-1-monitoring-antivirus-status/" title="Meeting HIPAA Compliance with a Managed IT Plan Pt 1: Monitoring Antivirus Status" rel="nofollow"><img width="900" height="600" src="/wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-part-1-monitoring-antivirus-status.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Meeting HIPAA Compliance with a Managed IT Plan Pt 1 Monitoring Antivirus Status" loading="lazy" style="display: block; margin-bottom: 20px; clear:both;max-width: 100%;" link_thumbnail="1" srcset="/wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-part-1-monitoring-antivirus-status.jpg 900w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-part-1-monitoring-antivirus-status-600x400.jpg 600w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-part-1-monitoring-antivirus-status-300x200.jpg 300w" sizes="(max-width: 900px) 100vw, 900px" /></a>The Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996 to ensure the protection of private information and insurance accounts, and to regulate practically all personal data created from healthcare activities. Subsequent legislation has also aimed to ensure the protection of the data, such as the HITECH Act. There is a long list of...]]></description>
										<content:encoded><![CDATA[<a href="/meeting-hipaa-compliance-with-a-managed-it-plan-pt-1-monitoring-antivirus-status/" title="Meeting HIPAA Compliance with a Managed IT Plan Pt 1: Monitoring Antivirus Status" rel="nofollow"><img width="900" height="600" src="/wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-part-1-monitoring-antivirus-status.jpg" class="webfeedsFeaturedVisual wp-post-image" alt="Meeting HIPAA Compliance with a Managed IT Plan Pt 1 Monitoring Antivirus Status" loading="lazy" style="display: block; margin-bottom: 20px; clear:both;max-width: 100%;" link_thumbnail="1" srcset="/wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-part-1-monitoring-antivirus-status.jpg 900w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-part-1-monitoring-antivirus-status-600x400.jpg 600w, /wp-content/uploads/2018/04/meeting-hipaa-compliance-with-a-managed-it-plan-part-1-monitoring-antivirus-status-300x200.jpg 300w" sizes="(max-width: 900px) 100vw, 900px" /></a><p><span style="font-weight: 400;">The </span><span style="font-weight: 400;">Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996 to ensure the protection of private information and insurance accounts, and to regulate practically all personal data created from healthcare activities. Subsequent legislation has also aimed to ensure the protection of the data, such as the HITECH Act. There is a long list of requirements for healthcare providers and those who manage the data of those providers, which all revolve around keeping your personal health information (PHI) safe. There are requirements for how you secure your server, your network, and user info, encrypt and back up data, track devices used to store information, control who can access PHI, manage updates and antivirus, and much more.</span></p>
<h2><span style="font-weight: 400;">How HIPAA Applies to IT Professionals</span></h2>
<p><span style="font-weight: 400;">These requirements also extend to those who manage this data. This means entities like tekRESCUE have to ensure protected status on our end as well, and clearly outline our work to be in compliance with current laws and statutes. We will be going over the specifics of this work as we move through this series. With the nature of this work being something that requires consistency of service and continual monitoring, it is easier to have one company you can rely on. This is why the best route to go to make sure you meet HIPAA compliance is to have a managed IT plan.</span></p>
<h2><span style="font-weight: 400;">Benefits of a Managed Plan</span></h2>
<p><span style="font-weight: 400;">With a managed IT plan, you get one price every month, and weekly (or if needed, daily) monitoring of devices. This monitoring includes assessing network security, encrypting data and monitoring backups, and ensuring everything runs smoothly. And of course, this also includes dealing with various IT issues as they pop up. If you are dealing with issues on-demand, avoidable issues are more likely to pop up. And breaches of security can be costly, both in terms of dealing with them and potential fines for breaching HIPAA. In this first article we will be covering monitoring antivirus status. </span></p>
<h2><span style="font-weight: 400;">What Antivirus Monitoring Means</span></h2>
<p><span style="font-weight: 400;">Antivirus monitoring includes other network security measures, not just the local antivirus programs that the term normally refers to. Local programs are an important part, of course, and it is always a good idea to make sure that the software you use is HIPAA compliant. You should, however, be taking other steps to secure physical points of entry as well as networks on which people can access the devices. The first part of this will be making sure that we implement commercially viable antivirus software. Also important is routinely monitoring antivirus status, and making sure that all anti-malware and antivirus software are receiving daily to weekly patches. </span></p>
<h2><span style="font-weight: 400;">What About Physical Protection?</span></h2>
<p><span style="font-weight: 400;">For physical protection, it is important to make sure that you are not storing passwords physically or storing any network details in plain sight. It is also important, of course, to vet any potential employees or companies working with your data and, if possible, to visually monitor workstations. While you should always take reasonable action to ensure safety, that action isn’t always clear cut. This is why help from specialized professionals is always a good idea.</span></p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
