Today’s climate of healthcare cybersecurity risks has many organizations feeling vulnerable and ill-prepared to address the daily threats and ongoing compliance requirements. That feeling is magnified as even stricter data protection measures are moving forward (for example, in Washington state).
The U.S. Office for Civil Rights (OCR) notes that many — if not most — healthcare organizations struggle to effectively manage cybersecurity. The OCR reports that organizational failure to conduct an accurate and thorough risk assessment and analysis is one of the most frequent violations of the HIPAA Security Rule (based on fines and resolution agreements).
Update to Health Sector Cybersecurity Framework Implementation Guide
In March 2023, the Administration for Strategic Preparedness & Response (ASPR) issued an update to the Health Sector Cybersecurity Framework Implementation Guide. In addition to risk analysis, the update highlights the importance of a broader, more collaborative approach to risk analysis that will enhance the ability to effectively identify and manage organizational risk, safeguard patient privacy, and protect business value.
Protecting Patient Information From Healthcare Cybersecurity Risk
There isn’t a one-size-fits-all solution to healthcare cybersecurity risk due to the complexity of HIPAA compliance and the overwhelming need for improving cybersecurity preparedness. There are distinct advantages to sharing patient information, but it means everyone in the healthcare organization plays a role, including compliance teams. Below, find three key compliance activities that help protect patient information.
1. Provide Staff Training
The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for shielding electronic protected health information (ePHI). This includes ensuring compliance by their workforce. Many healthcare compliance teams require training related to cybersecurity to document their efforts.
Using an online learning management system, healthcare organizations can greatly simplify training assignment, completion, and reporting. When choosing a compliance learning provider, ensure the courses will meet established standards and that there are a variety of training options. MedTrainer offers a four-course microlearning series (each course is 10 minutes) on the following topics:
- The HIPAA Security Rule
- Cybersecurity & HIPAA: Electronics and Cloud-Based Systems
- HIPAA Compliance & Cybersecurity: Protecting PHI
- Cybersecurity & HIPAA: Ransomware, Phishing, and Cyberattacks
2. Collaborate to Identify Risk
As explained in the Health Sector Cybersecurity Framework Implementation Guide updates, staff can provide excellent perspectives regarding cybersecurity risk at the point of care. By including a wide range of employees in your risk analysis, you can more easily identify healthcare cybersecurity risks. For example, employees can point out on computer screens where protected health information (PHI) can be seen by patients. It’s a simple fix to add a privacy screen, but you can’t fix what you don’t know about.
3. Conduct a HIPAA Security Risk Analysis (SRA)
The HIPAA Security Rule requires covered entities to conduct a risk assessment of their healthcare organization. Plus, all providers who want to receive electronic health record (EHR) incentive payments must conduct a risk analysis. The Security Risk Analysis (SRA) will reveal which improvements are urgently needed in order to enhance cybersecurity and staff awareness.
You can conduct a full SRA when you adopt an EHR, and thereafter, annually review and update the prior analysis based on changes in risks. Providers are able to conduct this assessment on their own using an online self-assessment tool. MedTrainer has incorporated the SRA into its platform so you can keep all your compliance information in one place. There is also a 15-minute training available through MedTrainer Learning.
Tips for Conducting an SRA
The first time you conduct a Security Risk Analysis (SRA), it may seem a little difficult to answer each question with 100% confidence — but that’s alright. Getting through the process for the first time is a great starting point. The SRA provides the framework for understanding Vulnerabilities, Threats, and Risks applicable to your organization. The intent of the SRA is to perform an analysis on an annual basis or anytime there is an incident or new threat discovered.
The SRA begins with answering basic questions about your organization and ensuring that you have identified all of the equipment that is capable of receiving, storing, and transmitting ePHI.
Why is this important? Computers, servers, fax machines, copiers, and many types of medical equipment can store PHI.
TIP 1: Keep an inventory of all electronic equipment and maintain a system to identify and manage all electronic equipment from the point of entry, how it is secured, assigned, and ultimately disposed.
TIP 2: If personal smart phones and tablets are used by providers or staff, make sure to have clear policies on accessing, storing, and sharing PHI.
TIP 3: A trusted service that has actual or potential access to PHI should always have a written Business Associate Agreement (BAA) and transparency regarding how the business associate (BA) will protect PHI. Proper staff training at both organizations will help to create awareness and accountability.
TIP 4: BAs should be ready and willing to verify that staff have been properly trained and that access to systems and equipment are monitored to ensure patient information is used for the intended purpose. BAs are directly liable for breaches.
TIP 5: MedTrainer’s Documents and Policies Management tool is a great mechanism to ensure that HIPAA Security policies are acknowledged and supported by the educational content in MedTrainer Learning.
The risk analysis must take into consideration how PHI is received, stored, and transmitted. An SRA with a score indicating high-risks and vulnerabilities should be taken very seriously. While it’s common for healthcare organizations to have “trusted vendors” that provide equipment or IT services, the SRA may reveal inadequate computer systems, questionable user activity, unconfirmed identities, or unsecure connections between the IT infrastructure and devices.
Once you have completed the SRA, it is important to share it with the appropriate stakeholders and elicit feedback on closing operational gaps to decrease potential vulnerabilities. Making sure that the organization has policies in place as a result of the SRA findings, will help to facilitate a culture of compliance and awareness. This is key to being prepared and knowing how to recover from both natural and man-made (cybersecurity) disasters, should they occur.
Reducing Healthcare Cybersecurity Risk
Healthcare organizations are targeted by cyberattacks because of the volume and value of the information they possess. The compliance team plays a key role in mitigating the risk with planning and training. Use the updates to the Health Sector Cybersecurity Framework Implementation Guide as an opportunity to review your processes, complete an SRA, and ensure HIPAA-related training is up-to-date for all providers.
Imagine the impact of sharing the SRA with everyone in the organization to develop location-specific job aides, simple reporting instructions, and staff engagement on a whole new level!