It’s an easy trap to fall into. You haven’t been hit with any fines or warnings about HIPAA compliance violations in all your years of operation, so you must be all set, right? Unfortunately, even the most HIPAA Compliant Providers might be falling short and not even know it. This is especially apparent as the country continues the push towards digitization. Organizations that have been handling paper records for years know the policies and procedures they need to follow in order to protect patient data, but as we trade physical for digital, there are numerous issues that can affect even the most experienced provider. You might think your organization will stay safe as long as you don’t go digital, but that will only hurt your productivity and market share. The move to digital is well underway, and getting left behind will hurt more than the cost of the transition.
To ensure the transition is as smooth as possible, or to validate your current IT Infrastructure Compliance, it is best to work with a reputable provider of Healthcare IT Solutions. If that is not something you are ready to pursue at this time, these are some guidelines to follow to ensure that you keep PHI as safe as possible.
One of my previous employers in the Healthcare Industry was a relatively small Non-Profit focused on Mental Health. While they had their i’s dotted and t’s crossed when it came to Physical PHI Safeguards, Digital Records were left more vulnerable than many Executive Managers realized. The most glaring issue was a lack of a central User Identification system. Like many small businesses that are growing, they went out and bought computers for their staff to utilize. What they didn’t do, however, was implement a secure and centralized User Identification System; instead they set up each computer individually with default (easy to guess) passwords that remained the same for years, even when an employee using the computer separated from the organization. All of these computers had PHI on them in one form or another, and all it would have taken was one accident or malicious employee to garner thousands of dollars in HIPAA fines. Had a central User ID System been implemented, like Active Directory or Amazon Identity Access Management with Workspaces, for example, this could have been avoided.
When dealing with ePHI it is crucial that the data is encrypted in-transit and at rest. While this is not a strict HIPAA requirement, it will save your organization the headache of dealing with a Breach Disclosure and Audit. Encrypting your ePHI will ensure that even if a device containing PHI is lost or stolen (or a malicious Cyber Attack takes place) there is still an additional layer of security protecting the data. On a similar note, it is important that your Network is secured in multiple ways such as up to date Anti-virus software and Firewalls.
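As an added illustration of the two encryption requirements above (not code from this page or from Dunwich Technologies), the script below audits a constructed inventory shaped like the output of EC2 DescribeVolumes, S3 GetBucketEncryption and GetBucketPolicy. It flags any volume or bucket holding ePHI that is not encrypted at rest, and checks whether a bucket policy refuses connections that are not made over TLS (the standard aws:SecureTransport deny statement). All ids, bucket names and key ARNs are placeholders; in practice the same functions would be fed real boto3 responses.

```python
"""Audit ePHI storage for encryption at rest and TLS-only access in transit.

The sample inventory below is constructed for this example; ids, bucket
names and key ARNs are placeholders, not real resources.
"""

# Constructed sample: two EBS volumes, one encrypted and one not.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa000000000001", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:key/placeholder-key-id"},
    {"VolumeId": "vol-0aaa000000000002", "Encrypted": False},
]

# Constructed sample: bucket name -> ServerSideEncryptionConfiguration, or
# None where GetBucketEncryption reported no default encryption at all.
SAMPLE_BUCKET_ENCRYPTION = {
    "phi-records-placeholder": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:000000000000:key/placeholder-key-id"}}]},
    "phi-exports-placeholder": None,
}

# Constructed bucket policies: one that denies non-TLS requests, one that does not.
TLS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::phi-records-placeholder",
                     "arn:aws:s3:::phi-records-placeholder/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/placeholder-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::phi-exports-placeholder/*",
    }],
}


def find_unencrypted_at_rest(volumes, bucket_encryption):
    """Return one finding per volume or bucket that lacks encryption at rest."""
    findings = []
    for vol in volumes:
        if not vol.get("Encrypted", False):
            findings.append(f"volume {vol['VolumeId']} is not encrypted")
    for name, config in bucket_encryption.items():
        rules = (config or {}).get("Rules", [])
        algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                 for r in rules]
        if not any(algos):
            findings.append(f"bucket {name} has no default encryption")
    return findings


def policy_enforces_tls(policy):
    """True if the policy contains a Deny on all S3 actions whenever
    aws:SecureTransport is false, i.e. plaintext HTTP requests are refused."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("s3:*", "*") for a in actions):
            return True
    return False


def audit_sample():
    """Run both checks over the constructed inventory."""
    return {
        "at_rest": find_unencrypted_at_rest(SAMPLE_VOLUMES, SAMPLE_BUCKET_ENCRYPTION),
        "tls_only": {"phi-records-placeholder": policy_enforces_tls(TLS_ONLY_POLICY),
                     "phi-exports-placeholder": policy_enforces_tls(OPEN_POLICY)},
    }


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(key, value)
```

Both checks are deliberately strict: a bucket with no default encryption rule is a finding even if some objects happen to be encrypted, and a policy only counts as TLS-only if the deny covers every S3 action rather than a subset.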
An often overlooked method of securing ePHI is the compartmentalization of the data from other aspects of your organization’s IT Infrastructure. Setting up your network with a provider like Amazon Web Services makes it simple to provision Virtual Private Clouds that can be tasked to deal with specific types of data. One of your VPCs can be set to only deal with PHI and not let the data flow to another VPC. This VPC would be tasked with the Storage and Processing of ePHI, while your other VPCs can operate normally without the fear of accidental ePHI Breaches.
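The isolation described above is only as good as the network paths that actually exist, so here is an added example (not from this page or from Dunwich Technologies) of a check that verifies a PHI VPC really cannot reach another VPC. It takes data shaped like the EC2 DescribeVpcPeeringConnections, DescribeTransitGatewayVpcAttachments and DescribeRouteTables responses and reports any active peering, transit gateway attachment, or route that leads out of the PHI VPC; it goes slightly beyond the paragraph by also flagging an internet gateway route, since that is another path out of the compartment. The VPC, peering and route table ids are constructed placeholders.

```python
"""Verify that a VPC reserved for ePHI has no network path to other VPCs.

Input structures mirror boto3 EC2 describe_* responses so the same function
can be run over live output; the sample data here is constructed.
"""

PHI_VPC_ID = "vpc-0phi000000000001"  # constructed placeholder for the ePHI VPC

# Constructed sample: one active peering from the PHI VPC (a gap) and one
# that was already deleted (ignored).
SAMPLE_PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-0aaa000000000001",
     "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": PHI_VPC_ID},
     "AccepterVpcInfo": {"VpcId": "vpc-0gen000000000002"}},
    {"VpcPeeringConnectionId": "pcx-0aaa000000000002",
     "Status": {"Code": "deleted"},
     "RequesterVpcInfo": {"VpcId": PHI_VPC_ID},
     "AccepterVpcInfo": {"VpcId": "vpc-0gen000000000003"}},
]

# Constructed sample: a transit gateway attachment that belongs to a
# general-purpose VPC, not the PHI VPC, so it is not a finding.
SAMPLE_TGW_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-0bbb000000000001",
     "VpcId": "vpc-0gen000000000002", "State": "available"},
]

# Constructed sample: the PHI VPC's route table carries a peering route and
# an internet gateway route besides the mandatory local route.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0ccc000000000001", "VpcId": PHI_VPC_ID,
     "Routes": [
         {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "10.20.0.0/16",
          "VpcPeeringConnectionId": "pcx-0aaa000000000001"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ddd000000000001"},
     ]},
    {"RouteTableId": "rtb-0ccc000000000002", "VpcId": "vpc-0gen000000000002",
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"}]},
]

INACTIVE_PEERING_STATES = {"deleted", "deleting", "rejected", "failed", "expired"}


def find_isolation_gaps(phi_vpc_id, peerings, tgw_attachments, route_tables):
    """Return one finding per path that lets traffic leave the PHI VPC."""
    findings = []
    for pcx in peerings:
        if pcx["Status"]["Code"] in INACTIVE_PEERING_STATES:
            continue
        ends = {pcx["RequesterVpcInfo"]["VpcId"], pcx["AccepterVpcInfo"]["VpcId"]}
        if phi_vpc_id in ends:
            other = ends - {phi_vpc_id}
            peer = next(iter(other)) if other else "itself"
            findings.append(f"peering {pcx['VpcPeeringConnectionId']} "
                            f"links the PHI VPC to {peer}")
    for att in tgw_attachments:
        if att["VpcId"] == phi_vpc_id and att["State"] not in ("deleted", "deleting"):
            findings.append(f"transit gateway attachment "
                            f"{att['TransitGatewayAttachmentId']} connects the PHI VPC")
    for rtb in route_tables:
        if rtb["VpcId"] != phi_vpc_id:
            continue
        for route in rtb["Routes"]:
            target = (route.get("VpcPeeringConnectionId")
                      or route.get("TransitGatewayId")
                      or route.get("GatewayId", ""))
            if target == "local":
                continue  # intra-VPC route, always present
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if target.startswith(("pcx-", "tgw-")):
                findings.append(f"route table {rtb['RouteTableId']} sends {dest} "
                                f"to {target} (cross-VPC path)")
            elif target.startswith("igw-"):
                findings.append(f"route table {rtb['RouteTableId']} sends {dest} "
                                f"to internet gateway {target}")
    return findings


def audit_sample():
    """Run the isolation check over the constructed sample."""
    return find_isolation_gaps(PHI_VPC_ID, SAMPLE_PEERINGS,
                               SAMPLE_TGW_ATTACHMENTS, SAMPLE_ROUTE_TABLES)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

On the sample this reports three gaps: the active peering, the route that uses it, and the default route to the internet gateway. The deleted peering and the other VPC's route table are correctly ignored. An on-premises equivalent of this check would be reviewing the firewall rules and VLAN routing between the PHI segment and the rest of the network.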
If you are still working with an On-Premises IT Solution, you need to be sure that your IT department is ensuring that all PHI is processed and stored on compartmentalized servers that are completely separated from other aspects of your network.
Remember, not only would a breach negatively affect your Finances and Reputation, it will also leave vulnerable the same patients you are working to protect. If you are a small healthcare provider early in your operations, this is the best time for you to build a solid IT Infrastructure that will stay HIPAA Compliant as you grow. This will save you a serious amount of tech debt that you might incur if you wait until you are a large provider to begin correcting the Compliance shortcomings of your Infrastructure.
If you don’t have the time or resources to devote to cybersecurity that an established provider might have, reach out to us at Dunwich Technologies for a free consultation. We will take a look at your current IT Operations and Infrastructure and let you know how you can improve and avoid HIPAA Violations down the road.