The Healthcare industry experiences a lot more data breaches than any other industry and cyber-attacks are the major cause of these breaches. With the prevalence of cyber-attacks, these data breaches have become consistently high in terms of volume, frequency, impact, and cost.
The HIPAA compliance goes a long way in addressing this issue and protecting medical practices and others in the healthcare industry from cyber intrusions which may pose a threat to Protected Health Information (PHI). Some HIPAA requirements that can specifically assist in curbing cyber-attacks include:
- Install Anti-Malicious Software Updates and Security Patches Regularly
No. 45 Code of Federal Regulations (CFR) 164.308(a)(5)(ii) states that antivirus software and software firewalls should be installed, with regular patching and blocking occurring. Default logins and passwords should be removed from all information technology system and unnecessary services disabled, and ownership permissions should also be set. For larger organizations, network vulnerability scans on systems containing or accessing electronic PHI (ePHI) should occur and intrusion-detection software should be considered.
- Perform (and Re-perform) the Security Risk Assessment (SRA)
As stated in 45 CFR 164.308(a)(1)(ii)(A) All covered entities (CEs) and their business associates are required to conduct an accurate, thorough SRA wherein potential risks to the confidentiality, integrity, and availability to ePHI are evaluated, as set forth by HIPAA's security regulations.
- Save Security Incident Response and Reporting
The Code of Federal Regulations no. 45 CFR 164.308(a)(6)(ii) Recommend CE's to immediately disconnect Wi-Fi and unplug the affected computer from the network during a cyber-attack in order to mitigate damages caused. It is also important to document any response to any security incidents.
- Implement a Remediation Plan
According to the Code of Federal Regulations no. 45 164.308(a)(1)(ii)(B) the remediation plan should grow out of the SRA and be able to identify the highest-risk items in one's organization. It is necessary you set deadlines to complete these items and assign individuals to ensure their completion.
- Manage Passwords
45 CFR 164.308(a)(5)(ii)(D) stated that you should ensure staff members do not share passwords and also set up policies and procedures in place for creating, changing, and safeguarding passwords.
- Provide Workforce with Security Awareness Training
As stated in No. 45 Code of Federal Regulations 164.308(a)(5) Usually these cyber threats exploit the human element therefore every practice needs a training program that ensures everyone with access to ePHI is trained to efficiently reduce the risk of unauthorized access, use, and disclosure of ePHI.
- Have a Data Backup Plan
As stated in 45 CFR 164.308(a) (7)(ii)(A) it is paramount that you back up all information technology systems with sufficient redundancies. Backups should be kept off premises (or be cloud-based) and take note of the critical data needed to be restored quickly to remain operational.