5 sensible things you can do to ensure your IT is secure (and HIPAA compliant)
As a HIPAA Security & Compliance specialist, I have seen that a large number of practices are still unsure about how to address the basics of security. Regardless of your point of view about the sensibility of HIPAA, the act does require a number of information security fundamentals that make good sense for any type of business. The following are 5 things that you should be doing to protect the confidentiality, integrity and availability of sensitive data (and comply with HIPAA).
1. Encrypt your laptop / MacBook
Forgetting HIPAA for a minute, how would you feel if a laptop containing sensitive personal or patient information was lost or stolen? Encryption technology ensures that no one except an authorized user can access files or information contained on a laptop. The cost of about 2 dollars per laptop per month is well worth the benefit of ensuring that you are keeping sensitive information safe. Oh, and HIPAA says that if you lose a laptop that is encrypted and password protected you don’t even need to report the breach!
2. Check that all PCs and Macs have up-to-date antivirus software
Antivirus programs ensure that your servers, PCs and Macs can recognize a virus when they see one and stop it from compromising the device. Unfortunately, new viruses are created every day, so it is critical for antivirus software to be up-to-date and fully functioning at all times. Windows-based laptops have long been the focus of virus attacks; however, Macs also get viruses, and as their popularity continues to rise so does the number of people trying to exploit unsuspecting Mac users. Make sure all PCs and Macs have up-to-date antivirus software. An antivirus solution with a central dashboard makes the most sense for organizations with multiple users because it allows you to quickly review all laptops and confirm that the antivirus program is running. The cost is about 2 dollars per laptop per month.
3. Make sure you have a business class firewall
A firewall is a device that sits between your network (servers, PCs, Macs, and mobile devices) and the Internet. It should act as a locked door that allows people you trust to come and go, while denying access to unauthorized users. Firewalls are readily available at Best Buy and other computer stores, but not all firewalls are appropriate for your needs. You should have a firewall designed to protect sensitive data that can log the comings and goings of users. Consider it a cyber sign-in sheet to create an audit trail of who has accessed your systems from outside your office. It is best to have a professional install the firewall so he/she can set up a monthly report that provides you or your staff with an audit trail to review.
4. Check that you have an appropriate and working backup solution
Most organizations have backup solutions in place to ensure that a laptop or server failure doesn’t result in the loss of important information. As with firewalls, not all backup solutions are appropriate. Similar to laptops, backup solutions should encrypt data to protect against loss or theft. Choosing a backup solution that can automatically send the backups off-site is likely consistent with your disaster recovery plan. (If you don’t know whether you have a disaster recovery plan, I highly recommend looking into this as well!) Just having the right backup solution in place isn’t enough. It’s important to test your backup at least twice a year (and preferably more frequently) to ensure that it is actually backing up everything you expect it to and that this information can be properly restored from the backup. Don’t wait until you need it to find out whether it is working correctly!
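As an added illustration of the restore test described above (this is example code, not part of the original post), the following Python script backs up a constructed sample directory, restores the archive to a scratch location, and compares SHA-256 digests file by file, flagging anything missing from or altered in the backup. The directory names and sample records are made up for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def make_backup(source: Path, archive: Path) -> None:
    """Stand-in for the real backup job: a compressed tarball of the source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def verify_backup(source: Path, archive: Path) -> dict:
    """Restore the archive to a scratch directory and diff it against the live source."""
    expected = manifest(source)
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe extraction filter where this Python version provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
        restored = manifest(Path(restore_dir))
    missing = sorted(set(expected) - set(restored))
    corrupt = sorted(p for p in expected if p in restored and expected[p] != restored[p])
    return {"missing": missing, "corrupt": corrupt, "ok": not missing and not corrupt}


def demo() -> tuple:
    """Constructed sample data: a tiny records tree, backed up and then checked twice."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "2023").mkdir(parents=True)
        (src / "2023" / "visits.csv").write_text("id,date\n1,2023-01-05\n")
        (src / "policies.txt").write_text("backup tested twice a year\n")
        archive = Path(tmp) / "records.tar.gz"
        make_backup(src, archive)
        first = verify_backup(src, archive)
        # A file created after the last backup run is exactly what a restore test should catch.
        (src / "2023" / "labs.csv").write_text("id,result\n1,normal\n")
        second = verify_backup(src, archive)
    return first, second


if __name__ == "__main__":
    print(demo())
```

Run it twice a year against the real archive and keep the report; the output doubles as the evidence that item 5 below asks you to document.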
5. Document all of the above
This tends to be the one item that organizations balk at as unreasonable. The biggest reason I have seen for why documenting appears unreasonable is that an organization has chosen low-cost technologies that don’t support doing this. So while the free encryption tool or the low-cost antivirus software may have seemed like a good deal, they did not come with any of the valuable, time-saving administration features that allow them to be efficiently managed. With these low/no cost solutions, you generally have to physically go and look at each device to get the information needed. Business class tools come at a premium because they require less time to manage. As a result, they actually have a lower total cost of ownership!
Do you read all of the above and feel like you have these basics conquered? Nice work. While this is not meant to be a complete list of everything you might need to be doing, it is a very good start. Now that you have all of this in place and documented, do you have a process tied to your policy that assigns responsibility to a staff member to ensure these systems are working effectively? HIPAA requires that you have a process to regularly review your own compliance. Said differently, what minimal investment in time are you making to ensure that your technical investments are working properly? This will be the focus of my next topic: “What ongoing activities are necessary to ensure that your sensitive data remains protected (and that you remain HIPAA compliant)?”