Cybersecurity

HIPAA Cybersecurity Compliance
Best Practices, Cybersecurity, HIPAA

Navigating the Complex World of HIPAA Cybersecurity Compliance

September 27, 2023 Comments Off on Navigating the Complex World of HIPAA Cybersecurity Compliance

September 27, 2023 Healthcare organizations handle a tremendous amount of sensitive data, from patient records to financial information. The Health Insurance Portability and Accountability Act (HIPAA) serves as the regulatory framework that outlines the need for stringent cybersecurity protocols to safeguard this data. Compliance with HIPAA isn’t just a legal obligation; it’s also a critical aspect of building trust with patients and stakeholders. This article will dive deep into the facets of HIPAA cybersecurity compliance, offering a comprehensive guide for healthcare organizations seeking to align with these standards. What is HIPAA? Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) aims to streamline healthcare transactions, reduce healthcare fraud and abuse, and ensure patient information remains confidential. Over time, HIPAA has evolved to address the modern complexities of digital healthcare data, most notably through the Privacy and Security Rules. HIPAA Security Rule The Security Rule outlines the guidelines that healthcare organizations must follow to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). It is broken down into three main categories: Importance of Cybersecurity in HIPAA Compliance Cybersecurity in healthcare is not just about preventing unauthorized access; it’s about building a layered defense mechanism that addresses vulnerabilities across various entry points. Failing to comply can result in hefty fines, legal repercussions, and loss of reputation. Core Principles for Compliance Risk Analysis and Management HIPAA requires healthcare entities to conduct periodic risk analyses to identify potential vulnerabilities. Effective risk management plans should include a multi-layered security approach, such as the use of firewalls, antivirus programs, and encryption protocols. Abyde: Your HIPAA Compliance Partner Navigating the intricacies of HIPAA compliance can be daunting. That’s where Abyde comes in. As a leading HIPAA and OSHA Compliance SAAS Company, Abyde offers HIPAA-compliant software designed to simplify compliance, enabling healthcare organizations to focus on what they do best—providing quality care. With features like automated risk assessments, staff training modules, and continuous compliance monitoring, Abyde is the go-to solution for any organization seeking to secure its electronic healthcare data while adhering to regulatory standards. Employee Training Employees often serve as the first line of defense against cyberattacks. Organizations should provide regular training on recognizing phishing emails, using strong passwords, and securing mobile devices with ePHI access. Access Control Under HIPAA guidelines, only authorized individuals should have access to ePHI. This requires stringent access controls, including unique user identifications, emergency access procedures, and regular audits. Data Encryption Encrypting data in transit and at rest is crucial for protecting sensitive information. While HIPAA does not mandate encryption, it is considered a standard practice in safeguarding ePHI. Incident Response In case of a data breach or unauthorized access, healthcare organizations must have an incident response plan that outlines the steps for reporting the breach, identifying the scope, and taking corrective actions. Tools and Technologies Compliance Monitoring and Audits Maintaining continuous compliance requires ongoing monitoring. Regular internal and external audits can help identify areas of improvement and validate that existing safeguards are adequate. Conclusion HIPAA cybersecurity compliance is a complex but indispensable aspect of healthcare management. By understanding the intricacies of the HIPAA Security Rule and implementing a robust cybersecurity framework, healthcare organizations can protect sensitive data, avoid penalties, and, most importantly, earn the trust of their patients and stakeholders. Given the evolving nature of cybersecurity threats, compliance is not a one-time endeavor but an ongoing commitment. Organizations should always stay updated with the latest HIPAA amendments and cybersecurity best practices to ensure that they remain compliant and secure. Recommended Resources By keeping up-to-date with compliance requirements and embracing a culture of continuous improvement, healthcare organizations can confidently navigate the complicated landscape of HIPAA cybersecurity compliance. Contact Abyde today for a complimentary risk assessment consultation by clicking HERE.

No Practice Too Big
Cybersecurity, Fines, HIPAA

No Practice Too Big

May 11, 2023 Comments Off on No Practice Too Big

May 11, 2023 Small organizations are prime targets for cyberattacks because they are typically less likely to have robust cybersecurity systems if any at all. Yet Aspen Dental, with over 1,000 offices across the United States, recently fell victim to a cyberattack that disrupted its ability to access scheduling systems, phone systems, and other essential business applications. No organization of any size or industry is immune to cyberattacks. The Aspen Group has not confirmed whether or not patient information was compromised, and is still actively investigating the incident’s scope. The breach was first discovered on April 25 and if it turns out that sensitive, personal information was involved in the incident, Aspen Dental will notify the affected individuals in accordance with applicable laws. The healthcare industry is number one on the list of targets for cybercriminals due to the nature of the industry having massive amounts of sensitive personal data for patients ranging from medical records to credit card numbers to home addresses. Dr. Jay Wolfson, USF Associate Dean for Health Policy and Practice said, “Healthcare is the richest source of data for poor people looking to commit fraud and get data on people.” According to a report from healthcaredive.com, 385 million patient records have been exposed as a result of healthcare breaches from 2010 to 2022, emphasizing the critical need for comprehensive security measures like those provided by Abyde’s compliance solutions software. The insurmountable cost of a breach followed by investigations and legalities concerning HIPAA can be detrimental not only financially but also to the reputation of a healthcare entity.  In light of Aspen Dental’s breach, it is evident that using a Compliance-as-a-Software like Abyde’s would have significantly reduced the risk of a cyber event. Abyde’s software offers a comprehensive solution to help healthcare organizations maintain compliance, safeguard sensitive patient information, and ensure the safety of business operations. Investing in such preventative measures allows healthcare organizations to protect themselves from devastating cybersecurity incidents and the endless headache that is sure to follow. This incident goes on to prove that there is no practice too big for compliance.

ChatGPT and HIPAA
Best Practices, Cybersecurity, HIPAA

ChatGPT & HIPAA: A Quick Guide on What You Need to Know

April 26, 2023 Comments Off on ChatGPT & HIPAA: A Quick Guide on What You Need to Know

April 26, 2023 If you haven’t heard about ChatGPT over the last few months, you might still be Googling everything!  ChatGPT launched in November 2022 and has taken the internet by storm.  Developed by OpenAI, using artificial intelligence (AI) technology, it can have human-like conversations while giving you all the details of whatever you may ask it. So we haven’t seen it be able to make you dinner just yet. Still, it has successfully written computer programming, passed a series of different exams, and written entire feature-length articles. (Wow, I feel like a doting parent!) AI language models are transforming how we approach everyday tasks or complete major projects, and the healthcare industry has even jumped on board the ChatGPT train.  ChatGPT has assisted in scheduling appointments, treatment plan assistance, patient education, medical coding, and more!  While this all sounds exciting and has the opportunity to improve patient care, protecting your patient’s data when using these types of tools will be imperative and should be approached with caution.  So what are some of the red flags to be aware of when it comes to HIPAA compliance: • At this time, OpenAI does not sign a Business Associate Agreement. Therefore, it is not HIPAA compliant. HIPAA regulations require that covered entities only share PHI with vendors who have signed a BAA. This ensures that PHI is protected and that all parties comply with HIPAA laws and regulations. Prior to implementing any AI technology that processes or accesses PHI, covered entities must enter into a business associate agreement with the vendor of such technology.  • Protect PHI when using the chat platform. OpenAI warns against inputting confidential information into the platform. As with many technology platforms, ChatGPT collects information and reviews conversations to improve systems and services. In other words, there is no telling where that data is being stored and, therefore, cannot be protected. Because this platform is not HIPAA compliant, it’s super important to remember not to input any identifiable patient information. When working with PHI, de-identifying or anonymizing data is key to minimizing the risk of a data breach. • Establish access controls and monitor chat logs. To minimize risk, access to chat logs should be restricted to those who need it as part of their job function. Don’t forget to implement written documentation of which employees can access chat logs, and be sure to revoke access if necessary. These chat logs are highly recommended to be monitored and audited to ensure they do not contain any PHI. • Establish Policies and Procedures and train employees. When implementing a new technology, such as ChatGPT, that potentially accesses PHI, policies, and procedures must be implemented to ensure that all appropriate safeguards are in place to support the use of the new technology. Training employees on properly using new technology is also super important. Training should include security best practices, data privacy importance, and incident reporting steps if necessary. • Create and implement an incident response policy. As with any security risk, having an incident response policy is super important to help mitigate risk in the case of a breach. This plan should include procedures for identifying and mitigating the incident, notifying affected individuals, and investigating the cause of the incident to prevent future incidents.  By proactively prioritizing patient privacy and security, healthcare organizations can greatly benefit from ChatGPT and other AI language models. Streamlining administrative work and improving patient outcomes, sounds like a win-win. But, it’s critical that you carefully balance increased efficiency and elevated risks related to patient data privacy. This is new for everyone, so not making drastic changes to your business because of something ChatGPT can do should be considered. Your patients still want human experiences, and that is something ChatGPT can’t take away from you and your staff!How can you stay up to date on the latest compliance trends and news? Contact our compliance experts at Abyde today for guidance on this everchanging technical landscape and see how we can help you be successful in the years ahead!  To book a demo with one of our Abyde specialists, click here or call us at (800) 594-0883

Arizona Cybersecurity HIPAA Fine
Cybersecurity, Fines, HIPAA

Big Fish, Big Fine

February 3, 2023 Comments Off on Big Fish, Big Fine

February 3, 2023 A hacker dropped a line and an Arizona-based nonprofit health system got baited, hook line and sinker. Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a settlement resolving a data breach. The breach, executed by a “threat actor”, disclosed the protected health information of 2.1 million consumers. Ouch!  Outlined by the HHS, the HIPAA violations include: The investigation began back in 2016 after OCR received a receipt of a breach report. The hacker was able to access PHI such as patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medication, diagnoses and conditions, and health insurance information.  As part of the settlement, the hospital paid $1,250,000 to OCR and agreed to a Corrective Action Plan. The plan highlights efforts to resolve their violations against the HIPAA Security Rule.  Before you catch yourself becoming a victim of “here fishy fishy”, make sure all your ducks – or should we say fish – are in a row. As we continue to see the relevance and impact of cybersecurity incidents increase, you should be more alert and secure than ever. And if you’re thinking, well that was a hospital – that could never happen to me, be careful what your next Go Fish card is. Whether you’re a big fish in a little pond or a little fish in a big pond, hackers are targeting healthcare. This particular hospital is facing extensive hours of work to complete its Corrective Action Plan which includes conducting a risk analysis, developing a risk management plan, implementing and distributing policies and procedures, and regular follow-up with the HHS. Conveniently, these are all things Abyde can help with. Reach out today to find out how we can save you over 80 hours a year and a time-consuming Corrective Action Plan down the road.

Easy way to understand ePHI
Cybersecurity, HIPAA

Toothpaste, Baseball, and ePHI

December 2, 2022 Comments Off on Toothpaste, Baseball, and ePHI

December 2, 2022 Covered entities and business associates, like healthcare providers, that use online tracking technology should be aware of their ePHI management to HIPAA standards  OCR Recently Released a Bulletin Outlining the Proper Use of Tracking Tech in Accordance with HIPAA Compliance Have you ever talked about being out of toothpaste at work, and then when you get home there’s an ad for Colgate on your tablet as you decide what to order for dinner? It’s creepy, but it’s efficient. You’ve been targeted and the Colgate marketing department is doing its job. In this example, the transmission of your tracked demographics and shopping habits is not as sensitive as the transmission of your patient’s data.  Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin regarding the correlation between sharing electronic protected health information (ePHI) and online tracking technology. While we aren’t experts in targeted advertising, we are HIPAA experts. There are rules that apply to regulated entities, like you, when collecting information through tracking technologies or disclosing ePHI to vendors you may be working with. The OCR put it plainly, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA rules.”  Do you know if your PHI is being captured through online tracking? Are you monitoring what patient data is being shared with third-party vendors? Even more important, do you use Google Analytics or Meta Pixel – if so, you might want to listen up. Whether you set this tracking up yourself or a third-party agency did, without permissible disclosures from your patients, if their ePHI is shared through the tracking technology, you are putting your practice and patients at risk.  Let’s head around the bases to make sure you’re covering your bases.  Nice base hit – you made it to first. The first thing you can do is ensure you have Business Associate Agreements (BAA) in place with all third-party vendors, especially those who create, maintain, or receive ePHI. While you’re cross-checking if your vendors meet the definition of a business associate, make sure your agreements denote the permitted use case for ePHI.  And the crowd goes wild – way to steal second. Before you think well I’ll just ask the vendor to delete any protected data before they use or save it, that’s not going to cut it. Per the OCR, “Any disclosure of PHI to the vendor without individuals’ authorizations…requires that there is an applicable Privacy Rule permission for disclosure.” Through the Privacy Rule, patients are empowered to have more control over their health information to access and make any changes as needed and boundaries are set on the use and release of health records, including the minimum necessary standard for information disclosures.  A bunt from your teammate gets you over to third – nice work! Before we round out to home, ask yourself if the risk is worth the reward. And if you’re still unsure, check in with your Security Risk Analysis and scorecard – another benefit to Abyde’s ongoing compliance. We work with you to identify the potential risk and exposure associated.  As we make our way to home base, we will summarize with this: if ePHI is involved in any of the data the tracking technology is sharing, HIPAA rules need to be followed. Here are the final words from the OCR, “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.”

HIPAA Internal Communication Dos and Don’ts
Best Practices, Cybersecurity, HIPAA

Internal Communication Dos and Don’ts

October 6, 2022 Comments Off on Internal Communication Dos and Don’ts

October 6, 2022 Have you ever accidentally sent a text to the wrong person? Most of us have and it likely made your heart skip a beat! Now, imagine sending a text and thousands of patients’ health information gets leaked. Talk about a gut-wrenching moment! Speaking of leaks, did you know that over 1.14 million people have been impacted by a protected health information (PHI) breach just last month alone? The leaked data includes names, social security numbers, phone numbers, email addresses, and more. That’s 7% higher than last September!  Internal communications are an efficient means of sharing and exchanging information within the practice. Employees communicate internally through channels like SMS, email, phone calls, and other means through the use of a third-party platform like Slack, Microsoft Teams, Zoom, and Cisco Webex. And while oftentimes we like the thought of quick and easy, it’s crucial to take that extra minute or two and double check that you are using a secure provider for all internal communication.  First things first, if you haven’t already done so, take this as your sign to reach out to your communications provider and ask if they are HIPAA compliant. Many times, companies will have this information available on their website as well. Keep in mind that some providers, like Google and Microsoft, offer HIPAA compliant services in an upgraded package. If you are not using a secure platform, or you are unsure, then you should not be discussing ANY patient information through that method of communication (yes, that includes names!). If you are using a secure, HIPAA compliant provider or application for internal communication, great! The next very important step is to double check that you have a signed Business Associate Agreement.  You may also be wondering about SMS/ text messaging within your organization. Staff members should not be texting each other with information related to patients, even if it is related to scheduling. Keep all work-related communication through your secure provider or application.  Quick reminder! Just because you are communicating internally through a secure provider does not in fact mean you are compliant. You’ll also need to implement security policies and procedures in order to follow best practices. These policies and procedures should include:  It is highly recommended that you consult with your IT professional for best practices on securing all applications in your practice.  Lastly, It’s important to remember that HIPAA is not a barrier law and, in fact, is intended to help you share protected health information securely and efficiently. Being efficient within your practice can help the overall health of your patients and your organization. Having these best practices in place will help you and your team avoid the anxiety of sharing something that shouldn’t be shared.

NIST Updated HIPAA Guidance
Cybersecurity, HIPAA

The National Institute of Standards and Technology (NIST) Updates Guidance on HIPAA Compliance Rules

January 29, 2022 Comments Off on The National Institute of Standards and Technology (NIST) Updates Guidance on HIPAA Compliance Rules

July 29, 2022 You know that exciting feeling when apps have an update that adds awesome new features?! It’s like Christmas morning over here for us at Abyde. The National Institute of Standards and Technology (NIST) just updated its guidelines and added an awesome new feature! After six years, NIST made a significant update by providing guidance to HIPAA-covered entities to follow the HIPAA Security Rule in order to better safeguard patients’ personal and protected health information. Read below to find out what changes were made to the guidelines.  The revised guidance connected HIPAA Security Rule items to NIST Cybersecurity Framework subcategories. The advice remains mostly unchanged, with a few minor structural changes and a renewed emphasis on risk assessments and risk management. NIST Cybersecurity Specialist, Jeff Marron states, “We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs. Our goal is to offer guidance and resources you can use in one readable publication.” NIST recommended the following guidelines for practices: NIST Cybersecurity Specialist, Jeff Marron also stated, “The identification of vulnerabilities or conditions that a threat could use to cause impact is an important component of risk assessment. While it is necessary to review threats and vulnerabilities as unique elements, they are often considered at the same time,”. It is important to note that HIPAA and cybersecurity operate best as a team, and a practice with both will operate smoothly. We all understand the need of HIPAA compliance, but practices must also understand the importance of cybersecurity. The more funding and resources allocated to IT security employees, the better off the firm will be when cyber dangers eventually arise. Satisfying HIPAA and cybersecurity regulations is critical to safeguarding your practice and patients from a data breach or HIPAA violation. While these are undoubtedly items that should be emphasized regardless of the government’s spending intentions, the suggestions by the government and NIST add a sense of urgency to ensuring that these vital protections are in place. With the increasing frequency of cyberattacks going on nowadays, ensuring HIPAA compliance is more important than ever.  We were chatting with our Partner, Darkhorse Tech, and they talked about how HIPAA compliance services provide a framework for security (essential for any dental business), but they do not provide a proactive response to cyber threats. Instead, they provide preventative methods to safeguard your data and keep you in compliance. So in order to have everything covered your practice needs to adopt an additional layer of security, you should no longer rely exclusively on low-quality anti-virus software to defend you. By enlisting the help of specialists who are actively working to prevent an attack before it occurs, reacting to any threats in real-time, and staying up to speed on the current and impending dangers, you can shift your security measures from preventative and reactive to proactive. Darkhorse Tech CMO, Brian Ash, states, “The latest updates to HIPAA make compliance, reporting, and cyber security even more vital for our clients.  While we have been recommending the addition of Abyde for HIPAA compliance for some time, the new guidelines make now the time to commit.  Along with Abyde’s software we are making the addition of a Security Operations Center (SOC) our top priority.  We vetted many options but are recommending Blackpoint Cyber as our SOC of choice.” As we can see, the NIST provided a great update to their Quizlet so that your practice can maintain a good grade in compliance school. So, I think it is time to take a step back and review that NIST guidance so that your practice can always pass the exam! So ensuring that you’re adequately securing this data begins with a thorough knowledge of what needs to be secured and that’s why we have the ideal study partner for you (Abyde) to assist you with all of your compliance needs!

Controlling Access to Your ePHI
Cybersecurity, HIPAA

How Are You Controlling Access to Your ePHI?

July 22, 2021 Comments Off on How Are You Controlling Access to Your ePHI?

July 22, 2021 While there might not be such a thing as a real-life fairy godmother, technology has granted us the power to access a whole world of information with just a click of a mouse. Anything from research, shopping, to chatting with friends is now so simple it almost seems like magic, but this “instant-access” ability is a double-edged sword when it comes to the privacy and security risks that follow in its reign. Now if there’s one industry that truly feels the weight of technologies twofold, it’s healthcare. While sharing, receiving, and storing electronic protected health information (ePHI) is now easier than it ever was before, the heightened number of healthcare data breaches and cyber attacks seen over recent years have identified the ‘Achilles’ heel’ of technology’s power of accessibility. This ongoing battle between ease of access and security risks has been the topic of several Office for Civil Rights (OCR) alerts shared over the past year, and most recently, the main focus of their Summer 2021 Cybersecurity Newsletter.  The newsletter titled “Controlling Access to ePHI: For Whose Eyes Only?” highlights a recent report that found that “61% of analyzed data breaches in the healthcare sector were perpetrated by external threat actors.” So while most healthcare organizations know not to go and give the keys of the castle away to just anyone, technology has made access a possibility for really anyone who has a decent internet connection. But the even more striking statistic featured in the newsletter? It’s not just hackers that you have to worry about, the security incident report also uncovered that 39% of those data breaches were actually committed by insiders. Though most fairy-tales feature an evil villain, these insider breaches aren’t always the result of a malicious act. In addition to the multi-million dollar hacking schemes that we see all too often, are stories of staff impermissibly accessing ePHI or leaving sensitive data unattended. So if you’re wondering how you can best protect your practice, the answer is to have the proper authorization policies, procedures, and controls in place.    When it comes to those necessary policies and controls, the HIPAA Security Rule identifies certain standards and specifications that healthcare organizations are required to implement. The two standards, Information Access Management and Access Control, are administrative and technical safeguards that work in tandem to protect and secure ePHI – but what exactly do they entail? Information Access Management This standard essentially defines how access to ePHI is authorized and requires HIPAA-covered entities and business associates to implement policies and procedures regarding information access. So, what do some of these specific policies include? Access Control In addition to the administrative requirement for access management, Access Control is a technical safeguard that actually limits the availability of that ePHI based on the organizations’ Information Access Management policy. The OCR’s newsletter describes the necessary controls to coincide with the “flexible, scalable, and technology-neutral nature of the Security Rule” and provides a wide range of control mechanisms for organizations to consider and implement where they see fit. They also provide four implementation specifications which include: So as complementary requirements of the HIPAA Security Rule, your organization is expected to have these standards in place to best prevent both outsider and insider threats. And while it would be nice if you could just have a knight in shining armor there to guard your practice from cyber threats and impermissible ePHI access – implementing the safeguards provided above, and ensuring all staff members are trained on proper access, is the next best thing.

Latest OCR Cybersecurity Updates
Cybersecurity

Latest OCR Cybersecurity Updates

July 1, 2021 Comments Off on Latest OCR Cybersecurity Updates

July 1, 2021 With Cyber Security Awareness Month right around the corner, the multiple cyber alerts issued by the Office for Civil Rights (OCR) in the month of June serve as a perfect preamble for the importance of prioritizing data protection all year round. These government-issued Cyber Alerts have become all too familiar in the healthcare industry, with the past year seemingly filled with emergency directives and scam tactics to be aware of. So with healthcare data breaches on the rise and the most recent warnings of a heightened risk of ransomware and IT system vulnerabilities – ensuring your organization has the necessary programs in place is essential to avoid falling victim. What did the most recent Cyber Alerts cover?  In early June, the White House and Cybersecurity and Infrastructure Agency (CISA) released a memo titled “What We Urge You to Do to Protect Against the Threat of Ransomware.” This alert urged healthcare organizations to take appropriate action in protecting against ransomware threats and covered several best practices that providers can take to enhance cybersecurity including: While keeping up with the above steps should be done on a regular basis, the more recent OCR notice covers additional vulnerabilities organizations should be aware of. According to the memo shared on June 25, 2021 – Eclypsium Security Researchers have discovered a vulnerability in the Dell BIOSConnect feature available on over 180 models of consumer and business devices. Dell urges all customers to ensure that their devices are updated to the latest version and provided a full list of impacted devices and steps to address the vulnerability that can be found here.  Additionally, this memo also included an advisory from CISA due to the multiple vulnerabilities found in the ZOLL Defibrillator Dashboard. The agency warns that these vulnerabilities may allow a remote user to take control of an affected system and emphasizes that all organizations should review the ICS Medical Advisory and apply the recommended mitigations.  So now what?  Well, for any healthcare organization of any size – data breaches and cyberattacks are becoming more and more of a concern. Implementing the necessary technical safeguards,  following guidance on ransomware prevention, and keeping all devices and IT systems up to date with the latest version is key to steering clear of heightened vulnerabilities like the ones outlined in recent government memos. Unfortunately, as technology and threat actor tactics continue to evolve, these new and increasing threats don’t seem to be going away anytime soon. So keeping your practice and your patients’ data protected in the long run starts with having both a security AND compliance program in place now.

HIPAA Compliance and Security
Cybersecurity, HIPAA

Compliance and Security: A Match Made in HIPAA Heaven

December 29, 2020 Comments Off on Compliance and Security: A Match Made in HIPAA Heaven

December 29, 2020 Peanut butter and jelly, macaroni and cheese, rock and roll – there’s really no mistaking that some things are just better in pairs. While these might be the obvious examples to tag along with the old 80’s hit “It Takes Two to Make a Thing Go Right”  there’s another dynamic duo that plays an important role in your practices’ daily operations: Compliance and Security.  Compliance and security go hand-in-hand, making the perfect team when it comes to protecting patient data. But falling into the trap of thinking that achieving one means meeting the other can mean double trouble for your practice – so it’s important to understand the differences between the two and how to ensure you’re checking both off your list.  What is compliance? Compliance is kind of like the bread and butter of your practice. It essentially focuses on the regulatory requirements involved in the protection of sensitive patient data – meaning that you not only have a secure technical environment but also have the know-how and documentation to prove it. Compliance is a comprehensive set of standards that practices must meet to avoid fines but should be viewed as more of a baseline when it comes to security, not the end all be all. Complying with HIPAA means meeting various requirements outlined in the HIPAA Security and Privacy Rule – but there’s more to the story when it comes to ensuring that patient data is fully protected.  What is security?  Security is the whole system of policies, processes, and technical controls specific to your practice. The goal of security is to ensure the best possible protection of the confidentiality, integrity, and availability of patient data – which in the age of technology means constantly updating to mitigate the risk of ever-changing threats. When we think of security we often think of locks on practice doors and passwords on computers but those safeguards only brush the surface of true security.  Having the proper technical safeguards in place, and staying up to date on any new threats, such as the recent threat to Microsoft Exchange vulnerabilities knowing how to properly mitigate a potential threat, and staying educated are just some ways to meet your practice’s security needs.   So, what’s the difference?  While both are crucial in protecting patient data, security and compliance are not one and the same. The key distinction between the two is that compliance requirements are a bit more predictable whereas security standards are rapidly evolving with current risks and threats. This, unfortunately, means that even if you check off each of the compliance requirement boxes doesn’t exactly mean that your practice is 100% secure –  which is why you are still at risk for a cyberattack even if you have a complete HIPAA compliance program in place.  Why you need both!  Just like Batman and Robin, when you put the two forces together – they’re pretty unstoppable. And with cyberattackers playing the role of the modern-day villain, establishing strong compliance AND security programs are the best, and perhaps the only way to ensure you’re taking every measure to protect patient data. 

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X