Security should be a high priority for any business sharing information across the internet (or any other digital network). For those who operate under HIPAA, it’s not just something you should do; it’s something you have to do by law.
Recently, we discussed what part of HIPAA covers digital and online assets. Today, we’re going to focus on some of the basic features HIPAA requires. This is by no means a full breakdown, as that would very long, confusing, and attention shattering.
Instead, we’ll discuss on some of the broader areas you’ll want to make sure are covered by your hosting provider and IT team.
The goal is here is to handle PHI (protected health information) appropriately by ensuring three things:
- PHI can only be viewed, edited, and shared by authorized people.
- An individual must be able to access their PHI whenever they choose to.
- PHI must be safeguarded against data loss.
To do so, you’ll need the following…
Data Encryption
Data encryption is the first level of defense for your PHI. This ensures that data can only be accessed through the proper points of access (such as login portals). Should a person or program go around your server controls to break into your system, any data obtained will be undecipherable.
Access Logs
It’s important to know who accesses what data and when they access it. Also, any changes, edits, or additions must be logged. These logs will help prove that compliance has been maintained. Should problems arise, they’ll also help determine the source and what’s been affected.
Typically, access logs should go back as far as six years.
Automated Backup Systems
It’s not just data breaches that you need to protect against. The loss of data can be just as damaging. HIPAA systems are required to make regular, complete backups that are fully encrypted. That way, should your system be breached or destroyed, a backup can be put in place to maintain compliance.
Backup Power
In order to keep information accessible, the power needs to keep running to your servers and systems at all times. Backup power is required to prevent against potential outages and ensure that PHI can always be accessed.
System Updates
Outdated software or hardware systems can be a common cause for both technological issues and breaches in security. Any server, network, OS, or device that’s involved in the handling of PHI must stay up to date.
Depending on the complexity of your network, this can be quite an undertaking.
Password Compliance
Weak passwords are very dangerous for any system. In fact, they’re the most common causes for data breaches. In the case of HIPAA, weak passwords aren’t just a liability; they can violate policy. Organizations operating under HIPAA must have systems implemented for “creating, changing, and safeguarding passwords”.
The specifics of how you go about doing this can vary. What matters most is that you have an established system that everyone follows.
Still, using complex passwords and changing them frequently aren’t always enough. Even when strong passwords are used and regularly changed, you can still be vulnerable to brute force attacks (programs that randomly generate characters until the right password is entered).
To truly protect yourself, you need additional security measures in place that signal warnings and lock-out hackers before they can break your password.
When It Comes to HIPAA, You Can’t Plead Ignorance
Whether you understand all the specifics of HIPAA requirements or not makes little difference. You’ll be penalized all the same. Failure to comply with HIPAA rules will put you under the enforcement of the Office for Civil Rights of the Department of Health and Human Services (or OCR).
An individual HIPAA fine can be as much as $50,000. An organization can be fined as much as $1,500,000 per violation category in a single year. On top of that, you may face civil lawsuits from people affected by any breaches or data losses.
This is enough to crush many large companies let alone the small ones. The best protection against this happening is by leveraging the assets, knowledge, and experience of a company like DataYard.
At DataYard, we provide dedicated cloud hosting, cybersecurity services, and colocation services that can meet the strictest areas of HIPAA compliance. We house are cloud servers in Dayton, Ohio where they are protected against outages, breaches, and data loss.
Additionally, our IT expertise enables us to consult, advise, and directly assist you in maintain HIPAA compliance across the rest of your systems.
Contact us today and make sure you maintain compliancy.
