We hate to break it to you, but there's a HIPAA requirement you’re more than likely doing wrong. The Department of Health & Human Services’ Office for Civil Rights (OCR) is cracking down by requiring a true Healthcare Security Risk Analysis.
A HIPAA-required risk analysis includes a risk assessment of patient data, review of policies and procedures, employee interviews for a HIPAA-HITECH audit, a thorough analysis of operational threats, and more. Even more surprising is the lack of risk assessments and vulnerability audits by healthcare organizations' business associates. Remember - anyone who comes in contact with your patient data is also accountable for protecting it.
An in-depth Healthcare Security Risk Analysis isn’t a new HIPAA requirement. OCR simply wasn’t enforcing it like they are now. So, what has changed?
Crisis in Cybersecurity
In 2017, patient data for nearly 5 million people was exposed or stolen as a result of the roughly 300 reported data breaches. That’s an increase from 2016 of more than 200 breaches. That number is expected to continue to grow at an alarming rate in 2018, which is why the OCR is cracking down on enforcing the complete analysis – it’s a healthcare organization’s best shot at discovering all its vulnerabilities and making changes.
Why It’s Not Happening
Most organizations have the best of intentions, but they simply don’t understand the complexity of the HIPAA requirement. They’ve had a network assessment performed or a partial analysis with the expectation that these efforts would satisfy auditors and protect their data. However, in 2017 hundreds of organizations were levied millions of dollars in fines when OCR audits revealed they hadn't fully met the risk analysis requirements.
What Can You Do?
TekLinks’ security team is providing two more opportunities to learn more about the HIPAA Healthcare Security Risk Analysis:
- Where’s My PHI?: We will share how a Healthcare Security Analysis reveals all the places your patient data lives and how it is inadvertently being exposed. Sign up here to receive the blog post in your mailbox.
- Webinar: On Feb. 28, our team of security experts will host the webinar “The Healthcare Breach Epidemic: Is there a cure?” Rarely a week goes by in which we don't hear about a new breach. Join us for a look at ways to combat this epidemic. Register here.