Here are 7 factors potentially affecting your HIPAA Risk Assessment:
International criminal organizations attacking IT systems
This summer, the healthcare system was the target of hackers operating worldwide. In the Community Health Systems security breach, 4.5 million patient records and 206 hospitals were put at risk. This incident spotlighted the vulnerability of hospitals to attack from sophisticated criminal elements.
The seemingly unlimited resources criminal organizations can devote to penetrating safeguards require constant monitoring and agility from security personnel. Contingency plans for responding to breaches and communicating about them need to be part of the security regimen.
The costs of repair for this recent breach are estimated at $75 million. Proactively establishing a protocol to defend against attacks can avoid the expense of HHS fines, lawsuits and identity theft protection for affected patients.
Staying current to meet Meaningful Use regulations
When your organization accepts Meaningful Use payments, it must show meaningful use of its EHR technology, ranging from recording patient information to exchanging summary care records. The auditor will request the most recent documentation for attestation. Funding for Meaningful Use is tied to the HIPAA risk assessment: you must provide evidence of progress or risk having to return the Meaningful Use funds you have received.
To receive an EHR incentive payment, providers have to show that they are “meaningfully using” their certified EHR technology by meeting certain measurement thresholds that range from recording patient information as structured data to exchanging summary care records. CMS has established these thresholds for eligible professionals, eligible hospitals, and critical access hospitals (CAHs).
Storing data in the Cloud
Incorporating cloud storage for your data creates additional risk. Data in the cloud relies on the integrity of the supplier's system. Hackers have been able to penetrate cloud systems, putting patient data in peril regardless of the encryption and firewalls your organization has in place.
Ubiquitous use of mobile devices
In this era of bring-your-own-device (BYOD), the possibility of an employee breach has expanded. Mobile apps allow access to private information such as electronic health records. Staff involved in home health care and outside clinics now routinely use mobile devices to access the health care network.
In response to this risk, organizations are incorporating remote device wiping, along with access methods that let staff view information without downloading personal health records to their device.
Dealings with business associates
Beginning September of this year, the HIPAA Privacy, Security, Enforcement and Breach Notification Rules require covered organizations to upgrade all business associate agreements to comply with the modified rules that took effect in 2013.
These rules classified more vendors as business associates, and under them business associates are directly liable for breaches. This change has complicated vendor arrangements and made some vendors reluctant to sign their contracts.
Responding effectively to both federal and state statutes
Changes in state laws must be considered when implementing HIPAA regulations. Navigating these changes (such as behavioral health record-keeping requirements) while maintaining federal compliance adds a further level of complexity.
Successfully addressing the potential for serious breaches
As the number of breaches soars, healthcare organizations need to design robust defenses against intrusion. Hospitals are being challenged to keep on top of, and effectively handle, a wide range of vulnerabilities. Personnel responsible for security and privacy are being asked to do more, and their efforts are being closely scrutinized.
Risk Analysis requires monitoring and timely documentation of changes affecting the security protocol. Contact us for more information.