October 21, 2018
Train, train and retrain is at the top of PrivaPlan’s list of practical solutions for being HIPAA compliant. “Once a year training is never enough,” PrivaPlan President David Ginsberg told attendees of the Colorado Rural Health Center’s (CRHC) annual conference in Colorado Springs.
Ginsberg, who also serves as CRHC Senior Advisor for Health Information Technology, addressed rural hospital and clinic administrators, primary care providers, and quality and technical staff. He led the closing General session on Friday, presenting on “All Things New Meaningful Use: Stage III.”
He also led a breakout session called: “Stay Secure! HIPAA Updates, Phishing, Data, and More” where he was joined by PrivaPlan team member Ron Bebus, and that’s the session we’ll cover in this post.
HIPAA settlements and fines continue
Ginsberg emphasized that HIPAA settlements continue as entities fail to stay compliant, often by not understanding what is required of them. He gave an example of three healthcare organizations who paid hefty settlements to the OCR after a major TV network filmed some of their patients. Their error had been not obtaining HIPAA authorizations, which were required since the video was used for marketing purposes. This oversight not only had financial repercussions for each, but their reputations were also damaged.
Recent phishing escalation
While the biggest risk in phishing attacks remains disgruntled employees, another risk factor involves employees who are multitasking and click on bad links because they’re too busy to be on the alert for scams. This is where regular phishing tests can come in handy to safely catch distracted employees and retrain them to pay attention to what’s hitting their inboxes.
However, phishing attacks are only part of the problem. “While email remains the most common vector, every day thousands of simple penetration attacks occur against your networks,” Ginsberg said.
“Make sure you are asking the right questions every time,” Ron Bebus said explaining that simply monitoring what threats may be hitting your systems everyday is not enough if you are not also making sure your nodes are up to date. It’s also not enough to perform scans on just the majority of your devices; it’s either a 100-percent effort or you risk exposing your data. “You can’t leave any door opened for threats to get in,” he said.
No room for mistakes
“We are constantly surprised at how many innocent mistakes get made that expose networks,” Ginsberg said. “Mistakes and human errors can create an open port or visible website that can be exploited, even years later.”
He provided a list of Practical Solutions for staying HIPAA compliant:
- Train, train and re-train
- Ongoing phishing testing
- Improved firewalls and implementing true intrusion detection and prevention
- Auditing-tools such as Protenus and Netwrix
- Network segmentation
- Endpoint scanning
- Know what you have!!!! This is the most common deficiency we see
- Inventory hardware, software and PHI
- Adopt the new practice of data classification
It does take diligence to stay ahead of those who are working tirelessly to infiltrate and corrupt your data, but there is help available to you. Start by watching our PrivaPlan webinars. To learn more about these and all the ways we can help, contact our HIPAA experts at 1-877-218-7707or firstname.lastname@example.org.