
2015 Outlook: Healthcare, HIPAA, and OCR

01/14/2015  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security



2015 promises to be a transformational year for healthcare security, a field that is no stranger to major change. As healthcare organizations look ahead, one question resounds: how can we be ready for what's next?

OCR Audits Will Arrive

When it comes to healthcare security, one thing is certain: this year will be defined by the forthcoming audits from the Office for Civil Rights (OCR). Many organizations will not be prepared, even though the audits and related regulatory activity were delayed from an original target of late 2014 because of technical issues. We expect OCR to apply new levels of scrutiny and enforcement in order to identify each healthcare organization's particular risks, and to take measures to ensure that covered entities and business associates mitigate those risks and respond to rising threats. The attention and enforcement actions from OCR are likely to be on a scale that U.S. providers and other covered entities have not seen before, and they will take many by surprise. Organizations found not to be in compliance with HIPAA requirements may face serious consequences.

How should organizations prepare? There are important and straightforward steps that every organization can take.

Steps for Audit (and Threat) Readiness

Fortunately, many of the steps we advise for preparing for OCR's audits are steps that any organization should undertake as part of a comprehensive and effective security strategy:

  • Conduct a risk assessment (or review a prior one) to verify that every asset that stores, processes, or transmits PHI has been covered. In addition to traditional targets like PCs and servers, this includes mobile devices, removable media, medical devices, copiers and printers, and other networked equipment.
  • Identify all business associates, confirm that a business associate agreement (BAA) is in place with each, and verify that their own security is up to par.
  • Train employees on security issues so that they recognize threats such as phishing, social engineering, and common malware delivery methods.
  • Use tools like Intrusion Detection/Prevention Systems (IDS/IPS) and security information and event management (SIEM) to monitor networks more effectively, and retain the resulting logs long enough to reconstruct an incident.
  • Verify that security patches are applied in a timely manner, including on medical devices and other systems that cannot follow the standard patch cycle and therefore need compensating controls.
  • Ensure that the organization has a detailed, documented incident response plan that is integrated with its HIPAA breach notification procedures.

These measures work together toward a common set of goals: identifying the risks particular to the organization and establishing the scope of the security challenge by determining which data assets must be protected. From this foundation, healthcare providers and business associates can formulate an effective approach to prevent, detect, and respond to threats.

Reporting More Effectively

Ultimately, all parties that handle protected health information (PHI) must work together to protect it, especially as electronic records become more common in 2015. Fortunately, there are tools available to help healthcare organizations demonstrate that they are providing the best possible security. With Service Organization Control (SOC) reports (for security controls, the SOC 2 report), an independent auditor examines an organization's controls; the resulting report identifies areas that need improvement and attests to the organization's security efforts. HITRUST CSF certification similarly verifies that an entity has implemented a prescriptive set of security controls that goes beyond what HIPAA itself requires, and it signals an organizational commitment to protecting patients' data.

2015 will be a year of in-depth assessment, and we anticipate that it will be another year of damaging and costly cyber-attacks. But if healthcare providers and their business associates analyze and prepare for the risks, they can mitigate them, or avoid them altogether, and enjoy success in the new year.

Learn more about preparing for the upcoming OCR audit in our new guide, OCR Audits Demystified. Follow us on LinkedIn and on Twitter at @lbmcsecurity, or contact us to learn how the LBMC Information Security team can help your team armor up with a wide range of network defense services.
