The Year in Review: Healthcare, HIPAA, and OCR

12/17/2014  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security


As we head into the new year, the team at LBMC Security Services is taking a moment to look back at the trends that defined 2014 – and ahead to the issues that will shape the security landscape in the year to come. In this post, we’ll take a look at the biggest currents in the world of healthcare security, including OCR audits for HIPAA compliance.

2014 in Healthcare Security

In the last year, some of the biggest news items in the healthcare security space have been the many data breaches experienced by healthcare organizations. This isn’t a new phenomenon, but in 2014 it became clearer than ever that such breaches represent a massive and ongoing challenge. You don’t have to look any further than the Office for Civil Rights’ “wall of shame” (listing breaches that impacted over 500 people) for a stark picture of the state of healthcare security today. Ever-higher numbers of records have been breached, with an apparent increase in foreign hackers targeting healthcare data. This is a sign that data held by healthcare providers, payors, and business associates has become firmly established as high-value content for attackers. From a security standpoint, this is all the more reason to maintain a high degree of diligence and preparedness. Every organization should take steps to ensure that it has strong security in place, closely aligned with its particular risks and challenges.

The Year Ahead

What lies ahead for healthcare organizations is closely tied to what has come before: namely, the Office for Civil Rights (OCR) will use its pending audits to crack down on organizations with security that isn’t up to snuff. These audits, originally scheduled for late 2014, are likely to be even more focused on ensuring that organizations understand where their particular risks lie. Moreover, OCR will push businesses to put mitigations in place to detect and respond to threats that are growing more prevalent in the healthcare space. OCR’s regulatory and audit activity has reportedly been delayed for technical reasons, but we anticipate that when the audits begin, there will be a historically unprecedented level of scrutiny on healthcare organizations. Other than the initial pilot audit program, there hasn’t been any random audit activity from OCR so far – and so the coming wave of evaluation may take many organizations by surprise. Scrutiny from OCR is sure to intensify, along with the consequences when providers, payors, and business associates are found to be out of compliance.

Lessons for 2015

With a variety of new challenges ahead, how can healthcare organizations prepare for the new year? Ultimately, it is crucial for organizations to assess their own unique risks based on the data they collect, the technology they use, and the challenges they face. It is essential to understand where all of your data “lives” and how sensitive it is in order to make sure that all of your data assets are addressed in your risk assessments. Here is a list of the top priorities for a number of our healthcare clients for the coming year:

  1. Revisiting the risk assessment to ensure that all information assets (e.g., mobile devices, media, medical devices, and copiers) are included.
  2. Cataloging all business associates and vetting the quality of their security programs.
  3. Improving vulnerability management and the timeliness of security patching.
  4. Enhancing monitoring of networks and systems with tools like Intrusion Detection/Prevention Systems (IDS/IPS) and Security Information and Event Management (SIEM).
  5. Formalizing incident response plans and procedures and integrating those plans with the organization’s breach reporting procedures.
  6. Educating users to be more savvy guardians of company data, particularly to help them recognize phishing attempts and delivery mechanisms for malware.

Today, healthcare delivery systems rely on cloud computing and service providers more than ever, so it is important that all parties have assurance that their business associates and partners are doing their part to protect PHI. For organizations that are placing proper emphasis on their security programs, there are effective reporting tools available to help tell that story to their customers and business partners. Those tools include:

  • Service Organization Control (SOC) reports
  • HITRUST certification

By allowing independent auditors to examine and report on your controls, your organization can communicate its commitment to safeguarding health information with customers and prospects. This is a powerful way to differentiate your firm in the marketplace – and it’s only going to become more powerful as data security becomes a more and more prominent issue.

Learn more to prepare your firm for the upcoming OCR audit in the new guide, OCR Audits Demystified. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!

Posted in: Healthcare