HIPAA is a huge regulation, but it doesn’t have to be scary. The HIPAA Security Rule is only 9 pages long and it is in plain English. The goal of HIPAA is to reduce risk to protected health information (PHI). We do this by getting a risk baseline, developing a game plan for remediation or improvement, and acting on those things to reduce gaps in your security posture.
The Security Rule says that covered entities and business associates must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
Cyberstone can help healthcare organizations meet this requirement by performing both risk and vulnerability assessments.
The Security Rule also requires rock-solid written information security policies (also called plans). Some of the required policies are (1) sanction policy, (2) incident response plan, (3) data backup plan, and (4) data backup plan. Organizations not only have to have these policies in place, but they should be updated any time there’s a significant change to the organization chart or the technology within the environment. For example, if there is a restructuring of departments, a merger, an acquisition, a move to the cloud, or the implementation of a new ERP system, policies should be updated to reflect the new environment.
HIPAA-regulated organizations are also required to train all staff, including management, on security best practices. We offer a completely online training platform that addresses this HIPAA need but also takes it a step further. We ensure employees are trained, but we also test them with periodic email phishing to see how effective the training is and if there are opportunities for retraining specific employees.
Even if a company is already HIPAA compliant, the cybersecurity needs are recurring in nature. Compliance today doesn’t mean compliance tomorrow or next year. It’s an ongoing process and Cyberstone is here to guide organizations through it.
