inadequate security policies each covered entity and business associate must have written polices...
TRANSCRIPT
INADEQUATE SECURITY POLICIES› Each covered entity and business associate
must have written polices that cover all the Required and Addressable HIPAA standards
› How to Mitigate: ♦ Write it down! Even if you feel your security practices
are weak, if they are documented that is a huge step for compliance.
♦ You can start with template policies but these will not represent what you do. Modify them to your practices.
♦ Hire someone to help you perform a basic risk assessment and document it.
CLOUD COMPUTING› More and more organizations are putting their
networks “in the cloud.” If the network fails, the entire system is unavailable for the entire organization. Cloud systems are not maintained in the office and access controls need to implemented.
› How to Mitigate: ♦ Have a business continuity plan in place. Consider
the need for redundant systems. ♦ Make sure your organization understands and has a
service level agreement in place. ♦ Understand who may have access to your equipment
and networks.
UN-PATCHED SOFTWARE› Un-patched software leaves programs and
systems open to vulnerabilities.› How to Mitigate:
♦ Stay up to date on patches. ♦ Secure firewalls in place on an organization’s
network.♦ Run virus protection software and enable automatic
updates.
USERS WITH ADMINISTATOR RIGHTS ON THEIR COMPUTERS› Administrator rights gives the user the ability to
install software and make changes to the operating system.
› How to Mitigate: ♦ Give users the minimum privileges they need to do
their job.♦ Have a limited number of people be responsible for
software installation and maintenance.
GENERATION-Y FACTOR› A new generation of workers enters the field
who have grown up with technology and are known as the “click-through” generation. This generation has always had access to technology and the Internet and tends to accept or ignore risks.
› How to Mitigate: ♦ Strong controls over Internet browsing and frequent
employee education.♦ See Risk Number 7
SECURITY BACKLASH› Organizations stop implementing or weaken
security policies because employees and customers feel it’s too hard and time consuming to comply with current policies.
› How to Mitigate: ♦ Employee education about the risks of security and
not just on what they have to do. ♦ Complete training for employees and customers on
the security tools in place to ease the strain of use.
MEDICAL IDENTITY THEFT› Patients may divulge too much information to
the public or to their friends and family members. Social networking sites pose a risk of phishing for sensitive information, posing a risk of data breeches (HIPAA). Patients also share their insurance or the records are stolen.
› How to Mitigate: ♦ Create policies and procedures for patient
identification.♦ Educate patients on proper steps for reviewing
medical information and claims from Explanations of Benefits.
MOBILE DEVICE SECURITY› Employee or Employer owned cell phones,
smart phones, and tablets connect to networks and have company information on them.
› How to Mitigate: ♦ Require a password to access the device. ♦ Install GPS on the device to locate it if the device is
lost or stolen. ♦ Encrypt e-mail and other company data.
LAPTOPS AND REMOVABLE MEDIA› The portable nature of laptops and removable
media make them a huge threat if PHI is contained on them. Some of the biggest breaches for HCOs have come from lost laptops, flash drives and backup tapes.
› How to Mitigate: ♦ In real estate it’s location, location, location. In this
case the most important thing is encryption, encryption, encryption;
♦ But also education.
And the number 1
security risk is…
THE THREAT FROM INSIDE› The risk of a compromised system, data breeches,
or simply a “curious” employee. Some of the most dangerous attacks come from the inside. These attacks can be the most devastating, due to the amount of damage a privileged user can do and the data they can access. Plus they are very hard to detect.
› How to Mitigate: ♦ Strong access controls. Base network access on job
requirements.♦ Consider background checks. ♦ Provide reasonable access to facilities. ♦ Employee security training.♦ Let employees know that all actions are logged and
can be audited.