The rules and regulations for HIPAA compliance are quite lengthy. Sometimes a little, innocent mistake could come with a tremendous fine for the violation. It’s enough to keep anyone awake at night.
The general rule of thumb is that it will take you a few years to get up to speed with HIPAA because it’s worse than some of IT government contracting documentations. While it’s important to understand the ins and outs of HIPAA compliance, it’s even more important to hire a team of IT professionals who can help you get a better grasp of HIPAA rules while at the same time protect your data and protect you from costly HIPAA fines.
With that in mind, here are some things you should know about HIPAA regulations and what you need to know about off-site storage and backups.
It’s important to know that it’s not just HIPAA. HIPAA is the overarching regulation, but there is also the HIPAA Security Rule and the HITECT Act as well. Both of those factor into HIPAA compliance, especially the HITECT Act, which was enforced in 2009.
The Health Information Technology for Economic and Clinical Health, or HITECT, Act was enacted as part of the American Recovery and Reinvestment act of 2009, to promote the adoption of meaningful use of health information technology.
The HIPAA Security Rule is dedicated to the protection of electronic Protected Health Information (ePHI).
Before calling a managed services provider to help you with off-site storage and backups, you’ll need to verify the type of data you’re using. There is a lot of data that can go through your office – some of it is covered by HIPAA and some isn’t.
It’s very important to understand the difference. You could end up saving your company a lot of money by running standard backups for some data, but moving the ePHI files into encrypted sites – or the disaster recovery sites, like the ones available at Swift Systems with their virtual data center.
Next, you need to identify the ePHI, when it has to be moved and, once it is moved, it has to be encrypted as it travels through the secure lines. The information that goes through the Internet has to be protected, usually with 128-bit encryption.
You should ask yourself, does your company have a firewall that can handle setting up a site-to-site VPN with a vendor, such as Swift, to the cloud, or will you need the infrastructure to handle it? These are all questions Swift can help you better understand.
It might sound harsh, but it’s true. The human component is the major weakness for HIPAA compliance and it always will be. Not everyone is an IT person and not everyone thinks on the same level as an IT person, even though services providers do their best to educate. You can only educate so much. It’s up to the person to accept and adopt, and if you don’t, you will always have that risk.
It’s important to understand that in facilities that deal with HIPAA compliance (doctor’s offices, different medical offices, etc.), there’s a lot of turnover. A lot of new people come and go. Nurses and other people who work in these offices, in general, don’t have a very high level of IT experience, or they don’t understand what is required in order to do the basics, which is absolutely essential. It’s the first step in this entire process.
You can forget the backups and all of the protection of data outside of your site. What it boils down to, in HIPAA compliance, is not using a Post-It note to put your password on your monitor, which is extremely common. Sometimes nurses will leave multiple passwords with usernames attached stuck to a monitor so any nurse can use anyone else’s login information. This is a major violation of HIPAA compliance rules.
The basic rules of “keep it simple, keep it safe” is absolutely essential. With Swift Systems, we make sure our clients learn about the industry best practices, such as Microsoft Secure Password requirements – a minimum of eight characters, the capital letter, the lowercase letter, the number, and the special character – for all of their passwords. No more using “password1.” There will be no storing of passwords in clear text anywhere on the network or in plain view where anyone could access it. You don’t want people to just randomly walk by, see the password, and log into the system.
On May 12, the WannaCry ransomware attack shut down several hospitals in England and targeted businesses across more than 100 countries. The number of ransomware attacks continue to increase every year.
It’s not just the backups that are affected by ransomware. Any active data is also affected. Swift Systems has partnered with a company called Sophos and uses their antivirus and their firewalls. Swift also has their newest product, Intercept X.
Intercept X is an anti-ransomware program that is not signature based. The program is behavioral. It looks for very specific behaviors of an attack, such as ransomware, where all of a sudden, your files are being encrypted when they shouldn’t be. Sophos looks for these behaviors and the log it has identifies itself as something malicious, immediately puts a stop to it, and rolls back the changes to right before the first change started. That’s how Swift is protecting at the machine and server level against ransomware.
To be fully HIPAA compliant, you must have a business agreement with the client. That’s the first step. There was a lot of talk about cloud backups initially, going back about five or six years ago. There were two big providers – Microsoft Azure and Amazon Web Services.
Microsoft Azure did offer business agreements right off the bat, and therefore were HIPAA compliant. Amazon Web Services would give you the tools you needed to become HIPAA compliant. So, there was a big community discussion regarding that. Having the agreement is the first part.
The environment itself is also important. Confidentiality, the integrity of the network, and security – everything must meet a lot of standards so the data is safe. Whenever you have that backup that’s not in regular use, it has to be protected at a regular level as well.
The data must always remain retrievable. It’s not optional. Just to have a backup, you must be able to retrieve any copy of an ePHI that would be necessary for auditing purposes. It’s important to be able to restore files quickly and accurately.
At Swift, we work hard with any company that comes to us for assistance, especially when it comes to HIPAA compliance. Education is absolutely key, and documentation is also a big part – our engineers document everything.
We also provide industry best practice documentation as well. We can do on-site training. But we like to “train the trainer,” if at all possible, so that they can take what they learn from us and move on throughout their organization. Then, of course, we can move down the line of policies and everything else – monitoring the systems, etc.
If you’re losing sleep at night worrying about HIPAA compliance, we’re happy to help ease those worries so you can get some sleep! Contact us today so we can talk about how to make your office HIPAA compliant.
IT systems are foundational to modern businesses. Too often, that foundation is unsteady. Unpredictable outages, insecure networks, and unreliable performance from mission-critical systems can jeopardize your entire business.
There’s a better way. Learn how.