As an IT professional in healthcare, I deal with protecting a lot of patient data. The job covers everything from ensuring employees have the proper tools to communicate safely both internally and externally, to ensuring patient data is stored securely, to ensuring that data which needs to be deleted is destroyed in a way that leaves no means of recovering it.
According to the ITRC 2018 end-of-year report, “from 2017 to 2018 data breaches declined 23%, but exposed customer PII records are up 126%”, with the healthcare industry being the 2nd most exposed sector. From the report, one can see that even though data security and IT professionals are taking the correct steps to protect consumer data, software vulnerabilities and human error remain the main ways hackers get past security systems. Taking the correct steps to ensure a company is Health Insurance Portability and Accountability Act (HIPAA) compliant can better help protect consumer data.
From an IT perspective, the first steps toward HIPAA compliance are securing communication and securing Protected Health Information (PHI). Microsoft Office 365 provides the tools for both: secure communication and the means to secure patient data. According to HIPAA Journal, “all data uploaded to or stored on Microsoft servers is protected by encryption and any data transferred outside of Microsoft facilities is similarly encrypted. However, packet headers and message headers are not encrypted.” This boils down to the following: the software can properly protect the data, but employees still need to be properly trained to ensure HIPAA compliance.
In conclusion, there are 4 major steps an IT professional can take to push an organization in the right direction toward becoming HIPAA compliant:
- Installing and configuring a business-grade firewall. Firewalls are the first step in blocking unauthorized traffic from reaching your internal network.
- Encrypting computer hard drives. Whether you're using Windows 10 (earlier releases are NOT compliant) or the latest Mac OS X, make sure you're using the respective built-in hard drive encryption feature.
- Using Microsoft Office 365 for communication as well as data storage. Microsoft has provided the tools for organizations to protect electronic PHI from unauthorized access, use, and disclosure.
- Training employees. This step is usually overlooked, but training employees to watch out for phishing emails, malware links, etc. helps protect their machines and the company network.
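The first two steps above (host firewall and full-disk encryption) are easy to declare and easy to let drift, so an added example follows: a PowerShell audit that reports whether a Windows 10 machine still meets them. This is example code written for this post, not a Microsoft or HIPAA Journal tool; the function name `Get-HipaaHostControlStatus` is made up, it assumes an elevated prompt on a Windows 10 edition that ships the BitLocker module (Pro/Enterprise), and it checks only the Windows side, not Mac OS X.

```powershell
# Added example (not from the original post): audit the host firewall and
# BitLocker state on one Windows 10 machine and return a single object that
# can be collected from many hosts (e.g. via Invoke-Command) for a report.
# Assumes: run as administrator; BitLocker module available (Pro/Enterprise).

function Get-HipaaHostControlStatus {
    [CmdletBinding()]
    param()

    # Step 1 - firewall: every profile (Domain, Private, Public) should be
    # enabled and should block inbound connections by default.
    $firewallFindings = foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) {
            "Firewall profile '$($p.Name)' is disabled"
        } elseif ($p.DefaultInboundAction -eq 'Allow') {
            "Firewall profile '$($p.Name)' allows inbound traffic by default"
        }
    }

    # Step 2 - disk encryption: every BitLocker-capable volume should be fully
    # encrypted with protection on. A volume still encrypting, or one whose
    # protectors are suspended, is not yet protecting PHI at rest.
    $diskFindings = foreach ($v in Get-BitLockerVolume) {
        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            "Volume $($v.MountPoint) is $($v.VolumeStatus)"
        } elseif ($v.ProtectionStatus -ne 'On') {
            "Volume $($v.MountPoint) is encrypted but protection is $($v.ProtectionStatus)"
        }
    }

    # Drop the nulls that an empty foreach leaves behind so Count is accurate.
    $findings = @(@($firewallFindings) + @($diskFindings) | Where-Object { $_ })

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        CheckedAt    = (Get-Date).ToString('s')
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Run locally; pipe to Export-Csv or ConvertTo-Json to keep a compliance record.
Get-HipaaHostControlStatus | Format-List
```

A machine that reports `Compliant : False` lists the exact profile or volume that drifted, which is the evidence an auditor asks for and the ticket a help desk can act on.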