Cyber Security and HIPAA Compliance for Senior Living

Patient care is the priority for those working in the Senior Living space.  It’s no surprise then that there isn’t enough time left in the day to deal with the complexities of cyber security and HIPAA compliance for senior living companies.

The Cost of Inaction

There often seems to be an idea of security through obscurity that prevails in the Senior Living community: the idea that your operation is too small or not well known enough to be a target for cyber threats.

This is unfortunately a fallacy.  Most cyber criminals use automated attack tools that scan the whole internet looking for a particular vulnerability.  Once the tool finds one, it automatically executes an attack to gain access to that network.  The attackers don't have a specific target in mind.  They are looking for an open door or window, and a small facility's door is just as good as a large one's.

Once inside the network, they look for whatever they can reach.  The goal is almost always to make money, so ransomware has become extremely prevalent in these situations.

The sensitive PHI you control, combined with the high cost of HIPAA breach notification, makes you a prime target for cyber criminals: the attacker knows you have a strong incentive to pay to get your data back.

“Global cyberattacks against the healthcare industry are up 74% from last year.” – Brian Schneses, Assistant VP and Risk Consultant

“A healthcare data breach is among the costliest types of data breach. The average cost of a data breach across industries was $4.45 million, yet the average cost of a healthcare data breach was the highest among all industries at $10.93 million. Healthcare has seen a significant cost increase of 53.3% over the past three years.”

On top of the breach remediation costs come HIPAA fines, which you may be subject to as well if it is shown that you weren't following the HIPAA rules for securing PHI.

The HIPAA Journal published some info about the fine structure currently in place.  It’s summed up nicely in this graphic.

The bottom line is that cyber security breaches for healthcare organizations are costly.  They can also cause significant downtime that affects your ability to care for patients.

HIPAA Compliance – 3 Main Areas

The HIPAA Security Rule has three main parts: administrative safeguards, physical safeguards, and technical safeguards.  We'll touch on each of these areas briefly, but our main point of emphasis will be the technical safeguards, because that's our bit.

Administrative Safeguards

Most of the administrative part of HIPAA deals with ensuring that you have the right policies and procedures in place to prevent, detect, contain, and correct security violations.  There are several key points to be aware of.  This is not an exhaustive list.  We will include a handy checklist for HIPAA compliance that may help you dig into the details further.

  1. Do you have a written security policy?
  2. Does that written security policy identify formal sanctions against employees that fail to comply with your security policies?
  3. Have you done a risk assessment?
  4. Do you have an assigned security officer who is responsible for those policies?
  5. Do your systems enforce least privilege, so that each user has only the access they need to do their job?
  6. Have you defined what you deem appropriate access to EPHI, and for which roles?
  7. Are you doing security awareness training on a regular basis?
  8. Do you have policies for guarding against malicious software, password hygiene, and what to do in case of a security incident?
  9. Do you have a contingency plan in case of emergency?
  10. Do you have a procedure to backup and restore all EPHI?
  11. Do you have a business continuity plan?
  12. Do you have business associate agreements (BAAs) with all vendors that have access to patient data?

There are a lot of details to think about in this list.  The administrative section of HIPAA is about ensuring you have written policies and procedures and making sure your team actually knows them.  That way, in the unfortunate case of a breach, they know how to act and what to do to mitigate the potential damage and liability.

Physical Safeguards

The physical safeguards section deals primarily with ways to block physical access to EPHI by anyone without authorization.  We're talking about basic things like door locks, keycards, placement of networking equipment and servers, etc.  A few specifics are worth thinking about:

  1. Do you have some way to limit physical access to areas with EPHI?  This would typically be door locks or key cards.
  2. What is your plan to safeguard equipment from unauthorized access or theft?
  3. Can you easily control who has access to the building and shut off access quickly if needed?
  4. Have you restricted the use of portable media so that EPHI can’t be copied and leave the premises?
  5. What is your policy on how old equipment is disposed of?  Do you have a method in place to ensure that all EPHI is removed from the device prior to disposal?
  6. Do you keep a hardware inventory?

The physical safeguards are some of the simplest to comply with.  Get a security system with keycards for your building, ensure that all your servers and network equipment are in a room with a door locked with a separate key.  Restrict removable media usage on machines that access EPHI.  Leverage a solution that allows you to have a hardware inventory and use common sense physical security safeguards.

Technical Safeguards

The technical safeguards are where most senior living professionals could use some help from their IT team.  There are a lot of specific solutions that you need to have in place for HIPAA compliance on your network and some of the implementation can get complex.  Here is a rundown of some of the key things to look out for.

  1. Require authentication to access any EPHI, and limit users to the access they need.
  2. All users must have a unique username and password.  A shared login such as Nurse1 is not acceptable under HIPAA, because actions on EPHI can't be traced back to an individual.
  3. Develop a backup and disaster recovery solution for your IT that allows you to continue to provide patient care in an emergency.
  4. Enable screen timeouts on all machines to close sessions after a predetermined time of inactivity.
  5. Encrypt EPHI at rest on all laptops and desktops (full-disk encryption) wherever possible.
  6. Enforce policies for user authentication to any device with EPHI access.
  7. Secure the network with a firewall.
  8. Encrypt your backups.
  9. Secure all desktop and laptops with Endpoint Detection and Response software.
  10. Disable portable media by policy.
  11. Encrypt all email that contains EPHI.
  12. Apply all security patches and updates in a timely manner.
  13. Do a certified wipe on all hardware containing EPHI before it is recycled or reused.
  14. Keep current hardware and software inventories.
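Several of the items above (screen timeouts, encryption at rest, unique accounts, firewall, endpoint protection, portable media, patching) are settings you can verify on each machine rather than take on faith.  The following PowerShell script is an added example, not part of the original article and not a tool from the authors: it performs a read-only audit of one Windows workstation against those items.  It assumes Windows 10/11 run as an administrator, BitLocker for disk encryption and Microsoft Defender as the endpoint product; the registry paths are the standard Group Policy locations for each setting, and the account-name pattern used to flag shared logins is an illustrative guess to adapt to your own naming standard.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): read-only audit of a Windows
# workstation against several HIPAA technical safeguards.  Assumptions: Windows
# 10/11, BitLocker available, Microsoft Defender is the endpoint product, and the
# registry paths are the standard Group Policy locations for each setting.

function Get-RegValue {
    # Returns a registry value, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

function Test-HipaaWorkstation {
    $results = @()

    # Screen timeout: either a password-protected policy screen saver within
    # 15 minutes, or the machine-wide "Interactive logon: Machine inactivity
    # limit", which locks every user's session regardless of personal settings.
    $ssPolicy   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ssActive   = Get-RegValue $ssPolicy 'ScreenSaveActive'
    $ssSecure   = Get-RegValue $ssPolicy 'ScreenSaverIsSecure'
    $ssTimeout  = [int](Get-RegValue $ssPolicy 'ScreenSaveTimeOut')
    $inactivity = [int](Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs')
    $lockOk = ($ssActive -eq '1' -and $ssSecure -eq '1' -and $ssTimeout -gt 0 -and $ssTimeout -le 900) -or
              ($inactivity -gt 0 -and $inactivity -le 900)
    $results += New-Finding 'Session lock within 15 minutes' $lockOk "screensaver=$ssTimeout s, inactivity limit=$inactivity s"

    # Encryption at rest: BitLocker on the system drive, fully encrypted with
    # protection on (a suspended protector leaves the key exposed on disk).
    $bl = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }
    $blOk = $bl -and $bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On'
    $blDetail = if ($bl) { "$($bl.VolumeStatus), protection $($bl.ProtectionStatus)" } else { 'BitLocker not available' }
    $results += New-Finding 'System drive encrypted' $blOk $blDetail

    # Portable media: either the "All Removable Storage classes: Deny all
    # access" policy, or the USB mass-storage driver disabled (Start = 4).
    $denyAll  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
    $usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $mediaOk  = ($denyAll -eq 1) -or ($usbStart -eq 4)
    $results += New-Finding 'Removable storage blocked' $mediaOk "Deny_All=$denyAll, USBSTOR Start=$usbStart"

    # Endpoint protection: Defender real-time protection on with signatures no
    # older than a week.  A third-party EDR puts Defender into passive mode, so
    # in that case query the EDR product instead.
    $mp = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }
    $avOk = $mp -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 7
    $avDetail = if ($mp) { "realtime=$($mp.RealTimeProtectionEnabled), signatures $($mp.AntivirusSignatureAge) days old" } else { 'Defender status unavailable' }
    $results += New-Finding 'Endpoint protection active' $avOk $avDetail

    # Patching: the most recently installed update is no more than 30 days old.
    $lastPatch = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    $patchOk = $lastPatch -and ((Get-Date) - $lastPatch).Days -le 30
    $results += New-Finding 'Patched within 30 days' $patchOk "last update $lastPatch"

    # Unique accounts: flag enabled local users whose names look like shared
    # station logins.  The pattern is illustrative; adjust it to your naming standard.
    $shared = try { Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -match '^(nurse|nursing|station|frontdesk|shared|user)\d*$' } } catch { $null }
    $sharedNames = ($shared | ForEach-Object { $_.Name }) -join ', '
    $results += New-Finding 'No shared-looking local accounts' (-not $shared) "flagged: $sharedNames"

    # Firewall: all Windows Firewall profiles enabled.  This is the host side
    # only; the perimeter firewall needs its own check.
    $profilesOff = try { Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } } catch { $null }
    $fwDetail = ($profilesOff | ForEach-Object { $_.Name }) -join ', '
    $results += New-Finding 'Host firewall enabled on all profiles' (-not $profilesOff) "disabled profiles: $fwDetail"

    return $results
}

$report = Test-HipaaWorkstation
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($report.Count) checks failed"
```

Run it from an elevated PowerShell prompt on a workstation, or push it out through your RMM tool so every machine reports regularly.  Note that the checks are evidence for the "technical safeguards" part of a risk assessment, not a substitute for one: a machine that passes every line above still needs the written policies, the risk analysis, and the BAAs from the administrative section.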

Putting the correct cyber security solutions in place to protect your data is key to the success of your HIPAA compliance plan.  If you don’t have an IT team in house to assist with the technical safeguards, we recommend finding a reputable IT provider with experience in healthcare and HIPAA compliance.  Working with the right IT resources can do a lot to simplify your compliance journey and save you time.

Conclusion

It’s often difficult for healthcare professionals to find the time necessary to dig into HIPAA compliance, but doing so should be of high importance.  The risk to your organization is substantial, and you need to have a plan.

Here is a link to our handy HIPAA Compliance checklist.  It's meant to be a primer and get you thinking about the regulations and key requirements.  We hope it's helpful as you work to better secure your EPHI.

Having the right IT partner can be a critical part of compliance.  If this all looks daunting, or the technical solutions needed seem complex to implement, give us a call.  With years of experience helping senior living organizations meet HIPAA requirements, our team of experts can help bear the load and assist in putting the technical solutions in place that your organization needs.