The Health Insurance Portability and Accountability Act (HIPAA) has been a reality for the medical and insurance communities since 1996, bringing a higher level of accountability to those involved in the transfer and storage of patient medical data. HIPAA refers to this data as Protected Health Information (PHI), or Electronic Protected Health Information (EPHI) when it is stored or transmitted electronically, and requires that it remain confidential and not be disclosed to any unauthorized party. Failure to secure EPHI can result in lawsuits, loss of revenue, and fines for the offending business.
As communications technology has evolved, so has HIPAA, creating problems for many corporate IT departments. Many of the technological tools present in the workplace today, such as laptop computers, removable storage devices, and wireless networks, pose specific threats to HIPAA compliance. As a result, organizations must control access to information; this is not a problem within a traditional office setting, but in an organization with remote workers or wireless capabilities the solution becomes more complex.
Fortunately, in the last two years software solutions from companies such as Safend have emerged that allow organizations to continue to use productivity-enhancing tools while maintaining a high level of information security. These solutions work by preventing unauthorized data transfer, or "leakage", integrating into existing corporate architectures and ensuring that security breaches are contained.
Regardless of which technological tools you choose to deploy, there are three key steps you can take to minimize information leaks and facilitate HIPAA compliance:
- Evaluate potential data leaks
The first step in any security planning exercise is to evaluate the outstanding vulnerabilities within the network. Not only is this good practice, it is a HIPAA requirement. This process involves running an auditing tool that allows the system administrator to collect information from each corporate PC or laptop (the endpoints) and deliver a comprehensive list of which devices, ports, and connections are available for use. Identifying which connections are being used and how they are being used (file transfers vs. entertainment activity) is crucial in pinpointing weak spots and potential leaks in an organization's network.
- Establish access policies
Once you have determined where your vulnerabilities lie and which devices, connections, and ports are open and available for use, develop a plan that establishes access-level policies for specific users and types of data. For example, does a temporary employee require the same level of information access as a product manager? Who will be allowed to download information to work from home? Which types of storage devices may they use? Which remote employees will be allowed to log in to the corporate network, and which areas will they be allowed to access? Your plan must include access levels that meet the specific HIPAA requirements relevant to your business.
- Implement and enforce policy compliance
Once you have established and communicated corporate access level policies, implement them on your organization’s endpoints (laptops, PCs, etc.). The access rights of users should be monitored periodically, as required by HIPAA, to ensure that policies are being followed. Software can be installed to enforce the policies at the endpoint by limiting information flow from the endpoint to external data destinations. For example, a Medicare billing clerk can be allowed access to a patient’s electronic chart while the human resources team is denied access to those files. Restrictions can be associated with a particular device, port, or even by file. Ideally, software used to enforce policy compliance will collect logs and generate reports that record every instance of attempted access, any restricted activity, and the transfer of data. Such tools will assist in providing an information trail as well as satisfying the data accountability tenets of HIPAA.
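The two steps above (policies keyed to user role and data type, then endpoint enforcement with a log of every attempted access) can be sketched in code. The following is an added example written for this article, not Safend's product or any vendor's API: a default-deny device-control policy evaluated against a handful of constructed endpoint events, with a hash-chained audit log so that an edited log line is detectable on review. The roles, device classes, serial numbers, and size caps are all assumptions chosen for illustration.

```python
"""Added example: default-deny endpoint device-control policy with an audit trail.
Illustrative code only; not Safend's product or any real product's API."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import hashlib
import json


@dataclass
class DevicePolicy:
    """What a role may do with endpoint peripherals (assumed policy shape)."""
    allowed_device_classes: Set[str]   # e.g. "hid", "printer", "storage"
    allowed_storage_serials: Set[str]  # whitelisted removable-storage serials
    require_encrypted_storage: bool    # refuse unencrypted removable media
    allowed_file_classes: Set[str]     # data classes that may be copied out
    max_transfer_bytes: int            # per-write cap for removable media


# Constructed role policies (assumptions, not HIPAA text). Anyone whose role
# is not listed here is denied everything: the default is deny.
POLICIES: Dict[str, DevicePolicy] = {
    "billing_clerk": DevicePolicy({"hid", "printer", "storage"}, {"USB-ENC-0001"},
                                  True, {"billing"}, 50_000_000),
    "human_resources": DevicePolicy({"hid", "printer"}, set(), True, {"hr"}, 0),
    "temp_employee": DevicePolicy({"hid"}, set(), True, set(), 0),
}


@dataclass
class DeviceEvent:
    """One observed endpoint action: a device connect or a write to it."""
    user: str
    role: str
    device_class: str
    serial: Optional[str] = None
    encrypted: bool = False
    action: str = "connect"          # "connect" or "write"
    file_class: Optional[str] = None  # data class of the file being written
    nbytes: int = 0


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(event: DeviceEvent) -> Decision:
    """Apply the role's policy; the first failing check produces the denial."""
    policy = POLICIES.get(event.role)
    if policy is None:
        return Decision(False, "unknown role: default deny")
    if event.device_class not in policy.allowed_device_classes:
        return Decision(False, f"device class {event.device_class!r} not permitted for role")
    if event.device_class == "storage":
        if event.serial not in policy.allowed_storage_serials:
            return Decision(False, "storage serial not on whitelist")
        if policy.require_encrypted_storage and not event.encrypted:
            return Decision(False, "storage device is not encrypted")
        if event.action == "write":
            if event.file_class not in policy.allowed_file_classes:
                return Decision(False, f"file class {event.file_class!r} may not leave the endpoint")
            if event.nbytes > policy.max_transfer_bytes:
                return Decision(False, "transfer exceeds per-write cap")
    return Decision(True, "permitted by role policy")


class AuditLog:
    """One JSON line per decision. Each line carries the SHA-256 of the previous
    line, so editing or deleting an earlier entry breaks verify()."""

    def __init__(self) -> None:
        self.lines: List[str] = []
        self._prev = "0" * 64

    def record(self, event: DeviceEvent, decision: Decision) -> str:
        entry = {"user": event.user, "role": event.role, "device_class": event.device_class,
                 "serial": event.serial, "action": event.action, "file_class": event.file_class,
                 "nbytes": event.nbytes, "allowed": decision.allowed,
                 "reason": decision.reason, "prev": self._prev}
        line = json.dumps(entry, sort_keys=True)
        self._prev = hashlib.sha256(line.encode()).hexdigest()
        self.lines.append(line)
        return line

    def verify(self) -> bool:
        prev = "0" * 64
        for line in self.lines:
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True


def run_sample() -> AuditLog:
    """Evaluate a constructed sequence of endpoint events and return the log."""
    events = [
        DeviceEvent("alice", "billing_clerk", "storage", "USB-ENC-0001", True),
        DeviceEvent("alice", "billing_clerk", "storage", "USB-ENC-0001", True,
                    "write", "billing", 1_000_000),
        DeviceEvent("alice", "billing_clerk", "storage", "USB-ENC-0001", True,
                    "write", "hr", 4_096),
        DeviceEvent("bob", "human_resources", "storage", "USB-ENC-0001", True),
        DeviceEvent("carol", "temp_employee", "printer"),
        DeviceEvent("dave", "contractor", "hid"),
        DeviceEvent("alice", "billing_clerk", "storage", "USB-9999", False),
    ]
    log = AuditLog()
    for ev in events:
        log.record(ev, evaluate(ev))
    return log


if __name__ == "__main__":
    for line in run_sample().lines:
        print(line)
```

Two design points are worth noting. The policy denies by default: an unlisted role, an unlisted storage serial, or an unlisted file class all fail closed, which is the least-privilege posture the access-policy step calls for. The log records denials as well as permissions, because the attempted-but-blocked copy of an HR file to a billing clerk's USB stick is exactly the event an auditor will ask about.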
Final Analysis
Data protection solutions that address endpoint vulnerabilities augment HIPAA safeguards and can integrate with existing organizational access privileges to control the flow of information. This three-step approach tackles the difficult job of limiting the impact of data leakage on HIPAA compliance and offers tools to manage both the protective and the audit requirements of the regulation. Additionally, quickly deployable technical controls can be integrated into existing policies. Without this type of endpoint security strategy, organizations face serious cracks in any infrastructure designed to be HIPAA compliant.