The biggest challenge in ensuring HIPAA data security is people.
At its core, HIPAA compliance is simply about maintaining patient privacy by ensuring the appropriate access to and use of patient data by your users. Electronic Health Record (EHR) solutions provide detail around when patient data is accessed, but without visibility into what users do with sensitive patient data after they access it, the risk of data breaches, compliance violations, and the investigations, fines, and reputational damage that comes with them, is significantly increased.
Organizations seeking to meet HIPAA requirements for data security and technical compliance are expected to demonstrate proper use of patient data through appropriate administrative and technical safeguards. While most organizations focus their efforts on implementing safeguards that revolve around an EHR system already designed to be HIPAA compliant, today’s computing environments facilitate the ability to repurpose accessed patient data in an unauthorized fashion, quickly, easily, and conveniently. Webmail, cloud-based storage, USB storage, web-based collaboration tools, and even printing are just some of the ways users can improperly save, steal, and share patient data – making the watching of activity only within an EHR a shortsighted strategy, if the goal is to truly be able to demonstrate compliance.
The penalties for a HIPAA data security breach are severe – ranging from hundreds of dollars per record, up to $1.5 million, depending on the tier of the infraction. Avoiding these penalties depends solely on an organization’s ability to ensure proper controls concerning HIPAA technical compliance are in place, and that access to patient data is properly secured.
So, what’s needed is a means to have complete visibility into every action performed by a user with access to patient data – every application used, webpage visited, record copied, file saved, printscreen generated, and page printed. Only then will a covered entity truly know whether patient data has been appropriately accessed and used.
But, compliance to HIPAA isn’t just a technical battle; it’s one filled with policies and procedures that, in conjunction with technology, ensure users are trained, access to patient data is correctly granted, use is appropriate, and compliance can be demonstrated.
In the following 2 blog posts, we will discuss challenges to key stakeholders and ways that Veriato can help address HIPAA data security and technical compliance challenges.
Insider Risk – How Prepared Are You?
Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.