HIPAA privacy rule changes – How to prepare
HITRUST is a widely accepted security framework within the healthcare industry. The key areas below not only help you prepare for a HITRUST certification but also address recent requirements from cyber-insurance providers and reduce the likelihood and impact of a ransomware attack:
1. Multi-Factor Authentication (MFA)
You will be hard-pressed to find a cyber-insurance carrier that will write a policy without MFA in place. MFA requires the user to present more than one factor to sign in: something they know (a password) plus something they have, typically a code or prompt delivered through an authenticator application, a phone, or email.
Pro Tip – Email-delivered codes can cause access problems (a locked-out mailbox means no second factor) and add little security if the mailbox password is the one being attacked. SMS codes are better but remain exposed to SIM-swap and phishing attacks. For a higher level of security, use a phone application such as Microsoft Authenticator, which generates time-based codes from a secret that never leaves the device.
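To make concrete why an authenticator app beats an emailed code, the following is an added example (not code from the original page or from Microsoft) of the RFC 6238 TOTP algorithm that apps such as Microsoft Authenticator implement: the server and the app share a secret once at enrollment, and after that the code is computed offline from the secret and the current 30-second time step, so nothing is sent over email or SMS that an attacker could intercept. The enrollment URI format, verifier, and the `Clinic`/`jdoe` labels are illustrative assumptions; the secret `12345678901234567890` is the RFC 6238 test-vector secret.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Server-side check. Returns the matched time-step counter, or None.

    - Accepts +/- `skew` steps to tolerate clock drift between phone and server.
    - Rejects any counter <= last_counter so a code that was already used cannot be
      replayed within its validity window (the caller persists the returned counter).
    - Uses hmac.compare_digest so the comparison does not leak via timing.
    """
    now_counter = unix_time // step
    matched = None
    for drift in range(-skew, skew + 1):
        counter = now_counter + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            matched = counter
    return matched


def new_secret(nbytes: int = 20) -> bytes:
    """Per-user shared secret generated at enrollment (160 bits, the RFC 4226 recommendation)."""
    return os.urandom(nbytes)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """otpauth:// URI encoded into the enrollment QR code that the authenticator app scans.

    Assumed label format "Issuer:account"; the secret is Base32 without padding.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "Clinic", "jdoe"))   # enrollment: shown once, as a QR code
    now = int(time.time())
    code = totp(secret, now)                             # what the app displays right now
    print("current code:", code, "->", verify_totp(secret, code, now))
```

The RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `94287082` at 8 digits) can be used to confirm the implementation. Note that the secret must be stored server-side with the same care as a password hash cannot provide: it is a symmetric key, so it belongs in an HSM or an encrypted secrets store, not in a plaintext user table.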
2. Log Monitoring and Detection
Logs from systems, networks, and security devices are collected centrally, then correlated and analyzed to detect possible attacks early enough to prevent or reduce damage to operations. The value is in the correlation: a single failed login is noise, but a burst of failures followed by a success, or one source trying many accounts, is a signal.
Pro Tip – With most covered entities low on staff and technical expertise, consider hiring a managed security service provider (MSSP) with a retainer for digital forensics in the event of an incident.
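The following is an added example (not from the original page or any MSSP product) of the kind of correlation an MSSP or SIEM performs on authentication logs. It parses constructed sample log lines (the hosts, users, and IP addresses are invented for illustration) and runs two detections: a brute-force pattern (N failures from one source against one account, then a success) and a password-spray pattern (one source failing against several different accounts inside a short window).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample auth log (not from a real system): ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host=vpn1 event=login_failure user=jdoe src=203.0.113.7
2024-03-01T08:00:05Z host=vpn1 event=login_failure user=jdoe src=203.0.113.7
2024-03-01T08:00:09Z host=vpn1 event=login_failure user=jdoe src=203.0.113.7
2024-03-01T08:00:14Z host=vpn1 event=login_failure user=jdoe src=203.0.113.7
2024-03-01T08:00:20Z host=vpn1 event=login_failure user=jdoe src=203.0.113.7
2024-03-01T08:00:31Z host=vpn1 event=login_success user=jdoe src=203.0.113.7
2024-03-01T08:02:00Z host=vpn1 event=login_failure user=asmith src=198.51.100.4
2024-03-01T08:40:00Z host=vpn1 event=login_success user=asmith src=198.51.100.4
2024-03-01T09:15:00Z host=ehr1 event=login_success user=rlee src=10.0.5.21
2024-03-01T10:00:00Z host=owa1 event=login_failure user=bwong src=192.0.2.9
2024-03-01T10:00:02Z host=owa1 event=login_failure user=cpatel src=192.0.2.9
2024-03-01T10:00:04Z host=owa1 event=login_failure user=dkim src=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line: str):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["ts"] = ts
    return fields


def detect_brute_force_success(lines, threshold: int = 5, window_seconds: int = 300):
    """Alert when >= threshold failures for (src, user) inside the window precede a success."""
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or "src" not in ev or "user" not in ev:
            continue
        q = failures[(ev["src"], ev["user"])]
        # Slide the window: discard failures older than window_seconds relative to this event.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev.get("event") == "login_failure":
            q.append(ev["ts"])
        elif ev.get("event") == "login_success":
            if len(q) >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"], "failures": len(q),
                               "first_failure": q[0].isoformat(), "success": ev["ts"].isoformat()})
            q.clear()  # a success resets the sequence for this pair
    return alerts


def detect_password_spray(lines, min_users: int = 3, window_seconds: int = 600):
    """Alert once per source that fails against >= min_users distinct accounts in the window."""
    recent = defaultdict(deque)  # src -> (ts, user) of recent failures
    alerted, alerts = set(), []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev.get("event") != "login_failure":
            continue
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        q.append((ev["ts"], ev["user"]))
        users = {u for _, u in q}
        if len(users) >= min_users and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for a in detect_brute_force_success(lines):
        print("BRUTE-FORCE-THEN-SUCCESS", a)
    for a in detect_password_spray(lines):
        print("PASSWORD-SPRAY", a)
```

On the sample data the first detector fires only for `jdoe` from `203.0.113.7` (five failures in 30 seconds, then a success); `asmith` has a single failure 38 minutes before a success and is correctly ignored. The second fires for `192.0.2.9`, which never reaches the per-account threshold but touches three accounts in four seconds. Both rules need the failure and success events to carry the same source and account fields, which is why consistent log formats across VPN, email, and EHR systems matter more than any single rule.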
3. Backup and Disaster Recovery
Healthcare companies should regularly back up information and software and tie those backups into a disaster recovery plan. Because ransomware targets backups first, at least one copy should be offline or immutable and restores should be tested on a schedule, not assumed. They should also complete a business impact analysis (BIA) to set recovery priorities and include SOPs for bringing systems back online in that order.
Pro Tip – Hire a firm with expert knowledge to help build a cloud-based solution. A solid business continuity plan built on a cloud service provider can dramatically reduce complexity and recovery time, provided the cloud copies are protected by separate credentials and MFA so that an attacker who compromises the production environment cannot delete them too.
4. Breach Incident Response Plan
An incident response program covers detection, containment, notification, communication, and coordination. For a covered entity, notification includes the HIPAA Breach Notification Rule deadlines, so the plan should say who decides whether an event is a reportable breach and who contacts affected individuals, HHS, and (where required) the media. Training and clearly defined responsibilities are essential in any response plan.
Pro Tip – Perform regular tabletop exercises with different groups within the organization to build awareness and confidence.
The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.