HIPAA privacy rule changes – How to prepare

On January 5, 2021, the Cybersecurity Safe Harbor provision was added to the HITECH Act. The bill encourages covered entities to adopt an appropriate level of security to protect their operations. As long as a covered entity has adopted a commonly accepted security framework, the provision will reduce financial penalties in the event of a data breach and requires OCR to decrease the length and extent of data breach audits and investigations.

HITRUST is considered a commonly accepted security framework within the healthcare industry. Below are a few key areas that not only prepare an organization for HITRUST certification but also address recent requirements from some cyber-insurance providers and help prevent ransomware attacks:

1. Multi-Factor Authentication (MFA)

You will be hard-pressed to find a cyber-insurance carrier that provides a policy without MFA. MFA requires the user to prove their identity in more than one way when signing in, typically through an application, a phone, or email.

Pro Tip – Email notifications can cause access problems. Consider using text messages, or, for a higher level of security, a phone application such as Microsoft Authenticator.

2. Log Monitoring and Detection

Logs of suspicious activity from systems, networks, and security devices are correlated and analyzed to detect possible attacks and to prevent or reduce damage to operations.

Pro Tip – With most covered entities low on staff and technical expertise, consider hiring a managed security service provider (MSSP) with a retainer for digital forensics in the event of an incident.
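The correlation described under log monitoring is easier to picture with a concrete rule. The following added example (not from the original article or from any MSSP's tooling) reads constructed VPN authentication log lines, keeps a sliding five-minute window of failed logins per source address, and raises an alert when a source crosses a failure threshold and a second, higher-priority alert when that same source then logs in successfully. The log format, hostnames and addresses are invented for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data); the format mimics a typical VPN/SSH auth log.
SAMPLE_LOG = """\
2021-01-20T08:00:01 vpn-gw1 auth: FAILED user=jsmith src=203.0.113.7 reason=bad_password
2021-01-20T08:00:03 vpn-gw1 auth: FAILED user=jsmith src=203.0.113.7 reason=bad_password
2021-01-20T08:00:05 vpn-gw1 auth: FAILED user=jsmith src=203.0.113.7 reason=bad_password
2021-01-20T08:00:06 vpn-gw1 auth: FAILED user=jsmith src=203.0.113.7 reason=bad_password
2021-01-20T08:00:08 vpn-gw1 auth: FAILED user=jsmith src=203.0.113.7 reason=bad_password
2021-01-20T08:00:12 vpn-gw1 auth: SUCCESS user=jsmith src=203.0.113.7 mfa=none
2021-01-20T08:15:00 vpn-gw1 auth: FAILED user=mlee src=198.51.100.4 reason=bad_password
2021-01-20T09:30:00 vpn-gw1 auth: SUCCESS user=mlee src=198.51.100.4 mfa=push
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(line: str):
    """Turn one log line into a dict, or None if the line is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Correlate events per source address.
    Alert 'brute_force' when a source reaches `threshold` failures inside `window`;
    alert 'success_after_failures' when such a source then authenticates successfully."""
    recent_failures = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) == threshold:             # fire once when the threshold is crossed
                alerts.append(("brute_force", ev["src"], ev["user"], ev["ts"]))
        elif len(q) >= threshold:               # success while the source is still flagged
            alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24s} src={src} user={user}")
```

The single failure from 198.51.100.4 never produces an alert because it has aged out of the window by the time that user logs in; the five rapid failures from 203.0.113.7 followed by a success do, which is exactly the sequence an analyst would want escalated rather than buried among routine typo-driven failures.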

3. Backup and Disaster Recovery

Healthcare companies should regularly back up copies of information and software and tie those backups into a disaster recovery plan. They should also complete a business impact analysis (BIA) and include standard operating procedures (SOPs) for bringing systems back online.

Pro Tip – Hire a firm with expert knowledge to help build a cloud-based solution. A solid business continuity plan using a cloud service provider will dramatically reduce complexity and response time.

4. Breach Incident Response Plan

An incident response program will cover detection, notification, communication, and coordination. Training and clearly defined responsibilities are essential in any response plan.

Pro Tip – Perform regular tabletop exercises with different groups within the organization to build awareness and confidence.

Published on January 26, 2021