Encrypt. Secure data in storage and during transmission. Be prepared: it is not a question of "if" but of "when" you will be breached. Ensure strong data access controls. Put strong business associate agreements in place. These were just some of the messages emphasized repeatedly during the NIST- and OCR-sponsored conference "Safeguarding Health Information: Building Assurance through HIPAA Security", held on September 2 and 3, 2015.
Starting with Jocelyn Samuels, Director of the Office for Civil Rights (OCR), and continuing with Deven McGraw, Deputy Director of OCR, Cora Han of the FTC, Iliana Peters of OCR and many others from the private and public sectors, the government agencies set the stage by clearly explaining the need to comply with HIPAA and other data privacy rules. They highlighted their priorities: education, outreach and enforcement. Complaint investigations, compliance reviews and audits will continue, and OCR will continue to issue further compliance guidance.
All speakers and panelists stressed the importance of data controls and of having a robust data security plan that is risk based rather than compliance driven. They encouraged organizations to identify their vulnerabilities and known threats and to address them immediately. If you do not address a risk, the auditors will expect to see what compensating controls you have in place to mitigate it. There was significant focus on having contracts with business associates, because a business associate's breach becomes the covered entity's breach. An organization must always know where its PHI is located; if it is held overseas, additional steps may be needed to cover that risk.
The importance of data encryption cannot be overstated. 57% of known breaches have been due to theft or loss of devices or media, and every one of them could have been avoided by using industry-tested and accepted encryption methods. Healthcare is expected to remain a heavily targeted industry, since hackers value private health data, so the importance of being prepared cannot be taken lightly.
Security should be part of your decision-making in every part of your business. Be deliberate about what data you collect and retain. Dispose of data securely. Ensure that your business associates implement reasonable security measures, and verify their compliance through oversight. Security is an ongoing process, not a one-time project.
By Rema Deo.