Will you pass a HIPAA audit?


One of the most valuable types of data is online healthcare patient data. Multiple Health Insurance Portability and Accountability Act (HIPAA) breaches in the past showed that fraudsters obtained the records and filed false claims with insurers or bought drugs that were later resold using fake IDs. It is said that personal medical information is now worth ten times more than credit card data on the black market.

A report released by IDC’s Health Insights group predicts that one in three consumers will have their healthcare records compromised by cyberattacks in 2016 due to lackluster electronic security in healthcare and an increasing number of online patient data breaches.

Medical data is becoming a lucrative target, and the need to comply with HIPAA is greater than before. HIPAA establishes security standards that must be followed by everyone who works with health data, including healthcare providers, healthcare clearinghouses, health plans and their business associates.

Whether you’re undergoing a HIPAA audit or not, it is important to make sure you have the proper security processes and measures in place to safeguard your data. The article 5 Questions IT Auditors Will Definitely Ask You lists five common questions you should ask yourself to prepare for an IT audit:

  • Do you have a documented security policy?

When evaluating the adequacy and reliability of a security policy, auditors will compare measures outlined in the policy with a company’s internal processes to ensure that they are being properly carried out.

  • Are access privileges in your organization adequately granted?

IT auditors will not only verify who has access to what (and why), but they’ll also check a company’s ability to detect insider misuse or abuse of access privileges. Multi-factor authentication adds an extra layer of security to protect against fraud and identity theft. If someone obtains a user’s account name and password, a second or third authentication factor, such as a mobile verification code or a security token, would still stop the unauthorized user from gaining access.

  • What methods do you use to protect your data?

Be ready to present reports about your methods of data classification and segregation and prove that your most valuable assets cannot be easily compromised. For example, are you placing data into a 24/7 protected network? Do you have a HIPAA compliant password policy in place for creating, changing and safeguarding passwords?
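As an added illustration of the "creating, changing and safeguarding passwords" part of that question (this is example code, not Specops Password Policy or any code from the article), the following shows the checks a password-change routine can enforce and how stored passwords are protected: a minimum length, a banned-password list, a rule against embedding the username, a reuse check against the user’s hashed password history, and salted scrypt hashing so the history never contains plaintext. The numeric limits and the banned-word list are constructed for the example; HIPAA itself does not prescribe specific values, and the `Account` class and its method names are this example’s own.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed policy values for illustration; adjust to your own policy.
MIN_LENGTH = 12
HISTORY_DEPTH = 5   # remembered passwords, including the current one
# Constructed sample list; a real deployment would check a breached-password corpus.
BANNED = {"password", "password1", "welcome1", "changeme", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using scrypt, a memory-hard KDF available in the standard library."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_policy(username: str, new_password: str,
                 history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return every policy violation for a proposed password; empty list means acceptable."""
    violations: List[str] = []
    if len(new_password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if new_password.lower() in BANNED:
        violations.append("appears on the banned-password list")
    if username.lower() in new_password.lower():
        violations.append("contains the username")
    # Reuse is detected by verifying against each stored hash; no plaintext is ever kept.
    if any(verify_password(new_password, salt, digest) for salt, digest in history):
        violations.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return violations


class Account:
    """A user record that keeps only salted hashes of the current and previous passwords."""

    def __init__(self, username: str, initial_password: str):
        self.username = username
        # Most recent first; the first entry is the current password.
        self.history: List[Tuple[bytes, bytes]] = [hash_password(initial_password)]

    def authenticate(self, password: str) -> bool:
        salt, digest = self.history[0]
        return verify_password(password, salt, digest)

    def change_password(self, new_password: str) -> List[str]:
        """Apply the policy; rotate the password only when there are no violations."""
        violations = check_policy(self.username, new_password, self.history)
        if not violations:
            self.history.insert(0, hash_password(new_password))
            del self.history[HISTORY_DEPTH:]   # forget hashes older than the policy requires
        return violations


if __name__ == "__main__":
    acct = Account("jsmith", "Correct-Horse-Battery-1")
    print(acct.change_password("Correct-Horse-Battery-1"))   # reuse is rejected
    print(acct.change_password("Staple-Correct-Horse-2"))    # [] means accepted
    print(acct.authenticate("Staple-Correct-Horse-2"))       # True
```

Returning the full list of violations rather than the first one lets the user fix everything in one attempt, and keeping the reuse check hash-based means an auditor can confirm that password history is enforced without the system ever storing recoverable passwords.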

  • Do you have a disaster recovery plan?

A good disaster recovery plan includes information about employees’ roles and responsibilities, how they should react if a security breach occurs, and what they should do to stop data leaks and minimize their negative consequences.

  • Are your employees familiar with existing security procedures and policies?

A company will often need to prove that its employees are regularly trained and are informed about existing security procedures. According to Experian’s 2015 Second Annual Data Breach Industry Forecast, employees and negligence are the leading causes of security incidents but remain the least reported issue. Even the best technologies can’t protect your data if your employees continue to engage in insecure practices such as giving out passwords over the phone, responding to phishing emails and storing login information in an insecure location. Schedule ongoing training to educate employees on the latest security threats and what they can do to prevent attacks.

Becoming HIPAA compliant is only a start. There is a lot more to be done to thwart attacks if you don’t want to end up in the news like Anthem or Blue Cross and Blue Shield. There isn’t a better time to reevaluate your overall security strategy and make security a business priority than now. Specops Password Policy can help you meet your HIPAA password-related requirements.

(Last updated on November 8, 2024)
