Will you pass a HIPAA audit?
(Last updated on February 7, 2020)
One of the most valuable types of data is online healthcare patient data. Multiple Health Insurance Portability and Accountability Act (HIPAA) breaches in the past showed that fraudsters obtained the records and filed false claims with insurers or bought drugs that were later resold using fake IDs. It is said that personal medical information is now worth ten times more than credit card data on the black market.
A report released by IDC’s Health Insights group predicts that one in three consumers will have their healthcare records compromised by cyberattacks in 2016 due to lackluster electronic security in healthcare and an increasing number of online patient data breaches.
Medical data is becoming a lucrative target, and there is a greater need to comply with HIPAA than ever before. HIPAA sets the security standards that must be followed by those who work with health data, including healthcare providers, healthcare clearinghouses, health plans and their business associates.
Whether you’re undergoing a HIPAA audit or not, it is important to make sure you have the proper security processes and measures in place to safeguard your data. The article titled 5 Questions IT Auditors Will Definitely Ask You lists five common questions you should ask yourself to prepare for an IT audit:
- Do you have a documented security policy?
When evaluating the adequacy and reliability of a security policy, auditors will compare measures outlined in the policy with a company’s internal processes to ensure that they are being properly carried out.
- Are access privileges in your organization adequately granted?
IT auditors will not only verify who has access to what (and why), but they’ll also check a company’s ability to detect insider misuse or abuse of access privileges. Multi-factor authentication adds an extra layer of security to protect against fraud and identity theft. If someone tries to log in with a stolen username and password, a second or third authentication factor, such as a mobile verification code or a security token, would stop the unauthorized user from gaining access.
- What methods do you use to protect your data?
Be ready to present reports about your methods of data classification and segregation and prove that your most valuable assets cannot be easily compromised. For example, are you placing data into a 24/7 protected network? Do you have a HIPAA compliant password policy in place for creating, changing and safeguarding passwords?
- Do you have a disaster recovery plan?
A good disaster recovery plan includes information about employees’ roles and responsibilities, how they should react if a security breach occurs, and what they should do to stop data leaks and minimize their negative consequences.
- Are your employees familiar with existing security procedures and policies?
A company will often need to prove that its employees are regularly trained and are informed about existing security procedures. According to Experian’s 2015 Second Annual Data Breach Industry Forecast, employees and negligence are the leading causes of security incidents but remain the least reported issue. Even the best technologies can’t protect your data if your employees continue to engage in insecure practices such as giving out passwords over the phone, responding to phishing emails and storing login information in an insecure location. Schedule ongoing training to educate employees on the latest security threats and what they can do to prevent security attacks.
Becoming HIPAA compliant is only a start. There is a lot more to be done to thwart attacks if you don’t want to end up in the news like Anthem or Blue Cross and Blue Shield. There isn’t a better time to reevaluate your overall security strategy and make security a business priority than now. Specops Password Policy can help you meet your HIPAA password-related requirements.