
Four Measures Your Organization Needs to Achieve HIPAA Compliance

David Millier


With revisions to federal legislation around the security and storage of health information in the US, many businesses are aware that they need to ensure compliance with standards mandated in the Health Insurance Portability and Accountability Act (HIPAA). But that's left many with a big question: how does my organization become HIPAA compliant?

What Is HIPAA?

HIPAA is a United States federal law enacted in 1996. Its Privacy and Security Rules govern how protected health information (PHI) may be used, disclosed and safeguarded, with the Security Rule applying specifically to electronic PHI (ePHI). Sharing health information is often necessary, for example when a doctor refers a patient to a hospital or another practitioner, but the same information is highly sensitive, and the act is designed to keep patients and their medical records safe in the digital age.

What Does It Take to Be Compliant?

Businesses become HIPAA compliant when they follow the standards of practice set out in the law and its implementing rules. With the passage of the Patient Protection and Affordable Care Act of 2010 and the subsequent changes to the US health care system, there has been a renewed focus on HIPAA and its standards.

Any organization that handles protected health information, whether as a covered entity or as a business associate working on its behalf, must comply with HIPAA. This post groups the Security Rule's safeguards into four areas: physical, network (the rule's "technical" safeguards), process (its "administrative" safeguards) and "addressable" measures.

Physical Security Measures

Perhaps the simplest part of being HIPAA compliant is ensuring that physical security measures are in place and followed. These requirements focus on physical access to ePHI and to the workstations from which it is accessible. To be compliant you will need workstation use and workstation security policies: procedures that identify what work is done at a given workstation and how it is to be done there, and controls on who can physically reach it. You also need procedures for disposing of media and equipment that may have stored health information, and for removing that information from reusable media before it is reused. A plain delete or quick format is not sufficient for either purpose, because the data remains recoverable; media must be overwritten, cryptographically erased or physically destroyed.

Network Security Measures

The Security Rule's technical safeguards contain five standards that govern access to systems holding ePHI: access control, audit controls, integrity, person or entity authentication and transmission security. To be HIPAA compliant you must assign each user a unique identifier so that activity can be traced to an individual (shared or generic logins defeat this), define an emergency access procedure so that ePHI can still be reached during an outage or crisis, and implement audit controls that record and let you examine activity on the systems and workstations that collect and store ePHI. You must also authenticate anyone requesting access to health information, so that the person is who they claim to be, and protect ePHI against improper alteration or destruction and against interception when it is transmitted over a network.
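The audit-control and unique-user-identification requirements above are only useful if someone actually reviews the log. The script below is an added example, not code from the original post or from Uzado: it parses a small, constructed ePHI access log (the pipe-delimited format, field names and the list of generic accounts are assumptions for illustration), flags activity from accounts that cannot be tied to one person, lists every use of the emergency ("break-glass") access procedure for follow-up, and produces per-user counts for the periodic review the Security Rule expects.

```python
"""Review an ePHI access audit log against HIPAA technical safeguards.

Added example, not from the original post. The record format is an
assumption: timestamp|user_id|patient_id|action|reason, where reason is
"break-glass" when the emergency access procedure was invoked. Real EHR
systems export their own formats and field names.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample log for the example.
SAMPLE_LOG = """\
2017-06-01T08:02:11Z|jsmith|P1001|view|routine
2017-06-01T08:05:40Z|shared_nurse|P1002|view|routine
2017-06-01T09:15:02Z|rlee|P1003|export|routine
2017-06-01T22:41:09Z|tbrown|P1001|view|break-glass
2017-06-01T22:43:33Z|tbrown|P1005|view|break-glass
2017-06-02T01:12:00Z|admin|P1004|view|routine
"""

# Accounts that cannot be attributed to a single person (assumed list).
# Any ePHI access from these violates unique user identification.
GENERIC_ACCOUNTS = {"shared_nurse", "admin", "frontdesk", "root"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user_id: str
    patient_id: str
    action: str
    reason: str


def parse_log(text):
    """Parse the assumed pipe-delimited format; reject malformed records
    rather than silently dropping them, since a gap in the audit trail is
    itself a finding."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(parts)}")
        events.append(AccessEvent(*parts))
    return events


def find_shared_account_use(events):
    """Unique user identification (45 CFR 164.312(a)(2)(i)): any access
    from a generic account cannot be traced to an individual."""
    return [e for e in events if e.user_id in GENERIC_ACCOUNTS]


def find_break_glass(events):
    """Emergency access procedure (45 CFR 164.312(a)(2)(ii)): every
    invocation should be justified and reviewed after the fact."""
    return [e for e in events if e.reason == "break-glass"]


def per_user_counts(events):
    """Audit controls (45 CFR 164.312(b)): a per-user activity summary
    is the starting point for spotting unusual volumes of record access."""
    return Counter(e.user_id for e in events)


def review(text):
    """Run all checks over one log export and return the findings."""
    events = parse_log(text)
    return {
        "shared_accounts": find_shared_account_use(events),
        "break_glass": find_break_glass(events),
        "exports": [e for e in events if e.action == "export"],
        "per_user": per_user_counts(events),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for name, items in findings.items():
        print(f"== {name} ==")
        if isinstance(items, Counter):
            for user, count in items.most_common():
                print(f"  {user}: {count}")
        else:
            for e in items:
                print(f"  {e.ts} {e.user_id} {e.action} {e.patient_id} ({e.reason})")
```

On the constructed log this flags the `shared_nurse` and `admin` logins, lists both of tbrown's after-hours break-glass views, and separates out the one export so a reviewer can confirm it was authorized. Bulk exports and break-glass use are exactly the events that should generate a ticket rather than sit unread in a log file.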

Process Security Measures

These administrative measures are probably the most difficult to implement, and the most important. To be compliant with HIPAA, your organization must perform a risk analysis, manage the risks it identifies and have documented procedures in place. You must designate a security official (and, under the Privacy Rule, a privacy official) responsible for compliance. You must regularly audit and review the use of workstations and systems. Sanctions need to be in place to discipline employees who breach policy. If several organizations share access to files or workstations, you must ensure that only authorized people can reach health information. You are also required to develop a contingency plan that protects ePHI in an emergency, to evaluate your compliance periodically and update it when necessary, and, when you engage another business that will handle ePHI on your behalf, to put a business associate agreement in place that obliges it to operate in compliance with HIPAA.

Addressable Measures

In addition to the required implementation specifications, the Security Rule marks a number of items as "addressable." Addressable does not mean optional: an organization must assess whether each such specification is reasonable and appropriate in its environment and then either implement it, implement an equivalent alternative, or document why neither is needed. These items range from having a facility security plan to protecting your systems against malicious software. They should be addressed by every business dealing with health information, not just to be compliant with the law but to provide more security for patients.


Cybersecurity and Health Care Don’t Mix… Said No One…

Alix Postan

1% of Health Care Organizations say they are not vulnerable to cyber-attacks.

The truth is, cybersecurity and health care should be much more intertwined. HealthCareCAN and the Canadian College of Health Leaders commissioned IPSOS to survey health care professionals in 2017, the year the WannaCry ransomware worm spread to roughly 150 countries and disrupted at least 16 NHS organisations in the UK. After that attack, Canadians wanted to know how secure their own health care system is, hence the survey.

The United States has a protection act (the Health Insurance Portability and Accountability Act, HIPAA) which requires health care organizations to maintain a certain level of cybersecurity. In Canada, we have PIPEDA (the Personal Information Protection and Electronic Documents Act), which applies to federally regulated organizations (banks and telecommunications companies, for example) and to private-sector organizations. According to McMillan, PIPEDA was amended in 2015 with provisions for responding to a breach or an attack; however, it still lacks preventative requirements.

According to the HealthCareCAN and Canadian College of Health Leaders 2017 survey, 85% of hospital CEOs, department heads, medical directors and other senior health administrators say their organizations are vulnerable to cybersecurity attacks. 85%!! The same survey found that 90% of these institutions were confident they are prepared for natural disasters (floods, fires, ice storms and so on) or man-made emergencies (terrorist attacks, infrastructure failures and the like), but not for cyber attacks.

The poll also indicated that 32% of health leaders believe there’s an urgent need for the federal government to become more involved in “setting up standards, oversight and providing leadership to address cybersecurity.” That’s followed by “security monitoring/protection” (22%); “provide funding” (19%); “address IT/cybersecurity issues” (13%); “help with infrastructure” (12%); and “providing plans/strategies” (9%).

The statistics from this article are derived from GlobeNewswire.


Secure Payment Terminals gain ‘Lift off’ with Lufthansa

Alix Postan


If you’ve ever been to an airport (any airport in the world), the first thing you’ll notice is lineups. There are snaked lines at the check-in counters, lineups at the kiosks before the check-in counters, lineups at the coffee shops around the corner from the check-in counters; you get the point.

Lufthansa has recently signed a deal with Amadeus and Ingenico to bring in secured payment systems called “Amadeus Airport Pay”. These payment terminals will be at every check-in counter, so that customers can pay any additional fees right there and then. Previously, customers had to go to another area and line up (of course) to pay the added fees. With payment terminals at the check-in counters, passengers will have one less lineup to worry about, a service that emphasizes convenience and saves time and aggravation.

Here’s the important part! The Amadeus Airport Pay terminals are secure to use, as they meet the Payment Card Industry (PCI) requirements for payment terminals. By requiring the cardholder's PIN for card payments, the payment itself remains secure. One caveat a security team should keep in mind: a compliant terminal protects the PIN entry and card data inside the device, but the merchant's surrounding network, systems and processes that handle cardholder data still fall under PCI DSS and must be assessed on their own.

Lufthansa projects that these payment terminals will be instituted into 170 airports across the world.


Compliance Does Not Equal Security

David Millier


It’s a serious mistake, and one that too many people make all too often: assuming that your business is secure simply because you’re compliant with all current standards and legislation. Compliance alone isn’t enough to guarantee that your business is as secure as it could possibly be.

A Good First Step

Compliance is the starting point of security for many companies. For example, businesses that want to accept credit card payments will need to ensure they’re compliant with the PCI standards. Standards exist within industries to ensure businesses adhere to some minimum level of security in order to give clients, consumers, and other businesses peace of mind.

But while compliance is a good first step, it is just that: a first step. It is not the end of your business’s security journey.

The Problem with Compliance

Problems arise when ensuring adherence to various standards and laws is the only step a business takes to secure its operations. Most standards and laws contain only minimum requirements. They do not guarantee that you’re doing the most you can possibly do to be secure. While being compliant is better than having no security at all, the bare-bones requirements are often so minimal that they do very little to guarantee security. Take, for example, a standard that requires only annual scanning of systems. New vulnerabilities are disclosed every day, and any exploitable flaw that appears after this year's scan stays undetected until next year's, so your business could be blindsided by a threat that comes up between scans.

Going Beyond

Once your business is compliant with the standards and legislation governing your industry and operations, it may seem like you don’t need to do much more to guarantee your security. After all, no one is asking you to do any more, so becoming compliant should be enough.

This is where many people make the fatal mistake: simply equating compliance with security. For your business to be truly secure, you need to go a step beyond. You must do more, even if no governing body is asking you to. It may not seem cost-effective or efficient, but taking the extra step to ensure your business’s security is vital to your own operations.

What Should You Do?

Taking the extra step beyond compliance can seem like an enormous leap. After all, standards tend to set out measurable steps and finite guidelines for what you need to do. After you’ve become compliant, however, there is much less in the way of guidance; if you only need to scan your systems once a year, no one is going to check whether you’re going beyond that duty and scanning monthly.

Security can take many different forms once you’ve moved beyond simple compliance. You might opt to scan your systems more frequently; some businesses run vulnerability scans once a month or even more often. Others employ vulnerability management software to help them stay on top of potential risks. One of the best steps you can take is to adopt a risk-based approach to vulnerability management: rather than working through findings in raw severity order, you weigh each one by how exposed the affected asset is, what data it holds and whether the flaw is being exploited in the wild, and fix the highest-risk items first. That lets you rationalize your IT security operations and spend effort where it reduces the most risk. Some standards even outline additional or optional steps a business can take to improve its security.
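To make the risk-based prioritization described above concrete, here is an added example (not code from the original post or from Uzado) that ranks a handful of constructed scan findings by risk rather than by CVSS base score alone. The asset names, findings and the multipliers for exposure, data sensitivity and public exploit availability are assumptions chosen for illustration; a real program would calibrate them to its own environment and threat intelligence.

```python
"""Rank vulnerability scan findings by risk, not by CVSS alone.

Added example, not from the original post. Findings and weights are
constructed for illustration.
"""
from dataclasses import dataclass

# Assumed multipliers. Exposure and exploit availability raise the
# likelihood of compromise; regulated data on the asset raises the impact.
EXPOSURE_WEIGHT = {True: 3.0, False: 1.0}      # reachable from the internet?
EXPLOIT_WEIGHT = {True: 2.0, False: 1.0}       # public exploit available?
DATA_WEIGHT = {True: 3.0, False: 1.0}          # holds PHI / cardholder data?


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float                  # CVSS base score, 0.0 to 10.0
    internet_facing: bool
    holds_regulated_data: bool
    exploit_public: bool


# Constructed sample findings for the example.
SAMPLE_FINDINGS = [
    Finding("payroll-db", "RCE in database service", 9.8, False, True, False),
    Finding("web-kiosk", "auth bypass in kiosk app", 6.5, True, False, True),
    Finding("dev-vm", "RCE in build agent", 9.1, False, False, False),
    Finding("patient-portal", "SQL injection in login", 7.5, True, True, True),
]


def risk_score(f):
    """Severity (CVSS scaled to 0..1) times likelihood and impact factors."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.asset}: CVSS out of range: {f.cvss}")
    likelihood = EXPOSURE_WEIGHT[f.internet_facing] * EXPLOIT_WEIGHT[f.exploit_public]
    impact = DATA_WEIGHT[f.holds_regulated_data]
    return (f.cvss / 10.0) * likelihood * impact


def by_cvss(findings):
    """The naive ordering most scanners present: highest base score first."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings):
    """Risk-based ordering: highest contextual risk first."""
    return [f.asset for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    print("CVSS order :", by_cvss(SAMPLE_FINDINGS))
    print("Risk order :", by_risk(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"  {f.asset:<15} cvss={f.cvss:<4} risk={risk_score(f):.2f}  {f.title}")
```

On these inputs the pure CVSS ordering puts the isolated `payroll-db` and `dev-vm` hosts at the top, while the risk ordering moves the internet-facing patient portal with a public exploit and regulated data to first place and the kiosk's "medium" 6.5 ahead of two "critical" findings. That reshuffle is the whole point of a risk-based program: the same scan data, prioritized by what an attacker can actually reach and what it would cost you.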

The Benefits

You need to move beyond simple compliance for your own peace of mind, and the methods you use to ensure your business is secure are largely up to you. Although the initial cost of running additional scans or adopting vulnerability management software may seem daunting, the benefits far outweigh it. Mitigating risks, both known and unknown, now and in the future, is imperative for any business owner.
