We here at eQuoteMD had the opportunity this week to attend a HIPAA Workshop in St. Louis, Missouri sponsored by the Keane Insurance Group, Keystone IT Consulting, and the Sandberg Phoenix & Von Gontard law firm. The focus of this workshop was IT Security, specifically as it applies to the healthcare industry in light of HIPAA and other regulatory laws. While IT can seem daunting to those outside the field with all the tech talk and the ever changing technology, it’s important for doctors and/or their office managers to get a handle on what is necessary to achieve compliance. We’re now in an era where it’s simply not enough to install a firewall and a virus blocker and hope nothing happens. The rules have changed, and audits are happening with greater frequency than ever. Perhaps more importantly though, with the widespread adoption of electronic protected health information (ePHI), practices have a greater obligation than ever to ensure their patients’ privacy and the protection of their data.
In some cases this may mean getting educated yourself, but often it will also mean partnering with someone that can shepherd you through the process of becoming and remaining compliant. IT security professionals make it their business to keep up with the two moving targets that form the twin focus of IT security: public policy and technology. And it was from those two perspectives that our workshop presenter spoke as he educated us on some of the crucial elements of IT security for a medical practice.
Here are some of the topics we covered during the course of the workshop:
- Developing a culture of being educated about Information Security. This is the place to start and perhaps the hardest sell. You don’t have to know everything and yes, you can hire professionals to help you, but as our presenter stressed, Information Security is not something you simply bolt on to a fully formed organization. It should be part of the design of your practice from the ground up, and it should be integrated at every level.
- Missing or outdated security policies. The first question is: do you have security policies? Then the second is: if so, when is the last time they were updated? Reviewed? Thought about? Security policies aren’t just documents that can be created and put on a shelf. They have to be dynamic and flexible because technology and the law both change. For instance, if your security policies haven’t been updated since the changes to HIPAA that have gone into effect over the past few years, they are almost certainly woefully out of date and unable to guide you toward compliance.
- Preventing end-user over-access. The goal should always be for users to have only as much access to secure data as they need to perform their jobs. But our tendency is to give out more access than necessary, just in case we need it. The presenter emphasized that limiting end-user access is one important way that we can protect ourselves from ourselves.
- Avoiding missing security patches. This is a pretty simple point, but it’s one that often gets overlooked. It can be such a hassle to update systems that we are familiar with that, before we know it, we’re working with software that is out of date and thus not secure. Windows XP anyone?
- Ensuring mobile device and remote access security. This is one of the most challenging aspects of information security today. The prevalence of “prosumer” devices (i.e. devices that are used both for personal purposes and to access data from one’s professional life) such as smart phones and tablets means that data that needs to be secure is everywhere. While there are plenty of challenges in this area, working with your IT professional to limit data to secure servers that are merely accessed by these types of devices rather than allowing sensitive data to be stored locally on multiple devices is one of the first and most obvious steps to take. Another is to have and enforce strict policies regarding remote access of data and device security. It may not be the most popular policy, but it’s vital to protect your patients and your practice.
- Understanding the stages of compromise and detection. This is a huge topic that our presenter was only able to scratch the surface of, but if there was one takeaway it was this: be prepared. You have to have plans both for detecting a serious breach and for responding to it. You have to be able to assess the degree of the compromise, and then know how to contain the problem, eradicate the cause, recover from the damage, and learn from the incident.
This workshop was a great opportunity for us to learn and think through the challenges that those of you in the medical community face when it comes to balancing data security with the day-to-day tasks of running a successful practice. One of the biggest takeaways for us was the importance of not viewing those two goals (data security and running your practice) as being in competition. A healthy long-term approach to data security sees it as a fundamental part of the practice and one of the components that makes for the successful day-to-day operation of a healthy practice.
If you’re near the St. Louis Metro area keep an eye out for the next HIPAA seminar. They are held every few months on various topics related to HIPAA and compliance. We’d love to see you at one.