Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

Controls for Maintaining HIPAA Security Rule Compliance

down-arrow

The Healthcare Insurance Portability and Accountability Act (HIPAA)’s primary objective is to ensure the protection of patients’ privacy as it relates to sensitive healthcare information. As more Protected Health Information (PHI) began to be stored digitally, in turn giving rise to electronic protected health information (EPHI), the Department of Health and Human Services the mandate of HIPAA to include security measures to protect EPHI. The HIPAA security rule, together with the HIPAA privacy rule, make up a cornerstone security standard for health care information technology teams.

[What is the HIPAA Security Rule?]

Controls for Maintaining HIPAA Security Compliance

Risk Assessment (§ 164.308(a)(1))

As part of the Security Management Process under Administrative Safeguards, a risk assessment enables organizations of all kinds to gain a greater understanding of possible risks that are both common in the industry and unique to the organization. With many enterprises adopting a risk-first approach to information security rather than checkbox compliance, a risk assessment is critical to better understanding the organization itself.

The HIPAA Security Rule specifically cites the NIST RMF as the recommended methodology for a risk assessment under HIPAA. The value of using the RMF risk methodology is the ability it grants to walk that data easily into the NIST Cybersecurity Framework as well. While this can be a long-term undertaking for organizations, working with the RMF sets the foundation for adopting the CSF as well when the time is right.

Designated Responsibility (§ 164.308(a)(2))

Designated responsibility also falls under administrative safeguards. For any organization that is HIPAA compliant, this is probably one of the first controls implemented: ensuring that someone within the organization is responsible for HIPAA compliance.

However, digging deeper into that element, it is critical for any organization handling sensitive data, especially healthcare organizations handling EPHI, to have a clear chain of responsibility regarding compliance and data protection. Expanding on that, having a solution like CyberStrong that enables and tracks the ownership of both assessments as a whole as well as individual controls allows for a clearer understanding of what is getting done to improve security posture and streamline a post-mortem following an assessment or cyber event.

Access Controls (§ 164.312(a)(1))

Access controls range from regularly ensuring that over the course of employee lifecycles, system access is regularly updated, and procedures are implemented to eliminate unauthorized access. While technology plays an essential role in securing an organization, too often, organizations lean on it to supplement weak or potentially nonexistent policies, procedures, and people-centric control actions that can greatly impact the organization’s security.

In this case, it is critical to ensure that the organization makes it a practice to review employee access and limit access to the electronic information systems that store EPHI to only those who need it.

Making Sure the Organization Has the Right HIPAA Security Rule Safeguards

The administrative, physical, and technical safeguards outlined in the HIPAA Security Rule are of course all essential to ensuring compliance with this regulation. Although, health information technology teams must ensure that they implement security measures that also support the unique configuration of risks the organization faces. Furthermore, with the precipitous change in how the world approaches healthcare; the rise of telemedicine, increased reliance on cloud and digital technologies to keep patients safe during the COVID-19 pandemic, it is critical that information security leaders expand their view beyond checkbox compliance and focus on reducing risk.

CyberStrong has enabled healthcare organizations to ensure not just HIPAA compliance but takes concrete steps to a more robust cybersecurity program through unprecedented automation and the ability to crosswalk assessment data from one framework (HIPAA) to another (i.e. the NIST CSF). To learn more about how we are helping healthcare organizations maintain HIPAA compliance and increase resiliency, give us a call at 1 800 NIST CSF, or click, here, to schedule a conversation.

You may also like

How to Streamline Your ...
on December 24, 2024

Many industry regulations require or promote cybersecurity risk assessments to bolster incident response, but what is a cybersecurity risk assessment? For example, cyber risk ...

Alison Furneaux
CISO Reporting Structure ...
on December 23, 2024

The Changing Landscape of CISO Reporting The Chief Information Security Officer (CISO) role has evolved dramatically in recent years. Traditionally reporting to the Chief ...

How to Leverage the FAIR Model ...
on December 19, 2024

In light of the Colonial Pipeline cyberattack, measuring risk is on everyone’s minds. However, quantifying risk is often not easy. So many factors go into determining and ...

Kyndall Elliott
How to Effectively Communicate Top ...
on December 9, 2024

Effective cybersecurity reporting is more important than ever for CISOs, CIOs, and other security leaders in today's complex threat landscape. Reporting isn’t just about sharing ...

November Product Update
on November 27, 2024

The CyberSaint team has been working hard to deliver the latest updates to streamline and improve our customers’ user experience and address their top-of-mind challenges. We’re ...

Putting the “R” back in GRC - ...
on December 5, 2024

Cyber GRC (Governance, Risk, and Compliance) tools help organizations manage and streamline their cybersecurity, risk management, and compliance processes. These tools integrate ...