10 Actions for Business Associates to Build a Strong HIPAA Compliance and Cybersecurity Program
While most healthcare organizations agree that Health Insurance Portability and Accountability Act (HIPAA) compliance is paramount and a robust cybersecurity program is a must, the reality is the industry, as a whole, has many challenges when it comes to building these programs from the ground up.
From a shortage of trained, qualified professionals, to a lack of funding and executive support, many organizations just don’t have the people, processes and tools they need to effectively and efficiently build and maintain these programs.
Too often, organizations get bogged down trying to understand the requirements, or buy expensive tools in search of quick fixes, instead of establishing the fundamental governance structure and implementing the processes that effective compliance and cybersecurity programs require.
But meeting these challenges head-on is paramount, and if you’re a vendor, effective HIPAA compliance and cybersecurity programs aren’t just good for business; they can help you stand out from your competitors.
So, if you’re a vendor, how can you ensure you’re not only meeting cybersecurity and compliance requirements, but you’re also quickly closing new opportunities and mitigating unexpected expenses and delays related to cybersecurity and compliance inefficiencies?
Here are 10 Ways You Can Turn Your HIPAA Compliance and Cybersecurity Program Into a Competitive Advantage:
- Put a privacy and security risk management and governance program in place
Like building a house, your risk management, cybersecurity program, and HIPAA compliance programs should begin with a solid framework.
When it comes to compliance and cybersecurity, there are a variety of existing frameworks from which you can build.
One example is the NIST Cybersecurity Framework. Intended for organizations in critical infrastructure industries, such as healthcare, this framework lays out the security objectives and activities an organization should adopt as part of a comprehensive program. It also provides references to standards, best practices, and guidelines to assist organizations in understanding how to best execute the identified activities. Perhaps best of all, this framework is free to any organization and available along with supporting documents on the NIST website.
When using the NIST Cybersecurity Framework or any other framework, be sure to map your organization’s requirements, including the HIPAA requirements, into your organization’s target profile. While unofficial, the Office for Civil Rights (OCR) has mapped the HIPAA Security Rule requirements to the NIST framework and made the mapping publicly available. This gives organizations of any size or budget a way to adopt a framework, start building, and mature the program over time.
- Develop and implement HIPAA privacy, security, and breach notification policies and procedures
After picking your framework and creating a target profile, you’ll need to begin implementation. This should include developing and implementing HIPAA privacy, security, and breach notification policies and procedures.
At a minimum, you should include all the policies and procedures required for your organization’s compliance.
Not sure where to begin? Many organizations have HIPAA policy and procedure templates you can use to ensure you meet those strict requirements.
- Train all members of your workforce
Next, it’s important to educate team members throughout your organization about your programs so they understand the policies and procedures you’ve created.
Some policies and procedures will be applicable to everyone. Some will be applicable only to specific people or job functions. With appropriate training, you can help your team members understand what they’re expected to do, when they need to do it, and how to handle their related roles and responsibilities. Make sure the right people get the right information they need to facilitate compliance and cybersecurity success.
- Complete a HIPAA security risk analysis
It’s important to understand where you have risks within your organization’s IT ecosystem, what those risks are, and how significant they may be. Remember that for many organizations that ecosystem extends well beyond the organization itself to the vendors with whom you exchange information and who provide IT-related services.
As part of HIPAA requirements, your risk analysis should include all of the systems used to create, maintain, receive, or transmit electronic protected health information (ePHI).
But don’t forget to include your non-HIPAA related operational systems such as your finance software or human resources solution. These and similar systems are critical for your operations, so you should clearly understand all the risks associated with their operations as well.
As you identify threats and vulnerabilities to your systems, make sure you understand the likelihood of each threat exploiting a vulnerability, the potential impact to your organization if it did, and the existing and potential controls that are or could be used to mitigate those risks by reducing either the likelihood or the impact. This will help you prioritize your risk management efforts.
Here’s an example: Let’s say Company A uses a third-party vendor to process insurance claims. A lot of ePHI will be exchanged between Company A and the claims vendor. If you’re the vendor, you’ll need to have sufficient security controls in place to give Company A a level of comfort that the risk to them and their patients is acceptable before they will contract with you. Typically, Company A will send the vendor a survey or questionnaire to understand their risk. If the vendor has done a comprehensive risk analysis, they are in a position to promptly and effectively respond to the survey.
- Address HIPAA security risk management
Once you’ve completed your risk analysis and know what and where your risks are, you need to treat those risks. There are several options, including accepting, avoiding, transferring, or mitigating each risk. In most cases you will look to mitigate risks. This involves selecting and implementing controls that reduce the risks to levels that are acceptable for your organization. As mitigating controls are selected, decisions will need to be made on who will be responsible for implementing the controls, who will handle specific tasks during implementation, and when the implementation will be completed. It’s important to track your mitigation and remediation progress and follow up, as this is both a best practice and required under the HIPAA Security Rule.
- Complete a HIPAA security evaluation
Next, you should have a HIPAA non-technical evaluation performed. In a non-technical evaluation, the evaluator looks at how well your organization has adopted the security policies and procedures required by the HIPAA Security Rule. During this examination the evaluator may discover gaps in your security program. These gaps represent areas where your organization can continue to improve the implementation of its HIPAA compliance and security programs.
- Complete technical testing of your environment
After completing a non-technical review of your HIPAA security, you should also tackle technical testing. Unlike the non-technical evaluation that focuses on policy and procedures, technical testing will help you to discover whether or not you have weaknesses within your existing IT infrastructure and applications.
For example, you could do vulnerability assessments, penetration testing, and web application testing. During these tests, you’re assessing the existing technical and, in some cases, physical controls of your systems and infrastructure. Just as with the non-technical evaluation, weaknesses and vulnerabilities identified during testing should inform future risk analysis.
Don’t forget the importance of routine retesting to ensure your processes and controls work as you designed and you don’t have any new vulnerabilities within your system.
Leading organizations now include anti-phishing campaigns as part of their technical testing program. Unlike traditional technical testing that looks for technical vulnerabilities, anti-phishing campaigns assess how vulnerable your workforce is to email-based social engineering attacks. Currently this is the most common method bad actors use to introduce malware into healthcare organizations, so identifying where additional training is needed and providing it can be a very effective risk reduction investment.
- Implement a strong, proactive business associate management program
After completing technical testing, it’s time to evaluate the risks associated with your business associates. If you’re a vendor, you may also work directly with other vendors. That means, just like the organizations you work with who put you through risk assessments, you should do the same with your own vendors.
Understand the risks related to working with each vendor. Be sure you have a vendor management program so you can evaluate those risks and decide whether the risk level is acceptable to your organization. If not, you can always seek a new vendor and complete additional assessments until you find the one that best meets your risk mitigation requirements. Also, consider whether you need to have a business associate agreement in place with the vendor, as required by HIPAA.
- Complete Privacy Rule and Breach Rule compliance
It’s important to understand to what extent you need to manage privacy. Know where you stand relative to your applicable HIPAA Privacy Rule and Breach Notification Rule requirements. There are significant potential financial penalties associated with breaches, many of which may be avoided or reduced if you are compliant with applicable laws and regulations, including HIPAA.
- Document and act upon a remediation plan
Rinse and repeat. This is an ongoing program. You should continuously document your progress, create and maintain a remediation plan, and follow through. These steps will help strengthen your program over time.
Creating robust cybersecurity and HIPAA compliance programs helps you differentiate your business from other vendors. With these programs in place—and maturing—you can demonstrate to covered entities that you can respond promptly and positively to security questionnaires and you have everything you need for great business associate agreements.
These steps can help you show potential customers that if they work with you, there are reduced risks compared to competitors.
The ClearAdvantage® Program for Business Associates can give you a competitive edge when it comes to creating your privacy and security programs. We can help you create, implement, and improve your programs including risk management and governance, policy and procedure development, risk analyses, compliance assessments, gap analyses, risk remediation, scanning and reports, pen testing, and more.
Are you ready to start building your program today? Check out our on-demand webinar, Turning your HIPAA Compliance and Cybersecurity Program into a Competitive Advantage, or contact a Clearwater advisor.