Finding the Right Balance for Your Organization: The Difference between Base HIPAA Compliance and Cybersecurity Best Practices
When organizations are making decisions about implementing privacy and security controls, whether in preparation for EHNAC Accreditation, HITRUST, other certifications, or simply HIPAA/HITECH compliance, the area of cybersecurity best practices can cause confusion.
The two most important things to know when implementing healthcare cybersecurity policies and procedures in your organization are:
- Your Organization
- What is required versus what is recommended as a Best Practice?
Know Your Organization
Understanding your organization’s compliance posture, risk tolerance, the people who do the work, and the technology and tools that support them is the foundation of successful privacy and security compliance. That understanding includes knowing the landscape of your organization from the perspective of its workforce members. Consider the following:
- Do workforce members come on-site to conduct business or are they allowed to work virtually or in alternative locations?
- How is your business subject to HIPAA as a Covered Entity? A Hybrid Entity? A Business Associate?
- What is the status of current written policies, procedures, and risk tolerance as they relate to the administrative, physical, and technical aspects of the data you handle?
- Is your data classified (Protected Health Information versus Personally Identifiable Information, or additional categories that include, but are not limited to, confidential business information)?
- Do you conduct ongoing threat and risk analysis? What kind of ongoing monitoring occurs?
- Can PHI be remotely wiped from any mobile device at a moment’s notice?
- Can you provide a current inventory/asset list of all hardware and software?
- Do you know who your downstream business partners are, how they handle the data you entrust to them, and whether they conduct ongoing risk analysis to safeguard that PHI?
- Is there a process to stay current with standards and best practice recommendations, such as NIST cybersecurity guidance or the 405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients document?
Know What Is Required versus What Is Recommended as a Best Practice
Organizations subject to regulatory requirements, such as the HIPAA Rules, must implement minimum standards to safeguard their data.
Organizations may also want to consider additional measures and industry best practices, including the 405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients document, which outlines the five major threats facing the healthcare industry and ten practices that can be used to mitigate them. Educational materials from NIST and other Standards Development Organizations on privacy and security topics can also be used to supplement the regulations.
When deciding whether to implement a best practice recommendation, weigh the risk of not implementing it against the cost and complexity of implementing it in your organization. There are many factors to consider, including risk tolerance and exposure, scale, data and PHI flow, and business partners. Document the rationale for why a standard or best practice is or is not applicable, and include that rationale in your policies and implementation practices. Recording it in your risk analysis ensures the decision is revisited as your organization evolves and technology changes.
Cybersecurity risks are enterprise risks. They can affect every aspect of your organization, including its reputation, and the most important risk is to patient safety, which is the cornerstone of every healthcare organization. Determining the appropriate balance between what regulation requires for the data you handle and which best practices to implement beyond that is a central part of the cybersecurity assessment and implementation process. Properly assessing needs, requirements, applicable standards, the need for third-party services, and which cybersecurity best practices to employ all shape the strategy and tactics you choose for your organization.