New Health Insurance Portability and Accountability Act (HIPAA) rules went into effect last year, causing big waves in healthcare IT that affect healthcare providers and IT services in San Diego. New, stiffer requirements mandate stricter security protocols and create a complex liability chain for all parties involved. Addressing a few confusing myths about the new HIPAA rules can help clear up common misconceptions for both healthcare professionals and managed services in San Diego.
Myth #1: Obscurity Means Security
Many healthcare providers carry the misconception that obscuring or obfuscating a network ensures information security. Common techniques, such as hiding a router’s SSID or segregating a portion of a network, only offer the illusion of security. The first method has proven to be obsolete and easily penetrable, and the second still leaves many openings through flash drives or other external devices.
Delaying necessary antivirus patches and software updates on such segregated networks actually makes them more vulnerable. Despite these glaring flaws, healthcare professionals continue to use this method to “secure” Patient Health Information (PHI).
Myth #2: Both Google and Microsoft Email Programs Are HIPAA-Compliant
Office 365 and Google Apps are the most common email applications in the corporate world, but only Microsoft should actually be considered HIPAA-compliant. While both programs are HIPAA-capable, “capable” and “compliant” are hardly the same. And though both companies encrypt data stored at rest and during the last leg of transit, only Microsoft is willing to sign a Business Associate Agreement (BAA).
This key agreement is what separates “compliant” from “capable.” Google has so far not been willing to sign a BAA, effectively removing itself from the liability chain. Using Office 365 with Microsoft Exchange Hosted Encryption offers end-to-end encryption and ensures that providers stay HIPAA-compliant.
Myth #3: Antivirus Programs Can Protect Any Version of Windows
Windows XP and Windows Server 2003 are going out of service. Microsoft has been announcing this for years, but these two versions of Windows are still commonly used in healthcare settings. Support will end in July 2015, and once it does, so does any HIPAA compliance. An antivirus program may sound good on paper, but it may not sound so good in court.
To prepare for these operating systems’ end-of-life, plan to upgrade systems piecemeal. Isolated networks that run on XP or Server 2003 need to be upgraded for the same reason mentioned above: obfuscation does not mean security, and it could be risky in court.
Finally, chances are that any upgrade will include new machines. These machines should all be Original Equipment Manufacturer, as opposed to custom-built or inexpensive copies. Warranty-backed systems are safer, more stable, and of higher quality. The sooner you upgrade, the more money you save, since prices will certainly rise as the deadline approaches.
Myth #4: Physical Security is as Good as Encryption
A locked office with a camera system may prevent robbery or physical intrusion, but what happens if a successful breach occurs? One recent physical incursion caused the loss of 4 million patient records, and there was no encryption in place. These systems could have easily been encrypted for free.
To safeguard data, use a free program like BitLocker, encrypt backups, and centralize safe data with remote desktop software. Keeping secure data off individual workstations – and enforcing this policy across the workplace – saves money, reinforces legal defensibility, and reduces potential leaks.
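As an added example (not part of the original article), the following read-only PowerShell audit checks a workstation for the two gaps described in Myths #3 and #4: an end-of-life Windows version and a volume that BitLocker is not fully protecting. It assumes Windows 8 / Server 2012 or later with the BitLocker module, run from an elevated session.

```powershell
# Added example, not from the original article. Assumes the built-in
# BitLocker module (Windows 8 / Server 2012+) and an elevated session.

function Test-UnsupportedWindows {
    # Kernel versions 5.1 (Windows XP) and 5.2 (Server 2003) lose vendor
    # support in July 2015, and with it any defensible compliance posture.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $major, $minor = $os.Version.Split('.')[0..1] | ForEach-Object { [int]$_ }
    $unsupported = ($major -eq 5 -and $minor -in 1, 2)
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Caption     = $os.Caption
        Version     = $os.Version
        Unsupported = $unsupported
    }
}

function Get-UnprotectedVolumes {
    # A volume that is not both fully encrypted and actively protected would
    # expose any PHI stored on it if the machine were stolen.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
    } | Select-Object MountPoint, VolumeType, VolumeStatus,
                      ProtectionStatus, EncryptionPercentage
}

$osReport = Test-UnsupportedWindows
$osReport | Format-List

$gaps = Get-UnprotectedVolumes
if ($osReport.Unsupported -or $gaps) {
    Write-Warning "Safeguard gaps found on $($osReport.Computer)"
    $gaps | Format-Table -AutoSize
    exit 1
}
"No OS or BitLocker gaps found on $($osReport.Computer)"
```

A non-zero exit code lets the script be scheduled across a fleet and collected centrally, so unencrypted workstations holding PHI are found before an incident rather than during one.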
Myth #5: HIPAA-Compliant IT Covers All the Bases
Full HIPAA compliance, of course, means a full set of protocols, procedures, and processes, in addition to secure IT systems. Secure systems training needs to accompany basic security protocols, such as strong password guidelines, locked computer equipment, and two-factor authentication.
Covered entities need to be very cautious and concerned about such peripheral security measures. Legal HIPAA compliance requires a full spectrum of safeguards, from the post-it to the data center.
Misconceptions about HIPAA’s new regulations abound, and the new rules now extend coverage to include IT service providers. With such an expanded and complex liability chain, and a constantly changing landscape, learning the ropes can be a challenge. Both medical providers and providers of IT support in San Diego should work together to ensure that they are fully compliant.