HIPAA Tips from the Trenches
Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was comprised of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems. I started off by asking the panelists how these challenges have evolved over the years, anticipating that the conversation would soon turn to the challenges faced by newer technologies such as cloud computing and artificial intelligence. But it was the panelists' opinion that many in the health care space continue to struggle with the basics, including basic HIPAA compliance.
Two of the panelists referenced specific resources that I believe would be helpful to our readers.
The first resource arose in the context of risk assessments. The panelists all described the importance of conducting HIPAA risk assessments, with one pointing out that nearly all of OCR's disciplinary actions reference a failure to conduct an adequate risk assessment. The panelist recommended the National Institute of Standards and Technology's Guide for Conducting Risk Assessments as the foundation for any risk assessments. Readers would be well served by referencing it when they conduct or update their own risk assessments.
The second resource was mentioned in response to an audience member's question about the basic steps that health care entities can take in order to shore up their security. A panelist pointed to the Center for Internet Security's "CIS Top 20." The CIS Top 20 is a list of 20 security actions that should be prioritized in order to secure your organization's systems. The list was revised earlier this year, so readers can be sure that it covers the latest threat vectors and vulnerabilities.
We will continue to provide links and discussion about resources that can help your organization reduce the likelihood of security incidents.