A thorough and robust security maintenance plan is necessary to meet HIPAA requirements and regulations. Certainly, there’s a lot of information available on best practices for HIPAA compliance. Most of the healthcare organizations I talk to have security initiatives in place and are well versed in HIPAA requirements.
But here’s a sobering fact: according to the Security Engineering Team Quarterly Threat Report for Q2 2016 from NTT Security (formerly Solutionary), 88% of all ransomware attacks in 2016 targeted healthcare organizations. That’s kind of a staggering number, isn’t it? Please click responsibly.
So, what makes a good security plan? The first step is to write it down—a written plan is an actual HIPAA requirement. But you need to go beyond putting a series of controls in place and develop a strategy to manage change. All environments evolve, and keeping up with these changes, especially with more mobile and wearable devices coming into use, affects your supporting security documentation.
Another key step is to make sure you properly train your staff on how to protect patient data. Firewalls, passwords, and other safeguards are not sufficient if your users don’t follow security protocols.
Finally, you need the right monitoring and alerting in place so that you are notified of breaches as soon as possible. It’s a sad truth that we can’t say “if a breach occurs,” but must say “when.” The best course of action is to set up notifications and have a mitigation plan ready. This includes creating an incident response plan and understanding your local breach notification laws.
To learn more about best practices for protecting your sensitive data, take a look at the white paper Searching for Security: The Importance of Planning and Maintenance for Long-term HIPAA Compliance.