Are You Really HIPAA/HITECH Compliant?

With all the new electronic devices in your office, can you truly say that you are HIPAA/HITECH compliant? Will your security features and controls actually prevent the breach of personal health information?

As a physician, you are probably still learning the ins and outs of your electronic health records while trying to keep your billings at a sustainable level and struggling to meet the meaningful use requirements for your incentive funds. However, with all the new electronic devices in your office, can you truly say that you are HIPAA/HITECH compliant?

Will your security features and controls actually prevent the breach of personal health information, or are your patients unknowingly at risk of identity theft?

Vulnerability assessments

This assessment uses automated tools to examine your network system and can provide the evaluation of your network weaknesses, as well as suggested procedures to mitigate or eliminate these weaknesses, and bring them to an acceptable risk level. A few examples might be that you have out-of-date anti-virus software, the presence of network hacking tools or that an application has an upgrade or service pack that improves security. It can also include design flaws, configuration errors and software bugs.

At least two scans of your entire system are required during a vulnerability assessment. The first inventories your network assets and resources and identifies known risks, providing a baseline evaluation for determining appropriate safeguards. The vulnerabilities are then addressed in a report that is intended to rank existing vulnerabilities by severity, and provide information on how to correct each vulnerability. This allows the practice to create a remediation plan, and complete corrective actions efficiently.

Once corrections are made, a second scan is performed to provide verification that remedial actions were successful. It is suggested that subsequent scans be done periodically (at least annually) to illustrate trends and identify any new threats. Vulnerability assessments identify the exposure to risks and provide suggestions for mitigation of the risks identified, but do not test the network or its resistance to hackers.

Penetration testing

A second test of your network provides validation of the security risks and is known as penetration testing. Best practices and procedures in federal government and IT industry guidelines suggest that penetration testing be done on a regular basis.

Penetration testing should be performed at least annually or whenever significant hardware or software application changes are made. The goal of penetration testing is to breach the security of your network and gain access to sensitive data in a controlled, safe environment. A “controlled hacking” of your system will occur under a predetermined scope so as to not interrupt normal operations. This is an aggressive measure for simulating an attack on your system and identifying the entry points.

It is of utmost importance that the third party providing the test knows how to limit the scope of the test to identify weaknesses while avoiding system damage, data loss, disclosure of protected health information or business interruption.

The report should identify the level to which an unauthorized user can access the network or data, and the damage that could be incurred due to this exploitation. The information will allow you to select and refine effective security controls and take steps to deny entry into your infrastructure.

Efforts to safeguard

With your internal and external networks, wireless and remote access, personal and office mobile devices, websites, social media, changes in operating systems and database applications, etc., your office is subjected to an incredible number of new threats each day.

Medical devices and even your car can be hacked these days, and hackers continue to become more sophisticated in their methods. The threat of substantial penalties from the enforcement of HIPAA regulations is forcing practices to take notice and reassess the security of their patient information.

Vulnerability assessment and penetration testing can assist in the identification and closure of the security holes in your system, and provide documentation of the efforts to safeguard protected health information should you be subjected to an audit.

Beverly A. Miller, CPA, CAPPM is Manager of Physician Services at Hayflich Grigoraci PLLC in Huntington, WV and Past President of the National Association of CPA Healthcare Advisors (HCAA). She has been heavily involved in practice startups, as well as aiding existing practices with billing issues, accounting issues, staff modeling and selection, project analysis, contracting, financial management, compliance issues, technology issues, and tax planning. Beverly can be reached at (304) 697-5700.

Hayflich Grigoraci PLLC is also a proud member of the National CPA Health Care Advisors Association (HCAA). HCAA is a nationwide network of CPA firms devoted to serving the health care industry. Members provide proactive solutions to the accounting needs of physicians and physician groups. For more information contact the HCAA at info@hcaa.com or visit www.hcaa.com.