HIPAA IT Challenges
Some of the HIPAA challenges for an organization include:
- Assuring that patients receive their own medical records in a timely manner
- Attaining a level of security provided and maintained by information technology (IT)
- Balancing education of staff with enforcement
Examples include (National Association of Independent Review Organizations, 2018):
- Missing patches for operating systems and applications. Without the latest security updates for both the operating system and application software, the organization is placing itself at unnecessary risk.
- Failure to monitor and detect sensitive data loss (data exfiltration). This process should be automated. An organization should be the first one to know if it has a breach.
- Weak passwords. Select strong passwords. For example, use lowercase and uppercase letters, numbers and symbols. Another option is to require “multifactor authentication” to log in.
- Lack of logs and audit trails that can be used to conduct forensics to identify and respond to a breach. Similar to an organization’s failure to monitor for a data breach, a lack of “threat intelligence” can doom an organization.
- Some applications have deficiencies in coding, which can lead to a breach. The institutional IT expert should be expected to double-check the security of a given application.
- Lack of security validation for new systems. Security compliance should validate that systems are configured securely. In addition, the electronic health record (EHR) system needs to be assessed via a thorough round of vulnerability and penetration testing.
- Missing or outdated anti-malware technology. For the best outcomes, anti-malware updates should be automatic and centralized, not left to individuals to update their own computers.
- No encryption of sensitive information in transit. Email and files should be encrypted for greater security.
- Lack of trained staff to maintain security controls. While many organizations face a budget crunch when it comes to employing full-time IT staff, there are ways to maximize resources, including free training.
- Outdated disaster recovery plans. A disaster recovery plan should be consistently updated to avoid missteps when a breach does occur.