HIPAA IT Challenges

Last updated: November 4, 2020

Some of the HIPAA challenges for an organization include:

  •    Assuring that patients receive their own medical records in a timely manner
  •    Attaining a level of security provided and maintained by information technology (IT)
  •    Balancing education of staff with enforcement

Examples include: (National Association of Independent Review Organizations, 2018)

  1.    Missing patches for operating systems and applications. Without the latest security updates to both the operating system and application software, the organization is placing itself at unnecessary risk.
  2.    Failure to monitor and detect sensitive data loss (data exfiltration). This process should be automated. An organization should be the first to know if it has had a breach.
  3.    Weak passwords. Select strong passwords, for example using lower-case and upper-case letters, numbers and symbols. Another option is to require “multifactor authentication” to log in.
  4.    Lack of logs and audit trails that can be used to conduct forensics to identify and respond to a breach. Similar to an organization’s failure to monitor for a data breach, a lack of “threat intelligence” can doom an organization.
  5.    Some applications have deficiencies in coding, which can lead to a breach. The instructional IT expert should be expected to double-check the security of a given application.
  6.    Lack of security validation for new systems. Security compliance should validate that systems are configured securely. In addition, the electronic health record (EHR) system needs to be assessed via a thorough round of vulnerability and penetration testing.
  7.    Missing or outdated anti-malware technology. For the best outcomes, anti-malware updates should be automatic and centralized, not left to individuals to update their own computers.
  8.    No encryption of sensitive information in transit. Email and files should be encrypted for greater security.
  9.    Lack of trained staff to maintain security controls. While many organizations face a budget crunch when it comes to employing full-time IT staff, there are ways to maximize resources, including free training.
  10.    Outdated disaster recovery plans. A disaster recovery plan should be consistently updated to avoid missteps when a breach does occur.

(HHS, 2018).