At HIPAA Secure Now, we know that performing regular Security Risk Assessments (SRAs) is a critical part of building a robust HIPAA compliance program and protecting your patients’ protected health information. Based on our years of experience conducting SRAs, we want to highlight 5 vital recommendations that frequently arise and discuss why properly addressing them is so important for covered entities. For more SRA tips and tricks, you can check out our full November 2023 webinar, Understanding Your SRA.
1. Training and Simulated Phishing
While annual HIPAA training is mandatory, our SRAs often reveal opportunities to implement more robust and specialized security modules to fill knowledge gaps. Simulated phishing exercises dynamically test how vulnerable employees are to real-world attacks aimed at capturing patient data or distributing malware. This modern, hands-on approach to training is the frontline defense that anchors all other technical safeguards. HIPAA training cannot be a static, once-a-year checkbox – it requires continuous reinforcement through engaging simulations that build workforce resilience against emerging cyberthreats.
Encryption transforms patient data into coded form that is only decipherable with specialized cryptographic keys, ensuring security. Robust encryption safeguards could prevent breaches of files or systems from necessitating HIPAA incident reporting if the protected health information remains securely encrypted. We find many clients have misconceptions around encryption requirements, so it’s important to clarify best practices like encrypting endpoint devices and avoiding over-reliance on cloud service encryption. Patient data saved locally, whether intentional or accidental, remains vulnerable without local encryption solutions like VeraCrypt for Windows or FileVault for Mac. Implementing endpoint encryption is a relatively easy, cost-effective way to significantly expand your safeguards.
3. Audit Log Review
One required SRA recommendation is formally documenting your audit log review process for systems containing protected health information. Details should include which systems are reviewed, the frequency (aim for at least monthly), and documentation of both actions taken and instances where no action was required. Regular, thorough audits strengthen security and aid in quickly detecting and responding to incidents. We find many clients struggle with optimizing this process.
Best practices for audits include increasing frequency wherever feasible and focusing reviews on identifying anomalies or red flags outside normal activity patterns. For example, if your business is open from 9 am- 5 pm regularly, confirm that EMR access logs correspond to these regular business hours. If you started to notice frequent logins at 2 am, this could be a red flag indicating an internal or external threat. With the average breach going undetected for 329 days, thorough logging and auditing could lead to a quicker response time and minimized damage from unauthorized access.
4. Business Associate Agreements & Oversight
If third-party vendors have any interaction with your patient data, HIPAA mandates that they sign BAAs and take privacy and security seriously. We recommend taking the extra step to verify their HIPAA compliance program, including confirming they provide HIPAA training. Our portal has a complete list of questions for you to both ask your business associates and document this due diligence.
5. Password Controls
Older password recommendations still found in some policies, like mandated periodic resetting, have been superseded and can actually undermine security. Make sure your controls follow modern guidance focused on increased length and complexity over frequent rotation. Passphrases, such as P!nkeleph@ntdr1nksCheeri0s, are encouraged due to their memorability.
Strengthening these vital areas by properly addressing SRA findings goes a long way to building comprehensive HIPAA compliance programs. Reach out to our experts if you need assistance with your SRA or implementing recommended safeguards.