As 2020 is underway, let’s discuss a few things you can do to prioritize HIPAA so you can experience a relatively worry-free year when it comes to compliance and breaches.
We have seen a pattern of organizations that put off completing their Security Risk Analysis (SRA) until the end of the year. The annual SRA tends to get a December 31 completion deadline, primarily driven by MIPS and other incentive programs.
Because many procrastinate until the last minute, there is little time left for remediation. Unfortunately, this causes stress and undue exposure for your organization. So let’s discuss a few things you can do to alleviate end-of-year anxiety and ensure your organization is taking preventative measures year-round to avoid a security incident.
Review your 2019 remediation and action plan
It is important to review your previous year’s SRA to identify what risks still need to be addressed. Once you’ve identified those risks, prioritize them – high, medium and low risk. Starting with the high-risk items, set goals and action items, and then assign dates to each task. This will provide a roadmap for what you should be working on the first few months of the year.
You may be wondering how to assign a risk level to an item. At HIPAA One, we run risks through a Threat Matrix of “Likelihood x Impact = Risk.” With our systems, each item is automatically assigned a risk and prioritized for you, allowing you to begin remediation immediately.
It is important to note that all the items don’t need to be remediated tomorrow. Set realistic goals and timelines for mitigating each risk. The important thing is that you are working on removing the risk, therefore removing the vulnerability and possibility of a breach.
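One way to turn the "Likelihood x Impact = Risk" prioritization and date-assignment described above into a repeatable step (an added example, not HIPAA One's system or code; the 1-5 scales, score thresholds and 30/90/180-day windows are assumptions for illustration):

```python
from datetime import date, timedelta

# Assumed 1-5 scales, score thresholds and remediation windows for this
# example; they are not values taken from HIPAA One's Threat Matrix.
HIGH_THRESHOLD = 15      # score >= 15 -> high
MEDIUM_THRESHOLD = 6     # 6 <= score < 15 -> medium, below that -> low
TARGET_DAYS = {"high": 30, "medium": 90, "low": 180}


def risk_score(likelihood, impact):
    """Likelihood x Impact = Risk, after checking both inputs are on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def risk_level(score):
    """Bucket a score into the high / medium / low tiers used for prioritization."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def build_action_plan(findings, start=date(2020, 1, 2)):
    """Rank open SRA findings by score and give each a target remediation date.

    findings: dicts with 'item', 'likelihood' and 'impact'.
    Returns rows sorted highest risk first, each with score, level and due date.
    """
    plan = []
    for f in findings:
        score = risk_score(f["likelihood"], f["impact"])
        level = risk_level(score)
        plan.append({"item": f["item"], "score": score, "level": level,
                     "due": start + timedelta(days=TARGET_DAYS[level])})
    plan.sort(key=lambda row: (-row["score"], row["item"]))
    return plan


# Constructed sample findings carried over from a prior-year SRA.
SAMPLE_FINDINGS = [
    {"item": "No MFA on remote email access", "likelihood": 4, "impact": 5},
    {"item": "Workstation screen lock disabled", "likelihood": 3, "impact": 3},
    {"item": "Visitor log not maintained", "likelihood": 2, "impact": 2},
]

if __name__ == "__main__":
    for row in build_action_plan(SAMPLE_FINDINGS):
        print(f"{row['level']:6} {row['score']:2}  due {row['due']}  {row['item']}")
```

The sorted output is the first-quarter roadmap: every high item gets a date within 30 days of the start, and the thresholds can be tuned to match your own matrix.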
Begin your SRA at the beginning of the year
Start your SRA at the beginning of the year. This might be a new concept for many, but by doing this, you can identify early on what vulnerabilities exist and work on the remediation items throughout the year.
The vulnerabilities identified are gaps in security. If your home was missing a lock on your front door you wouldn’t wait months to get it fixed. It is the same with the security vulnerabilities identified in your annual SRA. Start working on remediating those items at the beginning of the year, so you are not left vulnerable for an extended period.
Review Policies and Procedures
If I were to ask where your policies and procedures are, would you be able to tell me? Are they quickly accessible and up-to-date or are they sitting on a shelf or in a file collecting dust? With state and federal regulatory requirements constantly changing, it is important to review and update your policy and procedure library often.
With each change to personnel, software and more, those updates should be reflected in your documents. Your policies and procedures should be "living" documents that are changed, at the very least, once a year. Keeping those documents up-to-date is not only required for HIPAA, it will also help guide you in the case of a security incident.
Train new and existing employees as they join the team
We find most breach-related incidents could have been avoided with effective training. An organization’s greatest asset is their employees. Unfortunately, they are also their biggest risk. With regular training and testing, good habits can be reinforced and strengthened. Annual compliance training is a great opportunity to update your staff on the latest methods hackers are using. And it’s important to regularly test your employees to ensure they continue to follow best practices and avoid becoming the next breach.
Experiencing a breach is a painful experience. It not only impacts an organization’s productivity and reputation; it is a huge financial burden. It takes a significant amount of time, money and resources to properly investigate the size and scope of a breach. In fact, many organizations hire an investigative service to help them find and address the issues discovered. A breach has a substantial impact on an organization’s bottom line. Many organizations that experience a breach end up closing their practice due to the financial burden.
Along with training your employees, it's also important to implement tools that add an additional layer of security. For example, if you are using Microsoft Office 365, there are simple settings you can turn on to further secure your organization. Implementing multi-factor authentication and security passphrases is another way to use tools to secure your environment.
Achieving Success in 2020
We recognize that HIPAA compliance seems like one more thing on your to-do list that you would rather put off. However, changing your perspective to see HIPAA as a step to achieving success can help bring value to your organization. By completing an annual SRA, many organizations have seen significant benefits. Not only will it help you pass your audit, it instills a culture of compliance.
With a culture of compliance, employees are happier and more motivated to put their best selves into their work. As employee satisfaction increases, so does patient loyalty, which can result in higher patient retention and acquisition.
HIPAA compliance, when done using tools that simplify and automate the process, can have a significant impact on the success and profitability of your organization. Following the steps outlined above can help you successfully navigate the complexities of HIPAA to achieve success in 2020.