9. Cybersecurity Controls and Insurance
Cybersecurity is security applied to computers, computer networks, and the data stored on and transmitted over them. Recent cyber attacks have made headlines because of the number of individuals affected by the breaches, often in the millions. Vendors of intrusion detection solutions continue to pursue better algorithms for detecting potential attacks. It is extremely important for CEs and BAs to know every location where their systems and PHI could be exposed to a cyber attack, and to determine a risk mitigation plan for each. The authors recommend that CEs and BAs outsource their cybersecurity RA and RM to expert consulting companies that are up to date on the latest intrusion detection technology; outsourcing the work does not transfer the CE's or BA's responsibility for the results, so the engagement and its findings should be documented. CEs and BAs should also refer to the National Institute of Standards and Technology (NIST) for reference information. Finally, CEs and BAs should consider adding cybersecurity insurance for additional protection, because the cost of a breach can be very large, and the breaches caused by a cyber attack are typically the largest.
10. Comprehensive Training
Workforce training should be comprehensive, since one of the biggest risks of unauthorized access to and/or use of your organization's PHI is internal, namely the workforce. There have been a number of incidents due to accidental or intentional violations. In order to show due diligence, and to be able to apply sanctions to violations, your workforce must understand your policies and procedures. Training normally begins during orientation for new workforce members. In addition, there should be periodic mandated training, with manual or electronic testing to determine competency. Low competency results should be remediated immediately through focused training. The authors believe that the most effective training is in the form of reminders. One very effective way to deliver the reminders is through workstation screensavers, which can be set up to continually scroll information privacy and security reminders. Not only is this the best way to deliver the reminders, it is also very impressive when an auditor sees the scrolling messages on every workstation. This is a simple solution with a major positive impact.
CONCLUSION
Remember, full HIPAA compliance does not necessarily mean NO security incidents or breaches. Your HIPAA compliance needs to be both broad and deep! Remember, you need to have constant compliance that is backed up by yearly training, a yearly RA, and a yearly HIPAA compliance audit. Plus, your RA must include the new technologies that you introduce to your organization: if you are thinking about virtualization or hyperconvergence, make sure they are on your checklist for your next RA! JHIM
Gerry Blass is the President and CEO of ComplyAssistant. Gerry has over 35 years of experience in healthcare IT and compliance. Gerry provides IT and compliance consulting services and software. To learn more visit www.complyassistant.com.
Susan A. Miller, JD, has 40 years of professional leadership experience spanning college teaching, biochemistry research and law. Since 2002, Susan has provided independent consulting and legal services to numerous healthcare entities including NIST, CMS and OCR. She is the author and content manager of the NIST HIPAA Security Toolkit. She has co-authored two OCR audit protocol prep-books, HIPAA Security Audit Prep Book and HIPAA Breach & Privacy Audit Prep Book, which are published at http://www.malverngroup.com/New_Publications.html. You may reach her at TMSAM@aol.com.
Blass and Miller are co-founders of HIPAA 411, a LinkedIn group.