Cybersecurity: Strengthen your program

Jason Kirkhart

Q. How do I turn outdated HIPAA policies into a practical, living compliance program that actually protects patient data?

A. Effective compliance programs are more than having policy and process manuals that employees review, attest to and then follow. In today’s environment, relying only on that may be insufficient protection against a breach. The Notice of Proposed Rulemaking to modify HIPAA, issued on Dec. 27, 2024, was aimed at shoring up aspects that were loosely written at a time when cyberthreats faced in health care were far less severe. Here are steps you can take to strengthen your program.  

Build an incident response plan: Experts say it is not a matter of if but when an organization will suffer a cyberattack. Being prepared is critical. An incident response plan lays out what to do, who to contact and how to move forward in a clear step-by-step manner to preserve forensic evidence, mitigate the breach and minimize the impact.  

Regular employee cyber awareness training: The majority of compromises involve human error. Unfortunately, there’s no malware protection to install on people. Cyber awareness training is designed to minimize risks of these mistakes. There are many online tools that do a fantastic job of this, and some double as a place to conduct your policy management and employee attestation.  

Robust cybersecurity stack on computers and network: Moving EMRs/EHRs to the cloud does not eliminate the risks to patient data. Antivirus, patching, firewalls and spam filtering are just some of the tools that need to be employed to protect your systems. These systems must be monitored to ensure they are working as designed.

Continuously collect evidence: Regularly collect and store evidence from every aspect of the program. Insurance providers and authorities look to this evidence to determine fines, penalties and even whether lawsuits (even for fraud) may be brought. 

Jason Kirkhart is CEO at beetoobi. FMI: www.beetoobi.com.
