HIPAA Security for Small Offices
Micheal Goodwin, January 8, 2018


Staying compliant with HIPAA, the Health Insurance Portability and Accountability Act, is hard work for any healthcare office. This is even tougher for small healthcare providers because they have fewer resources to spend on healthcare compliance.

Despite the challenges, small healthcare offices must comply with HIPAA just like their bigger cousins, or they may be subject to large fines. When healthcare professionals take a "do-it-yourself" approach to healthcare security, the results can be almost as bad as an IT professional taking a "do-it-yourself" approach to medicine.

Here are some tips for small healthcare provider offices to help maintain HIPAA security:

Basic Precautions for HIPAA Security

The first step in HIPAA security is knowing what not to do. PHI must be secured during transit, while at rest in vulnerable environments, and handled with care even by contractors and service providers.

Sending PHI over an unsecured data channel puts it at risk, since ordinary email and text messages can be intercepted without much difficulty. To be safe, use only channels that provide end-to-end encryption. Secure websites that require passwords fall into the safe category when they are designed properly or tested for HIPAA compliance. Two good examples are Citrix ShareFile and Microsoft Office 365 email encryption.

Storing PII without adequate security is an even bigger risk, because a breach can expose patient information on a large scale. While most providers think of a data breach as hackers getting into the office, the devices that leave your practice are more likely to compromise your patient data. Allowing laptops and phones that access ePHI to leave the office without first encrypting those devices is an invitation to disaster. Some of the biggest HIPAA security breaches on record have resulted from lost or stolen mobile devices. One example is the $2.5 million fine levied on CardioNet after a laptop was stolen from a parked vehicle.

Contractors and service providers that handle PHI need to be HIPAA-compliant as well. A Business Associate Agreement, which spells out the precautions and responsibilities of your associates, should be signed by each vendor and kept on file by your practice. Under the Final Guidance for Risk Analysis issued by HHS, business associates must demonstrate the same level of security, the same policies and procedures, and the same attention to their security and business practices as the healthcare practices they support.

Use Secure Data Management

All Internet-connected activity is now exposed to hacking and to the exploitation of cybersecurity vulnerabilities. Because patient data lives on Internet-connected systems, those systems need extra attention to ensure they are safe places to store data. This applies to cloud-based patient management systems, on-premises servers, electronic documents, and the devices they reside on. These systems need to be properly inventoried, monitored for improper use, and updated several times a month so that security vulnerabilities are patched.

Consider consulting an IT managed service provider to create a security management plan that protects your patient data and computer devices. The provider will be able to recommend security software, encryption solutions, system configuration best practices, and an update plan to keep devices current.

Remember that cybersecurity is built in layers. Firewalls, spam protection, data encryption, software updates, and security monitoring are all parts of a comprehensive system that won’t break because of any single mistake. Criminals are always looking for new ways to breach system security, and defenses have to be dynamic to stay ahead of them.

Establish Good Security Practices

Employees need to be aware of security risks. They have to develop habits that avoid the phishing scams which expose information to unauthorized parties.

Email and websites are a major source of risk. If employees open email attachments or click links sent to them by strangers or by colleagues whose accounts have been breached, they can bring malware into your computer environment. A breach of this kind can silently send out patient information without anyone noticing until it is too late. Under HIPAA rules, if your systems have been breached, you have to report it as a security incident even if you do not know whether anyone has received the confidential information.

Set up strong password policies rather than convenient ones. Weak passwords are like unlocked doors. Software is readily available on the Internet to guess simple or stagnant passwords. This is called the "brute force" method of password cracking, and even in 2018 it is extremely effective against simple passwords and phrases. Individuals with access to confidential data and patient information need to learn to use strong passwords and passphrases. Their passwords should be at least ten characters long, should not consist of a recognizable word or an obvious sequence, and should contain special characters and numbers.
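A checker for exactly the rules listed above, added here as an illustration rather than code from the article or from Server@Work; the short word list, the leetspeak mapping and the sample passwords are constructed stand-ins for a real dictionary or breached-password list.

```python
import re
import string

MIN_LENGTH = 10  # the article's minimum of ten characters

# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "healthcare", "patient", "hospital", "medical"}

# Common symbol-for-letter substitutions, so "P@ssw0rd" is still treated as "password".
LEET = str.maketrans("@04$3", "aoase")


def _has_obvious_sequence(pw: str, run: int = 4) -> bool:
    """True if any window of `run` characters is strictly ascending (abcd, 1234),
    strictly descending (4321) or a single repeated character (aaaa)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def _is_recognizable_word(pw: str) -> bool:
    """True if the letters of the password (raw, or after undoing leetspeak)
    spell a listed word, ignoring digits and symbols tacked on around it."""
    low = pw.lower()
    cores = {re.sub(r"[^a-z]", "", low), re.sub(r"[^a-z]", "", low.translate(LEET))}
    return any(core in COMMON_WORDS for core in cores)


def check_password(pw: str) -> list:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if _has_obvious_sequence(pw):
        problems.append("contains an obvious sequence or repeated run")
    if _is_recognizable_word(pw):
        problems.append("is a recognizable word")
    return problems


def is_compliant(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    for sample in ("Welcome1", "P@ssw0rd!!", "Abcd1234!!", "Tr1age-Room-4-Ekg?"):
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
```

Note that a multi-word passphrase passes the word check because only a password whose letters spell a single listed word is rejected.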

HHS has published a guide, 10 Best Practices for the Small Healthcare Environment. Keep a copy of this guide on hand and make sure that everyone who handles patient data has read it and follows the practices. Reviewing them at employee meetings is a good way to demonstrate compliance with the "Security Awareness" requirements of the SRA (Security Risk Assessment).

Make Security a Habit

Beyond specific practices, providers need a security-oriented mindset. Healthcare offices should always be asking whether they might be putting confidential information at risk. It is tempting to take shortcuts or to dismiss security measures as "not appropriate for a practice our size", but keeping patient information safe is a responsibility for everyone working in the healthcare industry.

Server At Work Can Help Your Office

It is not an easy job for smaller healthcare providers to manage and enforce effective HIPAA security measures. Just as IT providers need to see a doctor when they get the flu or need an annual physical, healthcare providers can rely on IT managed service providers such as Server@Work for effective security practices and management of the systems that contain PII. Server@Work specializes in healthcare industry security, including encryption services, disaster recovery, managed security, Security Risk Assessments, and SRA gap analysis.

For a FREE evaluation of your HIPAA security program and SRA consulting contact us today!