As an MSP in the modern market you’ve likely heard the acronym “HIPAA” thrown about. If any of your customers are healthcare providers, clearinghouses, or businesses that deal with electronic protected health information (ePHI) then you have almost certainly heard of HIPAA compliance.
HIPAA, or the Health Insurance Portability and Accountability Act, is a set of regulations in the United States which apply to everyone who has access to data and/or networks that contain ePHI. Even if you only manage a network for a client who handles ePHI and never access the information yourself, you still count as a “business associate” under the act, are legally required to be compliant with it, and can be held liable in the event of a data breach.
This means that if you support, or intend to support, clients in the field of healthcare, then you need to be HIPAA compliant. Even though HIPAA is a piece of U.S. legislation, many other countries have similar legislation with similar requirements.
This leaves us with a key question: What does HIPAA compliance require when it comes to IT security, identity, and access management?
Fortunately, I’ve boiled the answers to this question down into a list of simple yes or no questions you can ask your client. If the answer is no, consider that a bad sign.
Security Policies and Procedures
Policies must be established to handle and manage all security violations. You can ask your clients questions like:
- Are your employees aware of the penalties that will ensue from security violations?
- Are internal penalties in place for employees who violate security procedures?
- Do all your users know what to do in the event of security incidents or issues?
- Is there a process in place to document, track, and address security issues or incidents?
- Is there someone tasked with checking all security logs, reports, and records?
- Do you have a security official responsible for password policy and overall security policy?
- Have you ever undertaken a risk analysis?
Access to ePHI must be restricted to those who have permission to access it. You can ask your clients questions like:
- Do you have measures in place to authorize or supervise access to ePHI?
- Are there processes for determining the validity of access to ePHI?
- In the event of employee termination, is their access to ePHI blocked?
Security Awareness Training
HIPAA requires that a security awareness training program must be established for all staff. You can ask your clients questions like:
- Are employees regularly reminded about security concerns?
- Do you hold meetings about the importance of password, software, and IT security?
- Are your employees aware of the process surrounding malicious software?
- Do you have procedures for regular review of login attempts?
- Do those procedures check for any discrepancies or issues?
- Have you established procedures to monitor, manage, and protect passwords?
The Worst Case Scenario
There should be a plan in place for the protection and use of ePHI in the event of an emergency or disaster. You should ask your clients questions like:
- Are there tested and revised plans in place for an emergency?
- Have the applications and data needed for these emergency plans been analyzed?
- In the event of a disaster, can copies of ePHI be made or retrieved?
- In the event of a disaster, can all ePHI be restored or recovered?
- In the event of a disaster, will your ePHI be protected?
- In the event of a disaster, can critical ePHI-related business functions still be completed?
Business Associate Contracts
Business associate contracts are critical for both ITSPs and MSPs who work in healthcare settings. While not signing an agreement can provide a slight amount of protection from liability under the law, detailing and signing off on your agreed-upon duties and liabilities provides significantly more protection in the event of an investigation, audit, or breach. Documentation is key when it comes to protecting yourself.
Technological and Physical Protection
Procedures that limit physical access to facilities and equipment housing ePHI need to be in place. Just as critically, procedures must ensure that ePHI is accessible only to employees who have permission to access it.
As someone working in an IT role, it is your responsibility to ensure that access to applications and data containing ePHI is limited to authorized users. This is where authentication becomes critical.
One method you can discuss with your client is multi-factor authentication (MFA). With MFA, users log in with a password as well as an additional factor such as a fingerprint scan or a one-time code from a secure mobile app. MFA's stronger level of assurance also allows businesses to explore other productivity and security solutions like single sign-on (SSO), which lets a single credential provide access to multiple applications. For many businesses required to comply with HIPAA regulations, multi-factor authentication and single sign-on are both convenient and practical solutions to many of their compliance woes.
Author: Harrison Depner