The American Health Information Management Association (AHIMA) recently provided guidelines for creating a robust cybersecurity plan.

The cybersecurity plan is a 17-step process, according to AHIMA.  However, the last step provided in the document is redundant, so we did not include it below. Also, please note that several of the steps are required practices for HIPAA compliance.

  1. Conduct a risk assessment of all applications and systems. This is a requirement for HIPAA compliance, so you should already have completed this. If you have not performed a risk assessment before, or need to start a new one, you can use the HIPAAgps system to complete a thorough assessment.
  2. Remember that record retention is a cybersecurity issue. Health care organizations should follow their record retention policies and not maintain records longer than they’ve been deemed necessary to keep. Maintaining extra records that should be destroyed can create an issue when trying to protect additional information for a longer amount of time.  It’s an extra amount of effort involved that can be eliminated by simply destroying records in a timely manner.
  3. Covered entities and business associates should patch vulnerable systems. Operating systems and software will often receive updates to help protect them.  Organizations should implement updates as soon as possible.
  4. Use advanced security endpoint solutions that include device and user ID behavior monitoring, AHIMA suggests.
  5. Encrypt workstations, laptops, smartphones, tablets, and any portable media. This is another HIPAA requirement; one that should already be implemented.
  6. Improve identity and access management. This includes using stronger passwords, implementing two-factor authentication, and restricting concurrent log-ins.  Additionally, organizations can implement time-of-day restrictions that would allow employees to use workstations during certain times of the day.
  7. Modify current web filtering to block more nefarious traffic. This might include blocking traffic from countries that your organization doesn’t do business with and blocking email traffic from newly created domains.
  8. Implement policies and procedures that regulate mobile devices. This is another requirement for HIPAA compliance, as are the next two steps in the process.
  9. Develop incident response procedures. This includes outlining possible scenarios and educating employees on what to do during an incident.
  10. Monitor auditing logs. AHIMA recommends outsourcing this task to a Managed Security Service Provider (MSSP) who can specifically help with monitoring logs.
  11. AHIMA encourages covered entities and business associates to use existing tools such as Intrusion Prevention Systems/ Intrusion Detection Systems (IPS/IDS) to detect unauthorized access. This might be another area you will want to outsource.
  12. Evaluate business associates. This is another requirement for HIPAA compliance, so covered entities should be doing this already.
  13. Conduct social engineering tests to see how easy a malicious hacker might be able to gain access to your organization. Phishing emails are one of the top ways that hackers gain access to protected information of all kinds.  This might be better outsourced as there are many companies that specifically conduct these types of tests often.
  14. Hire cybersecurity companies to conduct other technical evaluations such as penetration testing and vulnerability scanning (AHIMA recommendation). While it is not required to have a third-party conduct these tests, it will give your organization a better view of your security footprint.
  15. Provide a presentation to organization leaders on cybersecurity and your current security footprint.
  16. Take a proactive stance on your cybersecurity defenses, rather than waiting until something happens and then implementing safeguards or checks and balances.


For more information on setting up your cybersecurity plan, protecting your patient’s information, and being HIPAA compliant, join HIPAAgps today.