The October Cybersecurity Newsletter from the OCR reminded covered entities and business associates about National Cybersecurity Awareness Month and the things they can do to help protect patients’ information.
They covered safeguards that are required for HIPAA compliance and provided suggestions and reminders for security awareness training.
The first safeguard the OCR reminded readers of is encryption. “Encryption is the conversion of electronic data into an unreadable or coded form that is unreadable without a decryption key,” the OCR stated in the newsletter. While encryption is an addressable safeguard, each organization must review current safeguards and determine if encryption is necessary and feasible. Using encryption can prevent unauthorized users from viewing information and can reduce the risk of a breach.
The OCR also brought up audit logs as another safeguard. Covered entities and business associates should record and monitor activity on the network. This can help an organization quickly determine if there is suspicious activity that needs to be addressed. Additionally, if there is a complaint from a patient, the organization can look back at the logs and determine if that complaint is founded.
The last safeguard discussed is secure configurations. This isn’t one specific safeguard, but many. Some of these safeguards include encryption, audit logs, anti-malware, maintaining and update software, and log configuration. The OCR states that: “Proper configuration of network devices and software will reduce the attack surface for bad actors and greatly improve an organization’s cybersecurity defenses.”
The reminder for security awareness training is the issue of social engineering. The OCR specifically reminded readers that phishing is a big issue for health care organizations. Employees can easily be tricked into clicking malicious links or providing log-in credentials on a manufactured webpage. Consequently, covered entities and business associates should implement as much training as possible, to help prevent such situations. This can be in the form of an email that provides examples as they come in, so employees know what to look for.
To learn about what safeguards are missing in your organization and which ones are absolutely necessary, join HIPAAgps and get started on your risk assessment today!