HIPAA’s Security Rule mandates that physicians and other covered entities perform risk analysis as part of their security management processes, and that risk analysis should be an ongoing process which includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI
- Implement appropriate security measures to address the risks identified in the risk analysis
- Document the chosen security measures and, where required, the rationale for adopting those measures
- Maintain continuous, reasonable, and appropriate security protections
Unfortunately, HIPAA compliance will not stop a network attack and consequent leak of electronic protected health information (PHI). Breaches of patient data occur on an almost daily basis according to the U.S. Dept. of Health and Human Services Breach Portal. By law, reporting is mandatory if the breach impacts 500 or more people and if the information is unencrypted.
However, for practices in California, encryption is no longer the safe harbor that it once was. California has recently tightened the reporting requirement to include encrypted data if the keys were accessed as part of the breach under AB 2828.
Tresorit: End-to-End Encryption with No Key Leakage
Tresorit provides HIPAA-compliant data protection in the Cloud with no possibility of key leakage. Tresorit encrypts sensitive data before it leaves your device and no one other than the person that you explicitly share it with can see it. This means it is equally inaccessible to unauthorized insiders as well as the Cloud provider and, of course, hackers. 20KLeague clients receive a free month of Tresorit when they book a Cyber Risk Analysis.
Cyber Risk Analysis
The 20K League’s confidential cyber risk analysis can be conducted on or offsite by a principal consultant and usually requires 1-2 hours to complete depending upon the size of the practice. The consultant will meet with the principals, office manager, and IT director to learn about the current security controls that are in place, where and how client data is stored, who has access, how many devices connect to the network, how many locations are involved (including foreign offices, if any), use of encryption, frequency and storage of backups, which servers are Internet-facing and which are air-gapped, and other key data points that the consultant will use to create a precise assessment for the practice.
At the conclusion of the assessment, the consultant will provide a list of recommended fixes to harden the medical practice’s security posture against hackers, eliminate the risk of a successful ransomware attack and significantly reduce the risk of a data breach involving the practice’s confidential files.