EHR & HIPAA

A recent report published by Cynergistek presented data showing that fewer than half of the nation’s healthcare institutions comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The CSF is a best-practices roadmap for healthcare organizations to align their technologies with both HIPAA and cybersecurity conformity. But digging into the numbers shows an interesting caveat.

By far, assisted living facilities enjoy the highest levels of CSF conformity – a whopping 95% of facilities are adhering to CSF guidance. Here’s the twist – this healthcare sector is among the lowest on the scale of technological adoption. This tells us it’s easier to meet cybersecurity conformity guidance when you have little “connectivity” to manage. While at first blush this is self-evident, it’s the converse that tells the story – the more technology you have adopted, the less likely it is that you are meeting cybersecurity best practices.

We often discuss the myriad of ways healthcare organizations fail to properly protect health information. While most cases (and most breaches) are caused by employees through human error, the presence of technology increases the risk that a minor error can expose thousands of records.

What’s missing in this equation is a corresponding commitment (i.e., investment) in cybersecurity best practices that matches the commitment to technology. The more dependent you are on technology, and the more intertwined it is in your workflow, the greater your investment in compliance needs to be. While most of this investment comes in the form of capital, it also includes areas like training and management oversight.

Here’s an example. You may have a detailed policy and procedure in place for handling scanned documents, like patient insurance cards and IDs. And then you add a new scanner. Although this new scanner may be properly configured and set up, your staff may independently find that storing the documents locally, and then transferring them to a secure drive, is more convenient. They’re not thinking about compliance; they’re just trying to work as efficiently as possible. The result is that PHI that is supposed to be centralized ends up scattered around numerous devices that, as we are often told during our assessment, “contain no PHI”. Our vulnerability scans ultimately separate actual reality from perceived reality, and we go on from there.

With the recent publication of NIST 800-66 r2 and NIST’s CSF, the information your organization needs is readily available. It’s your responsibility to bridge the gap. If you want assistance, we’re here to help; it’s what we do.