08-07-13 | Blog Post

HIPAA Security Lessons from a Michigan Healthcare CIO

Blog Posts

HealthITSecurity.com recently conducted an interview with Frank Fear, CIO of Memorial Hospital in Michigan, a medium-sized healthcare organization with approximately 1,000 desktops to manage. Learn from his lessons and a few from us to create a completely secure and efficient HIPAA compliant IT solution:

Authentication. Fear uses a single sign on solution that enables staff to securely authenticate to gain access to their network allowing them to sign on virtually once, then logout at the end of their shift – eliminating the need to sign on multiple times across different devices.

While an efficient authentication solution, the use of two-factor authentication can also strengthen security by requiring another factor such as a phone call or push notification on their smartphones before allowing network access.

Virtualization. “The virtualization piece is important for security. None of the data resides on the client device and we’re at acceptable risk,” said Fear. Virtualization, or cloud computing, allows data to be accessed with a device remotely while keeping all data on a secure server and never on the device itself. Meaning, if an employee loses the device, a data breach is not imminent.

EncryptionAnother way to strengthen security within the cloud is to use an encrypted cloud solution. Encryption of data at rest and in transit ensures that all electronic protected health information (ePHI) is unreadable and safe from the HIPAA Breach Notification Rule.

Of course, using a HIPAA cloud hosting provider requires more attention to their services and contracts – read What to Look for in a HIPAA Cloud Provider for details.

HIPAA Audits. Recognizing recent changes in the HIPAA rules, Fear mentioned that the hospital recently went through an extensive HIPAA security audit by a consultant to help them review and improve the ways they secure data. A HIPAA risk assessment is the first step toward compliance and stronger security.

One way to ensure your healthcare organization is prepared to undergo a HIPAA audit by the government is to undergo an independent audit by a third-party using the OCR HIPAA Audit Protocol as the testing guidelines. The Office for Civil Rights recently developed the protocol to give auditors a more consistent direction on how the OCR intends to conduct future HIPAA audits.

Disaster Recovery White PaperDisaster Recovery. Fear realized that by being “nearly fully electronic,” it’s very disruptive to the rest of the systems when one goes down. Disaster recovery is no longer a nice backup plan, but rather considered a serious security concern in the current electronic landscape of healthcare operations. With the massive amounts of data in their systems, clinicians are able to print portions of records but still need complete records to minimize risk.

Keeping critical healthcare applications and data up and running 24/7 while juggling security concerns can be difficult, but new technology, including virtualization, can help. Read about designing a comprehensive business continuity and disaster recovery plan with the technical solutions available, including a case study on the switch from physical servers to a private cloud environment and the differences in cost, uptime, performance and more in our Disaster Recovery White Paper.

HIPAA Compliant Hosting White PaperSecurity is possible with the latest technology and strategic design of a HIPAA compliant IT stack.

View a diagram of a HIPAA compliant data center IT infrastructure and learn about contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria in our HIPAA Compliant Hosting White Paper.

How a Healthcare CIO Maintains IT Security and Efficiency

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved