
Ask the expert: Encryption is key for a HIPAA covered entity

David Reis, CISO at Lahey Hospital & Medical Center, discusses important steps a healthcare organization, as a HIPAA covered entity, should take to remain compliant.

In this Ask the Expert, David Reis, vice president of information services and CISO at Lahey Hospital & Medical Center in Burlington, Mass., discusses the two vital steps a HIPAA covered entity needs to take in order to better ensure compliance.

In your opinion, what do you think are the main issues in terms of healthcare organizations not being HIPAA compliant? What can healthcare organizations do to ensure they remain a compliant HIPAA covered entity?

David Reis: There's a range of things; they kind of go up a complexity scale, starting with lacking data at rest encryption. Data at rest encryption is just the single biggest thing that any healthcare organization can do to help prevent breaches and help ensure compliance with HIPAA. On laptops, encrypt the drives; use encrypted USB storage devices; enable encryption on mobile devices that interact with email; and then be very sensitive about backup tapes, because they can get lost. We can see from CMS data that lost backup tapes contribute to a lot of breaches of HIPAA-covered data. These things, at a very foundational level, are enormously important to helping prevent breaches and to being compliant with HIPAA.

Over and above that, capability level two ... make sure that HIPAA covered entities have a thorough, complete, and accurate inventory of applications and devices that store patient data and that they do a National Institute of Standards and Technology (NIST) SP 800-30 based risk assessment.

These two things -- do a NIST-based risk assessment with a thorough and complete inventory of applications and devices that store patient data and use encryption -- are huge in remaining compliant with HIPAA.
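The two controls Reis describes, an inventory of everything that stores patient data and a NIST SP 800-30 style risk rating driven by that inventory, can be expressed as a small script. The example below is added here for illustration and is not code from the article or from Lahey Hospital; the asset inventory is constructed, the three-level likelihood/impact matrix is a simplification of the qualitative approach in SP 800-30 Rev. 1, and the record-count thresholds are assumptions. Encrypted assets are rated low impact because HHS breach-notification guidance treats properly encrypted PHI as secured, which is the point of putting encryption at rest first.

```python
from dataclasses import dataclass

# Qualitative scale and combination matrix modelled on the NIST SP 800-30
# Rev. 1 practice of rating likelihood and impact separately and combining
# them. The three-level simplification and the cell values are assumptions.
LEVEL_INDEX = {"low": 0, "moderate": 1, "high": 2}
RISK_MATRIX = [
    # impact:   low         moderate    high
    ["low",      "low",      "moderate"],   # likelihood low
    ["low",      "moderate", "high"],       # likelihood moderate
    ["moderate", "high",     "high"],       # likelihood high
]

# The device classes the interview singles out as easy to lose.
PORTABLE = {"laptop", "usb", "mobile", "backup_tape"}


@dataclass
class Asset:
    name: str
    kind: str               # laptop, usb, mobile, backup_tape, server, application
    stores_phi: bool
    encrypted_at_rest: bool
    record_count: int       # patient records exposed if the asset is lost


def likelihood(asset: Asset) -> str:
    """Chance of loss or theft: portable media leaves the building, servers rarely do."""
    return "high" if asset.kind in PORTABLE else "low"


def impact(asset: Asset) -> str:
    """Harm if the asset is lost. Encrypted PHI counts as secured under HHS
    breach guidance, so its loss is rated low; the 500-record cut-off is an
    illustrative threshold, not a rule taken from the article."""
    if not asset.stores_phi or asset.encrypted_at_rest:
        return "low"
    return "high" if asset.record_count >= 500 else "moderate"


def risk(asset: Asset) -> str:
    """Combine likelihood and impact through the matrix."""
    return RISK_MATRIX[LEVEL_INDEX[likelihood(asset)]][LEVEL_INDEX[impact(asset)]]


def missing_encryption(inventory: list) -> list:
    """Control 1: every asset that stores PHI must be encrypted at rest."""
    return [a.name for a in inventory if a.stores_phi and not a.encrypted_at_rest]


def risk_register(inventory: list) -> list:
    """Control 2: one (name, likelihood, impact, risk) row per asset, highest risk first."""
    rows = [(a.name, likelihood(a), impact(a), risk(a)) for a in inventory]
    return sorted(rows, key=lambda r: -LEVEL_INDEX[r[3]])


# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    Asset("clinic-laptop-07", "laptop", True, False, 1200),
    Asset("backup-tape-2016-01", "backup_tape", True, False, 250000),
    Asset("nurse-phone-12", "mobile", True, True, 300),
    Asset("ehr-db-01", "server", True, True, 900000),
    Asset("kiosk-usb-3", "usb", False, False, 0),
]

if __name__ == "__main__":
    for name in missing_encryption(SAMPLE_INVENTORY):
        print("unencrypted PHI:", name)
    for row in risk_register(SAMPLE_INVENTORY):
        print("%-22s likelihood=%-9s impact=%-9s risk=%s" % row)
```

Run against the sample inventory, the unencrypted laptop and backup tape surface both in the encryption gap list and at the top of the risk register, while the encrypted phone drops to moderate purely because encryption removed the impact. In practice the inventory would come from an asset management or MDM export rather than a hard-coded list, but the checks stay the same.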

Let us know what you think about the story and any tips you have for a HIPAA covered entity to remain compliant; email Kristen Lee, news writer, or find her on Twitter @Kristen_Lee_34.


This was last published in January 2016
