In this Ask the Expert, David Reis, vice president of information services and CISO at Lahey Hospital & Medical Center in Burlington, Mass., discusses the two vital steps a HIPAA covered entity needs to take in order to better ensure compliance.
In your opinion, what do you think are the main issues in terms of healthcare organizations not being HIPAA compliant? What can healthcare organizations do to ensure they remain a compliant HIPAA covered entity?
David Reis: There's a range of things; they kind of go up a complexity scale, starting with lacking data at rest encryption. Data at rest encryption is just the single biggest thing that any healthcare organization can do to help prevent breaches and help ensure compliance with HIPAA. On laptops, encrypt the drives, use encrypted USB storage devices, enable encryption on mobile devices that interact with email, and then be very sensitive about backup tapes because they can get lost. We can see from CMS data that lost backup tapes contribute to a lot of breaches of HIPAA covered data. These things, at a very foundational level, are enormously important to helping prevent breaches and to being compliant with HIPAA.
Over and above that, capability level two ... make sure that HIPAA covered entities have a thorough, complete, and accurate inventory of applications and devices that store patient data, and that they do a National Institute of Standards and Technology (NIST) SP 800-30-based risk assessment.
These two things -- do a NIST-based risk assessment with a thorough and complete inventory of applications and devices that store patient data and use encryption -- are huge in remaining compliant with HIPAA.