With news of recent security breaches and cyberattacks, healthcare systems and physician practices are reminded of the importance of maintaining compliance and protecting sensitive patient health information.
John Garcia, Information Security Manager, and Jennifer Brown, Vice President of Customer Operations for Pixel Health Technology Services, recently shared their thoughts on supporting clients with HIPAA compliance and implementing best practices for information security.
Proactively preventing security breaches
“We are often approached by healthcare organizations that need to determine if their organization is fully compliant,” said Jennifer. She explained that a request for services is usually prompted by one of several situations, such as:
- Experiencing a security “scare” or “close call”
- Receiving a request from their insurer for complete compliance documentation
- Wanting to proactively assess their systems and identify any potential gaps in their security policies and program
“In terms of HIPAA compliance, there are three main components: security, privacy, and breach notification. Our team primarily focuses on the security,” said John. “For example, we examine internal security controls, such as patch management, access controls, data protection, network, and endpoint security.”
Other aspects of maintaining security as part of HIPAA compliance include:
- User education through security awareness training
- Periodic reminders to end users about security vigilance
- Auditing of vendors and other third parties that handle patient data
Creating a roadmap for security planning
To help healthcare organizations establish a baseline of their current information security practices and identify any potential gaps, Pixel Health performs comprehensive assessments.
“An assessment helps us show organizations where they are—and where they need to be,” explained John. “With this information, we can develop a roadmap that includes a plan of action and outlines specific milestones. If a remediation effort is needed, we can also help teams reach those milestones.”
A typical assessment involves:
- Interviewing stakeholders such as the privacy officer or security officer; in many organizations this is not a dedicated position but an additional duty held by someone at the director level
- Examining administrative policies and technical controls
- Accessing the organization’s environment to perform discovery
- Identifying and documenting potential risks
- Delivering a report that specifies areas for remediation
“Of course, while we’re identifying those risks, if our team sees a security or compliance issue that needs immediate attention, we let the organization know right away so they can take action,” said Jennifer.
Serving as a collaborative partner
“We’ve found that executives and directors at healthcare organizations often believe their compliance is in better shape than it really is,” explained Jennifer. “Hiring a third party like Pixel Health gives them an unbiased view of any technical issues that may have been unnoticed.”
“We can also give organizations options on how best to meet standards based on their current budgets,” said John. “If a major IT change is needed but it may be too costly at the moment, we can develop ‘compromising controls’ that help mitigate major compliance risks and improve security as an interim solution.”
Working as an extension of an organization’s team, Pixel Health also helps educate its clients on best practices to avoid future compliance issues and help protect patient data.
“As a healthcare-centric technology consulting firm, we understand the business of healthcare,” said Jennifer. “Our compliance assessment incorporates the needs of the business to ensure we are implementing processes and best practices that keep the needs of clinicians and their patients at the forefront.”
For more information on Pixel Health Technology Services’ security solutions, visit: Security – Pixel Health