Atlantic.Net Blog

Top 13 Difficult Questions Your HIPAA Consultant Should Be Asking You

Becoming HIPAA compliant is a challenging undertaking, as the Health Insurance Portability and Accountability Act of 1996 together with all of the subsequent amendments and updates form a very complex piece of legislation. There are countless mandatory and recommended safeguards concerning the physical, technical, and administrative securities over Protected Health Information (PHI).

The questions we have highlighted will often be difficult to answer, and once you have the answer, it might be difficult to implement and successfully maintain, but they reflect core elements of HIPAA that must be adhered to. This is where Atlantic.Net can help with our fully managed service offerings. We take care of the hard and repetitive work to maintain your HIPAA environment.

You can readily understand why so many covered entities hire a HIPAA compliance consultant to oversee the monumental task of becoming HIPAA compliant. If you are embarking on this journey, it is important to consider these top critical questions:

  1. When was your last Risk Assessment completed?
  2. Do you know where your PHI resides?
  3. Who is managing your firewall(s) and network to ensure they are patched, up to date, and in compliance?
  4. Who is managing your servers and operating systems to ensure they are patched, up to date, and in compliance?
  5. Do you have a cloud strategy?
  6. Do you have an Incident Response Plan in place?
  7. What are your off-site backup and disaster recovery plans?
  8. How do you encrypt PHI?
  9. How do you control access to PHI?
  10. How do you log access to PHI?
  11. What is your workstation policy?
  12. Have your employees recently had a security awareness training refresh?
  13. Do you outsource to a HIPAA Compliant Hosting partner?

When was your last Risk Assessment completed?

A Risk Assessment is a mandatory administrative safeguard of HIPAA compliance, is usually the first task undertaken on the journey to becoming compliant, and should form part of a systematic risk management program. It is advisable to complete a risk assessment at least once a year.

A consultant will advise that all covered entity IT systems are analyzed for security risks and security measures are implemented to mitigate against the risk. All measures must be documented and, if necessary, the covered entity must install and maintain reasonable, appropriate, and continuous protection.

The scope of the risk assessment is enormous, and the aim is to make sure all systems adhere to the physical and technical requirements of HIPAA, such as PHI data being encrypted at rest and in transit or implementing a VPN solution to access a HIPAA compliant hosting platform.

When you partner with Atlantic.Net, we will work with you to complete a full risk assessment, helping to detect compliance weaknesses and document what future action is required by the availability standards of HIPAA. We will look for vulnerabilities, complete a threat analysis, and assess PHI data locations to help determine the likelihood of threat occurrence.

Need help with your risk assessment? Get in touch today!

Do you know where your PHI resides?

The covered entity must know what PHI they manage and where it is located and processed on their IT systems. Understanding what databases, applications, and file servers contain PHI and where PHI is located underpins the entire process.

Making a change to the security outlook of a covered entity is essential. Securing PHI is the cornerstone of HIPAA and one of the most important first steps to achieve compliance. Know where PHI is stored and how you process PHI!

Knowing what PHI you have will help to create a baseline to work upon, and the baseline acts as a line in the sand, helping to define how to handle and process PHI and creating a roadmap for the future desired state configuration.

As part of the risk assessment, Atlantic.Net can complete a Data Collection assessment which will determine where PHI is stored, received, maintained, or transmitted.

Need help with Data Collection? Get in touch today!

Who is managing your firewall(s) and network to ensure they are patched, up to date, and in compliance?

Network firewalls are difficult to update gracefully and require a high availability configuration to prevent downtime. Firewalls are the #1 network component we find not being patched or managed in HIPAA compliant environments. Passwords must be changed from defaults, the networking stacks must be updated to the latest run-time code levels, and SFP fiber connectors need their firmware updated, not to mention the software used to manage the firewalls.

This is a tough assignment even for the professionals, and it is one of the principal reasons customers outsource to a HIPAA compliant hosting provider like Atlantic.Net. Our engineers have vast experience looking for vulnerabilities at the network layer.

Need help with your managed firewall? Get in touch today!

Who is managing your servers and operating systems to ensure they are patched, up to date, and in compliance?

When we review customer infrastructure before onboarding them, one of the major concerns we find is the lack of operating system patching or the use of operating systems that are at end-of-life from the vendor.

Server patching is often months and sometimes years out of date. This is a major security concern, and these systems potentially have countless vulnerabilities. Running an out-of-date operating system, basically any Windows Server platform up to and including Windows Server 2008 R2, puts your organization at risk.

Atlantic.Net can provide a managed service offering wherein our highly skilled engineers will manage and maintain your server infrastructure. This can include a patch management program, anti-virus consolidation, and a best practice security implementation to defend against system vulnerabilities.

Need help with Managed Services? Get in touch today!

Do you have a cloud strategy?

Digital transformation is a hot topic in 2020, with many organizations fast-tracking cloud migration strategies in the wake of Covid-19. How can the cloud help your healthcare organization grow on a HIPAA compliant platform? The cloud offers many benefits to healthcare, outsourcing the responsibility of server hardware patching, managing, replacement, monitoring, and more.

Working alongside Atlantic.Net, a cloud-first strategy will help to ensure access and uptime within a fully redundant cloud stack from physical, hardware, and network, including multiple carriers with multiple high-speed connections. The cloud provider will also be responsible for vulnerability scanning and mitigation.

Need help with your cloud strategy? Get in touch today!

Do you have an Incident Response Plan in place?

An IRP is an administrative safeguard that forms part of the HIPAA Breach Notification Rule (2009). It is a mandatory requirement to have a plan in place that documents the steps undertaken in the event of a security breach affecting PHI.

The IRP contains details about who is responsible and what roles employees undertake to react to a security incident. There are regulations about notifying patients and the media in a timely fashion.

Investigate the nature and extent of PHI involved and understand if patients can be tracked from data leaked. If possible, work out who was involved and try to determine if PHI was accessed/taken. The investigation will determine if PHI was put at risk and if the theft needs to be reported to the Office of Civil Rights (OCR).

Working with Atlantic.Net will dramatically reduce the risk of ever having to use an incident response plan, as our HIPAA compliant services have been finely tuned to provide the best-in-class security for your healthcare organization. However, if the worst should happen, we will stand by you, implementing an IRP that is created as part of the risk assessment.

Need help with an IRP? Get in touch today!

What are your off-site backup and disaster recovery plans?

A business continuity plan is something every business must focus on, especially since the Covid-19 outbreak. Two key parts of a BCP are Off-Site Backups and Disaster Recovery Planning. They are a required safeguard that aims to document and test how a covered entity responds to a disaster recovery scenario such as a natural disaster, a global pandemic, or flooding of a data center. The availability of PHI is mandatory; authorized systems must be able to access PHI, and appropriate measures must be undertaken to protect PHI.

A BCP usually consists of a predefined backup strategy that protects PHI systems, such as a data backup system that replicates to a secondary location. Likewise, critical IT systems, such as patient databases, must be capable of failing over service to a secondary data center location. This is a technical solution commonly provided by your HIPAA compliant hosting partner.

Some providers achieve this using tape backup, but it has become increasingly popular to hold backup data on secure, redundant, geolocated storage systems. Data is replicated from the source location to at least one other offsite location, and regular test restores should be conducted to confirm the validity of the backup data.

At all times, a backup is available should the worst happen, meaning that data can be restored in all scenarios. A BCP is an evolving administrative task that involves an annual disaster recovery test to ensure the failover process works, and lessons can be learned if issues are encountered.

Atlantic.Net are specialists in backup and disaster recovery. Our cloud backup solution can be enabled with a simple checkbox, and our DR service provides best-in-class site failover to any of our 8 data centers located in the United States, Canada, Asia, and Europe.

Need help with your Backup Strategy and DR? Get in touch today!

How do you encrypt PHI?

Data encryption is a method of translating data into a protected format that can only be read by the person or computer with the decryption key. Unencrypted data, sometimes called plaintext, is readable by humans and computers. Encrypted data, sometimes called ciphertext, is only readable by the holder of the secret (encryption) key.

It is highly recommended to encrypt all PHI data, and the only way to achieve this standard is to use AES-256 encryption for PHI data stored at rest and in transit. By default, Atlantic.Net encrypts all data. Surprisingly, holding PHI data encrypted at rest is not mandatory, but you need to have a very good excuse when you are audited as to why you are not encrypting data at rest. Only encrypting PHI in transit is mandatory.

HIPAA recommends using end-to-end encryption (E2EE); this standard means that only the sender and receiver can view or access the data (it is encrypted everywhere but at the endpoints). Data is not stored on an intermediate server, such as a content server, during the data transfer, making the entire data transaction incredibly secure.

You should also consider encrypting your email platform and user laptops, mobile phones, and tablets, and strictly managing your employees’ BYOD habits. Backups must be encrypted, as well as any in-scope database.

Need help with encryption? Get in touch today!

How do you control access to PHI?

Controlling who has access to PHI is another mandatory requirement of HIPAA compliance. It is important to know who should have access to PHI and what PHI they should have access to. It requires credential management, access control lists, and several administrative policies to remain compliant.

Each user must have a unique username and password combination. Credentials must never be shared, and to enforce this, accounts must be protected by multifactor authentication. Servers or applications that contain PHI must use access control lists; this is usually managed by directory service security groups that can deny access to all but a chosen few.

System administrators and service desks need to oversee the entire process, not only enforcing system-wide password policies and restricting access to sensitive systems, but also taking care of user management; for example, enforce a strict leavers policy, ensuring at minimum a user’s credentials are locked as soon as they leave the business.

Atlantic.Net has vast experience in assessing current security measures, including making sure access controls are in place to manage inappropriate accesses or disclosure of PHI.

Need help with your access controls? Get in touch today!

How do you log access to PHI?

HIPAA compliance also demands that in addition to maintaining access controls to PHI, detailed logging must also be enabled to log who has accessed PHI, what PHI has been accessed, and when the PHI was accessed. Verbose logging can be enabled inside applications, databases, and on server and cloud infrastructure.

Logging creates huge volumes of data, making manual monitoring all but impossible. An automated SIEM solution can be implemented to automatically audit the logs for specific trends, such as users logging in outside-of-hours, multiple failed login attempts, changes in users’ elevated permissions, and so on.

These controls are required to introduce a technical layer of auditing on PHI. They ensure that the covered entity can determine when PHI is accessed, altered, or destroyed in an unapproved manner. Security Information and Event Management (SIEM) platforms are configured to audit and alert on any changes made to PHI, and the alerts should be monitored and escalated as required.
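The trends named above (out-of-hours logins, repeated failed logins, changes to elevated permissions) expressed as detection rules over an access log. This is an added example, not Atlantic.Net's tooling or any SIEM product's rule syntax; the log layout, event names, business hours, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample events (not from any real system); the field layout
# "timestamp user action detail" is an assumption made for this example.
SAMPLE_LOG = """\
2020-06-01T09:14:02 asmith LOGIN_OK workstation-12
2020-06-01T09:20:41 asmith PHI_READ patient=1001
2020-06-01T13:02:10 bjones LOGIN_FAIL workstation-07
2020-06-01T13:02:31 bjones LOGIN_FAIL workstation-07
2020-06-01T13:03:05 bjones LOGIN_FAIL workstation-07
2020-06-01T13:09:44 bjones LOGIN_OK workstation-07
2020-06-01T15:30:00 admin1 ROLE_CHANGE target=cdavis role=phi_admin
2020-06-02T02:47:19 cdavis LOGIN_OK vpn
2020-06-02T02:51:03 cdavis PHI_READ patient=1002
"""

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed working hours
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)   # assumed lockout policy


def parse(line):
    """Split one log line into (timestamp, user, action, detail)."""
    ts, user, action, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, detail


def audit(log_text):
    """Return a list of (rule, user, timestamp) alerts in log order."""
    alerts = []
    failures = defaultdict(deque)  # user -> recent LOGIN_FAIL timestamps
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, user, action, _detail = parse(line)
        if action == "LOGIN_OK":
            if not BUSINESS_START <= ts.time() < BUSINESS_END:
                alerts.append(("after_hours_login", user, ts))
            failures[user].clear()  # a success resets the failure streak
        elif action == "LOGIN_FAIL":
            recent = failures[user]
            recent.append(ts)
            # Drop failures that have fallen out of the sliding window.
            while ts - recent[0] > FAIL_WINDOW:
                recent.popleft()
            if len(recent) == FAIL_THRESHOLD:  # alert once per streak
                alerts.append(("repeated_login_failure", user, ts))
        elif action == "ROLE_CHANGE":
            alerts.append(("privilege_change", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in audit(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<24} {user}")
```

The `PHI_READ` events are recorded but not alerted on here; in the sample they show why the 02:47 login matters, since a PHI read follows it a few minutes later.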

Need help with your access controls? Get in touch today!

What is your workstation policy?

Write a policy that limits which workstations can access protected health data; it should define how a screen should be guarded against snooping and specify appropriate workstation use.

Automated lock screens should be enabled by system administrators. A clear screen policy states that whenever your staff members leave their desks for an extended time, they should log off their computers and that whenever they leave, even for a moment, they should lock their screens.

A clean desk policy should be in place that mandates that employees empty their desks of any materials, including removable media, sticky notes, business cards, and documents, whenever they leave it unattended.

Atlantic.Net can offer advice and guidance related to the physical protection of a workstation. This includes cable locks, screen filters, docking stations with locks, privacy screens, and technical protections such as password policies, automated lockouts, and so on.

Need help with your workstation policy? Get in touch today!

Have your employees recently had a security awareness training refresh?

Finally, one of the most important questions you should be asked is about employee training on HIPAA compliance and security best practices. Training plays such a large part in protecting the covered entity’s IT ecosystem, as employees form the front line of defense against breaches of PHI.

Adequate training includes not only the latest security awareness training, such as the latest trends and threats in cybersecurity, but also training on how to correctly use computer systems and medical devices, and how to protect patient information.

To wrap up, if you are in the market for Managed IT services for healthcare, make sure you choose an experienced HIPAA compliant provider that focuses on security, business continuity, and scalability. Choose a provider that can grow with you, one that focuses on collaboration and data interoperability. We know that the regulations of the industry are intense, but Atlantic.Net can take away the stress of managing your entire IT operation.

We have an extensive list of healthcare clients who have trusted us for many years, and our managed service packages allow you to forget about the complexities of IT and focus on your patients. We will protect your infrastructure from the very latest cybersecurity threats, as well as manage upgrades and maintenance behind the scenes. We will work with you to identify and secure PHI, protect you from ransomware attacks, and offer you the very best Healthcare Managed Services platform available.

The most effective way to manage training is to ensure all workforce members are given security training on regular occasions. Speak to our sales team to learn how Atlantic.Net can guide your organization through this critical learning journey.

Need help with your learning journey? Get in touch today!

Do you outsource to a HIPAA Compliant Hosting partner?

Are you in need of an infrastructure that can protect the health data of your organization? At Atlantic.Net, whatever your technical requirements, we can offer a top-grade HIPAA-Compliant Hosting solution. Get a HIPAA-Compliant Server Cost from one of our experts.

If you’re in need of a HIPAA compliance consultant, check out our list of the top 10 HIPAA consulting companies.

Get a free consultation today or get started with a free trial!
