During any thorough HIPAA consultation, you will find that your computer network must meet a minimum set of requirements in order to fully comply with the Security Rule portion of the law. Below, I have outlined a few of these requirements, along with a brief explanation of how they relate to compliance. Each item relates to a specific requirement of the law. In order to obtain our full checklist, you can contact us and request our HIPAA Checklist.
Encrypted Backups
Many cloud backup solutions come with HIPAA compliant encryption; however, your local backups must be encrypted as well. Our recommendation is to use hardware-encrypted drives, which require a keypad entry in order to access the data therein. As an alternative, there are software solutions which encrypt your data before it is backed up, which can be used with standard non-secure hard drives.
The days of tape backups from an Alpha Micro server are over – no encryption exists for this older style of configuration, and many of our clients who still house their data on such a configuration are making the change to a Mac or a PC which can meet HIPAA requirements for data encryption.
Security Patches Kept Up To Date
The first step for getting your PCs patched regularly is to configure Windows Update to download and install updates automatically – preferably off-hours. Designating a day or two for off-hours maintenance is imperative for this, as it prevents unexpected updates from hampering the usability of PCs during the workday.
Third-party software with security vulnerabilities must also be patched. These include, but are not limited to: Java, Adobe Reader, Adobe Flash, Firefox, Chrome, Explorer, and others. Getting all of these updated regularly requires a bit more than allowing automatic updates – many of them do require user interaction. Thankfully, there are automated solutions. If you are under a Managed Service contract with dmi, security patching is available as an add-on service. Automatic off-hours Windows and third-party updates can be obtained as an à la carte service as well.
Encrypted Email
This is quickly becoming a standard for sending medical information to specialists as well as patients. There are a great number of solutions out there for email encryption, such as the one linked here. Each email that is transmitted over the web bounces through a large network of servers – each one is a potential point of compromise. Therefore, HIPAA demands that end-to-end encryption is in place, so that in the event that any relay server is compromised, the messages on it will appear garbled and unreadable to criminals.
Centralized User / Password Management
The first “must-have” for compliance is that the PCs themselves require a username and password that is unique to the employee logging in. It is not enough to only supply a password when logging into your Practice Management Software; on each PC, there resides incidental data from email, cache, Microsoft Office, or other locations. It is imperative that booting up the PC itself calls for a specific user and password.
Since offices generally have multiple PCs, which are accessed by multiple employees, centralized user and password management is necessary. This can be accomplished through a Windows Server set up as a domain – this allows each employee to use their unique username and password on any device on the network. Additionally, the Windows Server will enforce password complexity requirements and lockout policies, and schedule password changes.
Ongoing Network Monitoring
The final point I want to touch on for this list is ongoing network monitoring. HIPAA auditors want to see logs of activity on your network, so that they can verify not only that no breaches have occurred, but also that there is a system in place to identify them if they do take place. Network monitoring is a requirement of HIPAA. A Windows Server set up as a domain, in conjunction with monitoring software, is necessary for creating clear reports of employee activity and of network breach attempts or, in the worst-case scenario, the point of entry for a successful data breach.
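As an added example, not part of dmi's checklist, the following PowerShell script audits a single Windows PC against the items discussed above (encrypted drives, automatic Windows Update, domain membership with password and lockout policy, and failed-logon auditing) and prints a pass/fail table. The 8-character minimum length and 90-day maximum password age are illustrative thresholds chosen for the example, not values the page or HIPAA specifies; it assumes an elevated session and the BitLocker module for the drive check.

```powershell
# Added example (not part of dmi's checklist): audit one Windows PC against the items above.
# Thresholds (8-character minimum, 90-day maximum age) are illustrative assumptions, not HIPAA-mandated values.
# Run from an elevated PowerShell session; the drive check needs the BitLocker module (Pro/Enterprise editions).

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Item, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail })
}

# 1. Encrypted backups: every data volume seen by BitLocker (local or USB backup drive) should be protected.
$dataVolumes = Get-BitLockerVolume -ErrorAction SilentlyContinue | Where-Object { $_.VolumeType -eq 'Data' }
foreach ($v in $dataVolumes) {
    Add-Check "Encrypted drive $($v.MountPoint)" ($v.ProtectionStatus -eq 'On') "ProtectionStatus=$($v.ProtectionStatus)"
}

# 2. Security patches: the Windows Update policy should be auto download + scheduled install (AUOptions = 4).
#    If the policy key is absent, the setting is not enforced, which this check reports as a failure.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$auPass = ($au.AUOptions -eq 4) -and ($au.NoAutoUpdate -ne 1)
Add-Check 'Automatic off-hours Windows Update' $auPass "AUOptions=$($au.AUOptions); ScheduledInstallTime=$($au.ScheduledInstallTime)"

# 3. Centralized accounts: the PC is domain-joined, and the effective password/lockout policy meets the thresholds.
#    `net accounts` shows the policy applied to this machine; add /domain to query the domain controller instead.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain-joined PC' $cs.PartOfDomain "Domain=$($cs.Domain)"
$acct = @{}
net accounts | ForEach-Object {
    if ($_ -match '^(.+?):\s+(\S.*)$') { $acct[$matches[1].Trim()] = $matches[2].Trim() }
}
$minLen = 0; [void][int]::TryParse($acct['Minimum password length'], [ref]$minLen)
$lockout = 0; [void][int]::TryParse($acct['Lockout threshold'], [ref]$lockout)          # "Never" parses as 0
$maxAge = 0; [void][int]::TryParse($acct['Maximum password age (days)'], [ref]$maxAge)  # "Unlimited" parses as 0
Add-Check 'Minimum password length >= 8' ($minLen -ge 8) "Minimum password length=$minLen"
Add-Check 'Account lockout enabled' ($lockout -gt 0) "Lockout threshold=$($acct['Lockout threshold'])"
Add-Check 'Scheduled password changes (<= 90 days)' ($maxAge -gt 0 -and $maxAge -le 90) "Maximum password age=$($acct['Maximum password age (days)'])"

# 4. Ongoing monitoring: logon auditing must include failures so that failed logons reach the Security log.
$audit = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
$setting = ($audit | Select-Object -First 1).'Inclusion Setting'
Add-Check 'Failed logon auditing' ($setting -match 'Failure') "Logon audit=$setting"

# Any row with Pass = False is a checklist item to fix before an auditor asks for it.
$results | Format-Table -AutoSize
```

The script only reads configuration; it changes nothing, so it can be run on each PC ahead of an audit to see which items still need attention.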
To learn more about dmi Networking, Inc., follow the link to our home page and see how we provide Dental IT to the Bay Area.