Find out how organizations did with HIPAA compliance in 2017.
In 2017, we conducted four surveys of over 300 healthcare professionals from organizations of all sizes, primarily those with fewer than 500 employees. We included the results in our 2018 Guide to HIPAA Compliance. Data from these surveys can help security experts and practices alike decide which areas to focus their HIPAA resources on.
So how did organizations do with HIPAA compliance in 2017? Here are the results along with major takeaways to help you with your own HIPAA compliance efforts:
Physical Security
When it came to the physical security of HIPAA-compliant data in 2017, at least 20% of respondents reported that their organizations did not use automatic timeouts or log outs on workstations. Also notable was the fact that at least 20% of respondents reported their organizations did not encrypt stored electronic protected health information. Organizations did well in the area of providing unique ID credentials for each employee, with 94% reporting that they followed this requirement.
ORGANIZATIONS HAVE AUTOMATIC TIMEOUTS/LOG OUTS ON WORKSTATIONS
- Yes: 78%
- No: 20%
- Don't know: 2%
Takeaway: All workstations need to have an automated timeout/log out (i.e., a password-protected screensaver enabled after a period of disuse).
EMPLOYEES THAT HAVE UNIQUE ID CREDENTIALS
- Have unique ID credential: 94%
- Share credentials: 6%
Takeaway: All employees should have their own login IDs and passwords for computer, software, and physical access.
ORGANIZATIONS ENCRYPT STORED ELECTRONIC PROTECTED HEALTH INFORMATION
- Yes: 78%
- No: 20%
- Don’t know: 2%
Takeaway: If you store any ePHI, you need to make sure that it has been properly encrypted (e.g., using AES-256 encryption).
HIPAA Firewalls
Network firewalls (both physical and virtual) are vital to HIPAA compliance. 31% of our respondents reported using both. Most organizations we surveyed opted for a managed firewall, a move that can help practices with large or complex networks.
TYPES OF FIREWALLS ORGANIZATIONS USE
- Hardware firewall: 20%
- Software firewall: 18%
- Both: 31%
- Don’t know: 31%
Takeaway: All networks (whether small or large) need both a hardware and software firewall.
NETWORK FIREWALL(S) MANAGED BY A SECURITY PROFESSIONAL OR THIRD PARTY
- Third party vendor: 74%
- In-house security professional: 10%
- Don’t know: 16%
Takeaway: Though not required, managed firewall(s) can help organizations with complex firewall rules and firewall management.
HOW OFTEN FIREWALL RULES ARE REVIEWED
- At least weekly: 13%
- At least monthly: 16%
- At least quarterly: 16%
- At least yearly: 10%
- Don’t know: 45%
Takeaway: A security professional should regularly review your firewall rules (e.g., at least quarterly).
ORGANIZATIONS DESIGNATE THE FOLLOWING INDIVIDUALS TO RESPOND TO FIREWALL NOTIFICATIONS (E.G., LOGS, ALERTS)
- Yes, a third-party vendor: 70%
- Yes, in-house security professional: 12%
- No one: 8%
- Don't know: 10%
Takeaway: HIPAA requires that organizations enable logging and log alerting on critical systems (e.g., alerting on an unauthorized connection attempt).
ORGANIZATIONS ALLOW THE FOLLOWING INDIVIDUALS TO REMOTE ACCESS INTO THEIR NETWORK
- Employees: 36%
- Another healthcare entity: 2%
- Third party vendor: 26%
- Don't allow remote access: 29%
- Don’t know: 7%
Takeaway: If you use remote access, make sure to implement adequate security, such as multi-factor authentication and proper firewall configuration.
ORGANIZATIONS REQUIRE MULTI-FACTOR AUTHENTICATION FOR REMOTE ACCESS TO PATIENT DATA
- Yes: 26%
- No: 40%
- Don’t know: 34%
Takeaway: If you use remote access, make sure to implement adequate security, such as multi-factor authentication.
Penetration Testing
This type of white-hat hacking is one of the best ways to find network vulnerabilities. Organizations should make sure that pen testers are qualified and vetted, and should perform a variety of penetration tests, to help avoid wasting time and money.
ORGANIZATIONS PERFORM PENETRATION TESTS
- Yes: 26%
- No: 16%
- Don’t know: 58%
Takeaway: To protect against cyber-attacks, penetration testing is vital to network security.
PENETRATION TESTS PERFORMED BY A SECURITY PROFESSIONAL OR THIRD PARTY
- In-house security professional: 2%
- Third-party vendor: 22%
- Don't perform penetration tests: 10%
- Don’t know: 66%
Takeaway: Whether a penetration test is performed by an in-house security professional or third-party vendor, make sure they are qualified.
HOW OFTEN ORGANIZATIONS PERFORM PENETRATION TESTS
- Every other year: 2%
- Annually: 6%
- Yearly and after major network changes: 4%
- After major network changes: 2%
- Never: 8%
- Don’t know: 78%
Takeaway: Organizations should regularly perform penetration tests (e.g., yearly).
ORGANIZATIONS PERFORM THE FOLLOWING TYPE(S) OF PENETRATION TESTS
- Network penetration test: 10%
- Segmentation check: 0%
- Application penetration test: 0%
- Wireless penetration test: 0%
- Social engineering assessment: 0%
- Don't perform penetration tests: 12%
- Don't know: 78%
Takeaway: Organizations should perform a variety of penetration tests to confirm their network security.
HIPAA Security Tips
Here are a few things to keep in mind for HIPAA compliance:
- Train employees at least quarterly: if you have an IT team, let them participate in a few trainings to help familiarize all employees and staff with HIPAA compliance and PHI security.
- Get expert help: it’s a good idea to consult HIPAA Compliance and Security Assessors and other security experts to help your organization with areas of concern.
- Do security testing: hire penetration testers and ethical social engineers to test your systems and your employees.
Need help with HIPAA? Check out our 2018 Guide to HIPAA Compliance and contact us with any questions.