Third-party vendors and HIPAA compliance

The Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996, at a time when paper files were still stored in cabinets and sensitive information was generally delivered by hand or fax. Now everything is stored on computers and transmitted over the internet, exposing highly sensitive personal health information to serious data breaches. A hacker can quickly access hundreds of patient files and cause widespread damage, including a release of private information, deletion of crucial health reports, large-scale identity theft and ransom threats. Companies in the healthcare business now find themselves grappling with complicated cybersecurity issues far outside the medical space. Considering the risks of HIPAA non-compliance, healthcare companies generally benefit from hiring third-party vendors that specifically handle HIPAA regulatory compliance. To fully protect patient data, these vendors should have clear policies that restrict access, remain transparent and auditable, and maintain the most up-to-date data security measures.

Restricting access is necessary for HIPAA compliance

Who has access to the patients’ information, how, and how much? These are crucial questions for any IT vendor. First, each member of the IT team should have only the level of access required to ensure HIPAA compliance and data security, with restrictions on time, scope, and job function. Each staff member should use a unique username and password to log into the system and complete multi-factor authentication to verify their identity. An automatic logoff after a short period of inactivity can prevent unauthorized access under another person’s credentials.

HIPAA-compliant systems must include auditable reports

An automatic audit system permits the healthcare company to screen for unauthorized access and to trace the source of a data breach. An effective audit system maintains detailed login records for every support connection and delivers a complete history of every login, including the time, place, personnel and scope of the access to the patients’ records and other sensitive information.
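The access restrictions described under the previous heading (time, scope, job function, multi-factor authentication) and the audit screening described here can be combined into a single check over the audit trail. The following is an added example, not code from the original article or from any vendor it describes; the per-user policy table, the pipe-separated audit records (time, user, source address, record scope, MFA flag) and the violation reasons are all constructed for illustration.

```python
"""Screen constructed login audit records for access outside a staff
member's permitted hours, record scope or MFA requirement."""
from datetime import datetime, time

# Constructed access policy: permitted hours, record scope and MFA rule per user.
POLICY = {
    "nurse.jdoe": {"hours": (time(7, 0), time(19, 0)), "scope": {"ward-3"}, "mfa_required": True},
    "billing.asmith": {"hours": (time(8, 0), time(18, 0)), "scope": {"billing"}, "mfa_required": True},
}

# Constructed audit log: time|user|source|scope|mfa (one login per line).
AUDIT_LOG = """\
2024-03-04T08:15:00|nurse.jdoe|10.0.3.12|ward-3|yes
2024-03-04T23:40:00|nurse.jdoe|10.0.3.12|ward-3|yes
2024-03-04T09:02:00|billing.asmith|10.0.5.7|ward-3|yes
2024-03-04T10:30:00|billing.asmith|198.51.100.9|billing|no
2024-03-04T11:00:00|contractor.x|10.0.9.1|ward-3|yes
"""


def parse_record(line):
    """Split one audit line into (timestamp, user, source, scope, mfa_used)."""
    ts, user, source, scope, mfa = line.split("|")
    return datetime.fromisoformat(ts), user, source, scope, mfa == "yes"


def screen(log_text, policy):
    """Return (timestamp, user, reason) for every policy violation in the trail."""
    findings = []
    for line in log_text.strip().splitlines():
        when, user, source, scope, mfa = parse_record(line)
        rule = policy.get(user)
        if rule is None:
            # An identity with no policy entry should never reach patient data.
            findings.append((when.isoformat(), user, "no policy entry: unknown identity"))
            continue
        start, end = rule["hours"]
        if not (start <= when.time() <= end):
            findings.append((when.isoformat(), user, "access outside permitted hours"))
        if scope not in rule["scope"]:
            findings.append((when.isoformat(), user, f"scope {scope!r} outside job function"))
        if rule["mfa_required"] and not mfa:
            findings.append((when.isoformat(), user, "login without multi-factor authentication"))
    return findings


if __name__ == "__main__":
    for when, user, reason in screen(AUDIT_LOG, POLICY):
        print(when, user, reason)
```

Each finding carries the time and identity from the audit record, which is exactly what an investigator needs to trace an access back to its source.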

Data integrity and security for HIPAA compliance

The weak link in data security generally occurs at the points of access and transmission. Regular updates to security settings, however, protect data from corruption and prevent a breach of data during transmission. To protect the data’s integrity and security, recommendations include customer control of configurable encryption, the Advanced Encryption Standard (AES) in 128-, 192- and 256-bit modes, and the Triple DES variant of the Data Encryption Standard (DES). Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should, therefore, have the knowledge and experience to meet the highest standards for becoming HIPAA-compliant. Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches.