Health IT vendors need to ensure the security of their applications. Conventional wisdom for health IT vendors says to begin with the HIPAA Security Regulations, which specify 45 "Standards and Implementation Specifications". While these requirements are essential for governmental compliance, they are not sufficient for ensuring organizational security.

The main reason? The HIPAA Security Regulations have remained essentially unchanged since they were initially drafted in 1998. They weren't comprehensive when they were written, and after 26 years of technological evolution they are even more incomplete today. In fact, the US Department of Health and Human Services counsels organizations to supplement these regulations with an authoritative framework such as the NIST Common Security Framework (CSF). The NIST CSF has 108 controls across 23 categories, compared to HIPAA's 45 implementation specifications.

Unfortunately, comprehensive frameworks such as the NIST CSF are simply too big a lift for smaller organizations. Small Software-as-a-Service companies and other health tech companies simply don't have the time and resources for perfect security. Thus, Eagle Consulting Partners has identified four top items that organizations of any size should prioritize:

#1: Periodic Security Risk Assessments

The starting point of any strong security program is a good security risk assessment. For more details, we encourage you to read our page on getting started with a security risk assessment for your organization. We also encourage you to review our sample of what a completed SRA should look like.


#2: Multi-Factor Authentication from the Start

Passwords alone are no longer sufficient to ensure authentication. Your application or service should support MFA, including at a minimum both SMS text messages and one or more of the popular authenticator apps such as Google Authenticator or Microsoft Authenticator.


#3: Periodic Penetration Testing

Programming errors, misconfigurations, and unpatched vulnerabilities can result in data breaches, ransomware attacks, and many other types of catastrophic security events. Any one of these events could kill the business of a smaller organization. Ensure that your company gets a periodic penetration test from a capable organization to identify any attack chains that could be leveraged against your business before a cybercriminal does.


#4: Policies & Procedures

HIPAA mandates policies and procedures that address each of the 45 standards and implementation specifications in the HIPAA Security regulation. Using templates is a great starting point, but make sure they are tailored to the organization's specific workflows. For example, a SaaS company shouldn't use policies designed for a small doctor's office. (See the Eagle Consulting Policy Store for an array of policies for different types of organizations.) These policies will be requested during audits or investigations, and failure to provide them could result in significant penalties.


Safeguarding health IT applications demands more than mere HIPAA compliance. Organizations, especially startups and smaller businesses, should conduct and use comprehensive security risk assessments as the starting point for a security program tailored to the organization. Your risk assessment would certainly prioritize multi-factor authentication where possible, regular penetration testing, and robust security policies. Once this is done, systematically address the next priorities identified in your risk assessment, one at a time, as your time and resources permit. This action plan will not only help you with governmental compliance but also defend your organization against the real-world landscape of criminal cyberattacks, thus securing the business's future in an ever-evolving technological landscape.