Check-list to compliance readiness for SMBs

Here is a check-list of some do-it-yourself best practices for HIPAA/HITECH security to consider.
Written by Anupam Sahai, Contributor

Commentary - While PCI is the most widely adopted standard, HIPAA/HITECH has become the fastest-growing one in terms of adoption. The big push for HIPAA comes from its enforcement. There are about 600,000 medical providers who need to be HIPAA/HITECH compliant. Those who do business with these Covered Entities (CEs) – everyone from lab technicians to hazardous waste disposal services – are known as Business Associates (BAs). With the passage of the HITECH act, every one of these BAs, about 2 million of them, now needs to be HIPAA/HITECH compliant.

What’s increased the adoption rate for compliance is the $20 billion of the Fed’s 2009 stimulus money that’s been set aside for upgrading healthcare IT to support electronic medical records.

Small businesses can apply for up to $44,000 over a period of three to four years, while hospitals are eligible for up to $2 million in grants. Both need to demonstrate “meaningful use,” which essentially is another way of saying that they need to ensure they're HIPAA/HITECH compliant to safeguard their patients’ EMR.

Essentially, compliance regulations can be seen as defining best practices for IT security because they focus on protecting the same kinds of key assets. In the case of PCI, the regulations are trying to protect credit card information. The practices and security mechanisms businesses use to implement and enforce HIPAA or PCI compliance are going to be fairly similar. For example, PCI mandates regular monitoring of logs, quarterly updates of anti-virus signatures, data loss prevention and other basic IT security controls.

Here is a check-list of some do-it-yourself best practices for HIPAA/HITECH security to consider:

1) Conduct a self-assessment. As a business, where do you stand with respect to your current security and compliance status? You want to pinpoint your high-risk gaps to address those first.

2) Encrypt your electronic medical and personal data, both when it is stored on servers and when it is in transit, and restrict who can reach it operationally through access control. A number of tools are available that allow SMBs to do basic encryption and enforce access control.

3) Put agreements in place with Business Associates and any other third parties you interact with. These agreements need to state that the other party must be HIPAA/HITECH compliant, must establish data breach reporting requirements, and must share the liability in case of a breach. Having agreements in place between Covered Entities and their BAs limits the risk liability.

4) Deploy multi-factor authentication to control access to digital assets. In addition to a user name and password, use a biometric or a shared secret as a second authentication factor. A lot of SMBs have adopted smartcards, and laptops equipped with biometric fingerprint scanners are no longer a rarity.

5) Get comfortable with using cloud-based services; they are here to stay. Most SMBs have little to no in-house IT personnel, while the big cloud providers spend enormously on security, so it is a safe bet that their services are more secure than what a small business can build on its own. Don't take their word for it, though: a cloud provider ought to be able to show its investment in security from both a protection and a monitoring perspective. Information held by cloud providers will most likely be multi-tenanted, with each customer's data partitioned from the others.

6) An often-overlooked check-list item is your social media policy. A recent breach case involved an office manager who talked about a patient's health on Facebook. A federal agency fined the doctor, and the doctor lost his practice. Social media use is ubiquitous in every organization. A social media policy should ensure employees know the consequences of leaking information.

7) The last check-list item is reserved for internal housekeeping through operational commitments from internal personnel. Follow policies and procedures that include training and that put responsibility and accountability in place. For example, who is assigned to handle document shredding? Who is assigned to destroy unused tapes and storage media? Accountability by role assignment ensures that people understand what they are responsible for, and how they fit into the bigger picture in terms of reporting on and safeguarding the data.

Security and compliance are a journey, not a destination: not a one-time effort but an ongoing process, with best practices, training and technology safeguards to keep in mind.

Anupam Sahai is president of eGestalt Technologies, a provider of IT security, governance, risk management and compliance (IT-GRC) solutions based in Santa Clara, CA. With more than 21 years of IT experience and three worldwide patents, Sahai has held positions with Silicon Graphics, Hewlett Packard and Microsoft. He holds a Bachelor's in Engineering from IIT Kharagpur, India, a Master's in Computer Science from IIT Kanpur, India, a Master's in Engineering and an MBA degree from The Sloan School of Management at MIT. You can reach him at anupam.sahai@egestalt.com.