If You Connect It, Protect It
In healthcare practices, we have a responsibility to ensure reasonable safeguards to protect personal health information. In the early days of a clinic opening, your privacy impact assessment includes a privacy risk analysis that identifies potential risks to the privacy, confidentiality, and security of health information – and all the ways that you will mitigate and prevent those bad things from happening.
Threat Risk Assessment
As a practice matures, you are expected to regularly re-evaluate the risks to health information and conduct a new threat risk analysis (TRA). Conducting a TRA is a reasonable safeguard as described under the Alberta Health Information Act (HIA) and part of your obligations with information sharing partners, like Alberta Netcare Portal.
This is part of your privacy impact assessment (PIA) amendment or update.
This is where you demonstrate that the custodians and the leadership of the clinic understand the importance of privacy and security. The TRA should review and update the original risk analysis – and describe what you have done lately.
The TRA should include administrative, technical, and physical safeguards.
IT Asset Inventory
You need to know where your personal health information – and other business, confidential, and sensitive information resides – before you can protect it.
A review of all the devices in your clinic that contain personal health information is one example of a technical safeguard. Your information technology (IT) computer network vendor or managed service provider (MSP) should be conducting a regular enterprise-wide IT asset inventory. Generally, an enterprise-wide IT asset inventory is a comprehensive listing of an organization’s IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset). Listen to the Help Me With HIPAA podcast episode 273 for a great discussion on why this is so important.
The clinic’s system administrator or privacy officer should review the IT asset inventory with the MSP to ensure that every device – both the devices managed by the MSP and any other device connected to the clinic network – is included in the inventory.
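One way a system administrator could carry out that review, as an added example that is not part of the original post: check each inventory entry for the descriptive fields described above, then compare the inventory against the devices actually seen on the clinic network. The inventory rows, MAC addresses and field names are constructed assumptions, not data from any real clinic or MSP.

```python
"""Reconcile a clinic IT asset inventory against devices observed on the network.

Added example, not from the original post. Inventory rows, MAC addresses and
field names are constructed assumptions, not data from any real clinic or MSP.
"""

# Descriptive fields the post says each inventory entry should carry:
# identification (vendor, type, name/number), version, and assignment (owner, location).
REQUIRED_FIELDS = ("asset_id", "asset_type", "vendor", "os_version", "owner", "location")

# Constructed sample inventory, as an MSP might export it.
INVENTORY = [
    {"asset_id": "WS-001", "asset_type": "workstation", "vendor": "ExampleCo",
     "os_version": "Windows 10 21H2", "owner": "front desk", "location": "reception",
     "mac": "00:11:22:33:44:01", "managed_by_msp": True},
    {"asset_id": "WS-002", "asset_type": "workstation", "vendor": "ExampleCo",
     "os_version": "", "owner": "", "location": "exam room 1",
     "mac": "00:11:22:33:44:02", "managed_by_msp": True},
    {"asset_id": "PRN-001", "asset_type": "printer", "vendor": "ExampleCo",
     "os_version": "fw 3.2", "owner": "office manager", "location": "back office",
     "mac": "00:11:22:33:44:10", "managed_by_msp": False},
]

# Constructed MAC addresses seen on the clinic LAN, e.g. copied from the
# router's DHCP lease table by the system administrator.
OBSERVED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"}


def incomplete_entries(inventory):
    """Return {asset_id: [missing fields]} for entries lacking required descriptive data."""
    gaps = {}
    for entry in inventory:
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            gaps[entry.get("asset_id", "<no id>")] = missing
    return gaps


def reconcile(inventory, observed_macs):
    """Compare inventory with observed devices; returns (unlisted, stale, unmanaged).

    unlisted  - MACs on the network with no inventory entry (identify and add them)
    stale     - inventory entries not seen on the network (retired, off-site, or mislabelled)
    unmanaged - listed devices the MSP does not manage (they still belong in the inventory)
    """
    by_mac = {e["mac"].lower(): e for e in inventory}
    seen = {m.lower() for m in observed_macs}
    unlisted = sorted(seen - set(by_mac))
    stale = sorted(e["asset_id"] for m, e in by_mac.items() if m not in seen)
    unmanaged = sorted(e["asset_id"] for e in inventory if not e.get("managed_by_msp"))
    return unlisted, stale, unmanaged
```

Each of the three lists is a follow-up item for the review meeting with the MSP, and the incomplete-entry report shows which records still need an owner, version or location before the inventory can be cited in the PIA amendment.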
In your PIA amendment, remember to include when you most recently completed your IT asset inventory, who was involved in the development, when it was reviewed by your custodians and leadership, and the actions that you took based on the results of your assessment.
See the Summer 2020 OCR Cybersecurity Newsletter Making a List and Checking it Twice: HIPAA and IT Asset Inventories and the additional resources to assist you with your IT Asset Inventory.
Security Vendor Questionnaire
Choosing a vendor to meet your cybersecurity needs is not an easy task. To help you, the National Cyber Security Alliance has created a checklist with some questions you should consider asking current or potential vendors. It is not exhaustive, but it gives you a good start. If you don't understand any of these questions, consider having a business partner or colleague help you interview vendors. And always remember to engage in a Service Level Agreement and Contract with the vendor so all expectations are clearly articulated.
If you are a healthcare provider, you may need an Information Management Agreement, too.
Bonus Tip – Keep your questions and responses from the vendor as part of your privacy and security risk assessment to demonstrate your diligence and commitment to reasonable safeguards to protect your business and your patients' health information.
If You Connect It, Protect It Resources
Use these resources from DHS NCSAM that you can download and share right away!
Here's a great no-cost opportunity to provide cyber security awareness training to your team!
October is Cybersecurity Awareness Month, a global effort to help everyone stay protected whenever and however you connect. The overarching theme for the month is, ‘Do Your Part. #BeCyberSmart.’ and Information Managers is proud to be a champion and support this online safety and education initiative this October.
Events This Month
- Worried About A Privacy Breach? – Live Oct 8
- Privacy and Security in Telehealth Summit – Live Oct 21
- Practical Privacy Officer – Live Oct 29
Information Managers Ltd has been a CyberSecurity Champion for many years – and now you can, too!
We want to help you, your family, friends and our community stay protected all year long, too. We encourage you to sign up as an individual Cybersecurity Awareness Month Champion. After signing up, you’ll receive a toolkit of free resources, including simple online safety habits and steps you can take to #BeCyberSmart.
National Cybersecurity Awareness Month is co-led by the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security. For more information about ways to keep you and your family safe online, visit https://staysafeonline.org/cybersecurity-awareness-month/ and/or cisa.gov/ncsam.
Be CyberSecurity Aware
- Demonstrate to your team the importance of cyber security at work.
- Share with your patients – by posters in your practice, blog posts, or your email newsletters – and demonstrate that your practice is cyber aware and you want to share tips with them.
- If you have team members who work remotely, work from home, use their own mobile devices, or use the internet to connect with apps and resources – give them additional skills to do their work as safely as possible.
- Help your team members better manage their own personal information in their personal lives – good habits that will help them at work, too!
Become a Champion here https://staysafeonline.org/ncsam/champions/
Follow Information Managers' blog posts, social media, and resources that you can download and use right away!