A HIPAA security risk assessment is a thorough evaluation of all the potential threats to a practice’s electronic protected health information (EPHI). There are three areas of emphasis in a risk assessment, as mandated by the HIPAA Omnibus Rule: administrative safeguards, technical safeguards and physical safeguards. Most HIPAA security risk assessment tools are in the form of questionnaires or checklists that review all the necessary risks and the components needed to safeguard EPHI in all three categories of risk. The assessment can be performed using an online or cloud document or a paper document. The key word here is document – as in, the assessment must be documented in written or electronic format.
HIPAA rules require that this assessment be performed on an annual basis. The rules also state that if areas of risk are identified, they must be fixed, or a plan developed and followed up on to fix the issues. The risk assessment is one of the key documents that the Dept. of Health and Human Services (HHS) reviews during a random HIPAA audit or an audit that results from a complaint.
The requirement for assessing risks stems from the need for any health care provider to be aware of vulnerabilities in the creation, use, transmission and storage of EPHI. This includes things such as backups, use of security software and firewalls, policies on the appropriate use of computers in health care facilities, the need for secure passwords and much more. A typical questionnaire used for a HIPAA risk assessment has in excess of 100 items to be reviewed.
And speaking of appropriate use of computers in health care facilities: they should NEVER be used to download any type of software that is not related to the practice. This includes music, games, personal email, photos, etc. HIPAA requires a practice to have a policy in place that prohibits this and that employees be made aware of the consequences of violating this policy (i.e., what disciplinary action will be taken).
If your practice has questions about or needs assistance with a security risk assessment, contact Tyler at firstname.lastname@example.org.
In order to protect the security of electronic protected health information (EPHI), all users of a health care facility’s computers must take precautions to prevent exposure of the EPHI to hackers or other entities that may exploit, damage or otherwise affect the integrity of the information. It is a common practice for doctors and other employees in a practice to use workplace computers to send and receive email messages. These messages may be of a personal or business nature and/or may contain patient information, such as images, x-rays, etc.
HIPAA requires that even messages not containing EPHI be sent securely, to minimize the potential for email tracking or “contamination” with viruses or malware that may get past firewalls and security software. Free email services, such as Gmail, Yahoo, AOL and others, are not secure and are vulnerable to hackers. It is possible to port email addresses from these providers through Outlook or other more secure email portals, such as a website, to minimize risks. Your IT support professional can assist you with this. Another issue with using Gmail, Yahoo and others as your business email is the lack of branding. In other words, if you are sending emails from your practice/business, the email should represent the practice, not Gmail. Your web domain should also be the domain of your email address. For example, our web domain is www.marygovoni.com, and our email addresses are email@example.com and firstname.lastname@example.org. Every time we send or receive emails, our “brand” or business name is utilized and is visible to potential clients. It should be the same for a dental practice. Your web hosting service can provide you with secure email that will provide the HIPAA-required security.
If you are sending email messages with EPHI (x-rays, etc.), those messages must be transmitted with a higher level of security. The reason for this in dentistry is not so much that the images or other information are so highly confidential. The key reason is that when images or attachments are sent with unencrypted emails, there is a traceable electronic pathway from that message/attachment back to the server where those messages are stored. This opens a portal for a security breach. There are many cost-effective encryption services available for dental practices, including some that will integrate directly into your practice management software. The chief complaint that we hear about using encryption is that “it takes so much longer” to send and receive encrypted messages. It really doesn’t take a great deal more time once the encryption service is installed and set up – it’s all about the perception and having to establish a new habit. Security breaches are increasing in frequency in health care and can be very costly to a practice. IT professionals estimate that the average cost of a security breach is approximately $100,000. Not to mention that this would create a very negative opinion of the practice for patients and perhaps a sense of distrust and resentment for not protecting their information.
If you have questions about secure email or encrypted email, contact Mary or Tyler at the above email addresses. We are happy to help with product and service recommendations.
On January 14, 2020, Microsoft’s Windows 7 will reach its end of life (the technical term for “it will no longer be updated or supported”). For any practices that are using the Windows 7 operating system this means that after that date, no more security updates will be available, and if the operating system crashes, Microsoft will no longer provide support to fix any issues. Aside from the obvious inconvenience of no support, this poses a security risk for any users, but even more so for health care facilities. The lack of security updates will make a dental practice’s software even more vulnerable to hackers who are attempting to access patient protected health information, and it becomes a security risk and a HIPAA violation.
Practices using Windows 7 must consult with their IT support professionals to determine what needs to be done to upgrade to Windows 10. This includes the server, workstations, and peripheral devices, such as cameras, printers, x-ray sensors, extraoral x-ray machines and any other devices that currently run on the Windows 7 platform. This upgrade may involve just a software installation, but it may require some hardware changes/upgrades as well. The latter may be especially important if a practice’s server is running Windows Server 2008 R2, which also reaches its end of life in terms of support on January 14, 2020. Since upgrading both software and hardware has an impact on a practice’s budget, it is a good idea to consult with an IT professional sooner rather than later, in order to plan for the needed changes.
Since many people tend to procrastinate on these types of upgrades, it may be difficult and more expensive to schedule IT support as the deadline gets closer. In addition, hackers will be prepared to exploit computers still running the unsupported software, which will make any computer running Windows 7 after January 14th an easy and preferred target.