NIST OCR Security Conference part 2This is the second episode covering the things David has to share from the NIST OCR Security conference: Safeguarding Health Information. There are many great points he picked up. As we review them, we keep coming back to the reminder that HIPAA is about patient care now.  Join us as we discuss everything from ransomware requirements to security for a small practice all in one episode.

HIPAA For MSPs by J. David Sims NIST & OCR Security Conference - Part Deux
00:00:00 00:00:00

NIST and OCR Security Conference Part Deux

Cybersecurity is not just an IT responsibility.  Everyone must participate in security for it to be successful.

Ransomware must be treated as a potential breach and requires LoProCo just like any other security incident.

Breaches of 500 plus patients this year are keeping OCR busy.

OCR watches the news – if you are on the news it is likely that you should have reported it to HHS. They will be very unhappy if they learn about a major issue they expect to be hearing from you about it.

The headlines everyone talks about with OCR enforcement are the big settlement announcements.  In reality though less than 1% of the cases that OCR investigates end up with a monetary penalty.

Encryption is not a be-all-end-all solution to security.  Yes, you should be encrypting your devices.  Definitely, encrypt anything that moves and has data or access details on it.  However, there is a misconception that encryption protects against all types of security incidents.  If you are logged into a computer working the encryption is essentially turned off so that you can work.

HIPAA certified is not a thing. OCR reiterated that fact. The FTC may investigate claims of being HIPAA certified or guarantees of HIPAA compliance.  Notify OCR or the FTC if you feel someone is making these claims in a fraudulent manner.

OCR made it clear that there is not a model security risk analysis. They do not offer them because everyone should be different.  Each organization looks and works differently.  Therefore, the security risk analysis will not be exactly the same for each one.

A self-audit is not a security risk analysis.  A security risk analysis looks at more than just a checklist of what you are supposed to do under the HIPAA security rule.  It also covers more than the technical safeguard requirements.  Evaluate all the places that PHI is created, received, maintained, or transmitted and work from there.

Managing top risks in healthcare.

It is not about compliance it is about patient care.  We say it but there were points that reiterated that in this conference.

Deceptive vendors beware – the FTC is coming for you.  After the findings in the eClinicalWorks investigation, the FTC is very aware and interested in what these vendors have been doing and claiming.

HIPAA is not a goal with an ending it is an ongoing process.  There is no destination point where the process ends.  It is not a once a year activity.  HIPAA is an everyday process.  That is what makes it so hard when you get asked how much is this going to cost me from beginning to end.  There really isn’t an end. Just by asking the question you know you need to do a lot of education with this group.

Reducing risk for small practices was a specific session at the conference.  A major point of that discussion is that they stated clearly that awareness and education are the most cost-effective measures for protecting your valuable assets.

Phishing training is a great way to help protect yourself.  Many major breaches involved some phishing email that lit the fuse.


Finally, we reach the end of our reverse hosting episodes.  OCR NIST Security conferences are always very informative and help us learn about the trends and activities of those setting direction for HIPAA and cybersecurity in general.