The Power of UDADS in HIPAA Compliance


As cyber threats have proliferated across the globe in the past few years, HIPAA requirements have
become increasingly stringent, forcing companies that handle private healthcare information to take
swift, compliant action. The goal for a healthcare organization's business, audit, compliance, risk,
and security disciplines is not only to protect the information of both its customers and its
employees, but also to make the protection of that information a core business principle that every
company doing business with the healthcare organization is obliged to follow, in order to prevent
future data breaches and medical information theft.

HIPAA compliance is no longer just an audit, compliance, and risk discussion; it is becoming an
overall business discussion. Following the 2014 data breaches at companies such as Sony, JP Morgan
Chase, Goodwill Industries, and The Home Depot, to name a few, any leniency that the Health &
Human Services Department once showed companies violating HIPAA requirements will likely
vanish. The tremendous publicity that data and security breaches outside the HIPAA discipline have
generated will put more pressure on the Health and Human Services Office for Civil Rights (OCR)
to enforce HIPAA when breaches occur. Interestingly enough, HIPAA has a plan to launch its own
audit program in 2015, which will audit all covered entities and their respective business associates.


With these upcoming audits and requirements, it is safe to say that the Health & Human Services
Department is looking to crack down on negligent, reckless healthcare data protection and
cybersecurity practices around HIPAA data. I expect updated HIPAA requirements and audit
information to be released in the upcoming months, which will result in unplanned data protection
and cybersecurity initiatives becoming a boardroom topic as organizations work to ensure they are
compliant in 2015.

Over the years, I have developed a number of security and data protection programs for healthcare,
financial services, pharmaceutical, manufacturing, retail, and information technology industries.
What I have learned is that there are a few simple recommendations when developing a HIPAA
compliant program that fundamentally will provide the building blocks for successful HIPAA audits,
and I call that UDADS (U – User; D – Data; A – Audit; D – Data; S – Secure). Please note that data is
referenced twice – you will see why below.


User (employee, contractor, vendor, and third-party provider) authentication/authorization:
o Each system user should have a unique identifier (i.e. a unique user name);

o Automatic logoff: a user's session has to be terminated after a fixed period of inactivity;
- this can have a significant impact on business operations; therefore, make sure
business leaders / champions understand "why this is important to their business,
their customers, their brand"

o The backend part of the system must verify the user's permissions to execute an
operation and must allow it only for authorized users – no "generic" accounts
(e.g. user 1, admin 1)

o The web application has to be protected from cross-site request forgery (CSRF) attacks
– this attack vector is still one of the simplest to protect against, yet it is often exploited
by cyber criminals
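The three server-side controls listed above (fixed inactivity logoff, per-user authorization with no generic accounts, and CSRF protection on state-changing requests) can be demonstrated in one request gate. This is an added example, not code from the article; the 15-minute timeout, the user names and the permission table are assumed sample values, and the session store is in-memory for illustration.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed fixed inactivity window

# Assumed sample permission table keyed by unique user name (no shared "admin" entry).
PERMISSIONS = {"alice": {"read_record", "update_record"}, "bob": {"read_record"}}


class SessionStore:
    """Sessions keyed by an opaque id; each carries user, last activity and a CSRF token."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so expiry can be tested deterministically
        self._sessions = {}

    def login(self, user_id):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "last_seen": self._clock(),
                               "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf"]

    def touch(self, sid):
        """Return the live session, or terminate it (automatic logoff) if idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # server-side termination, not just a client redirect
            return None
        s["last_seen"] = now
        return s


def handle_request(store, sid, action, csrf_token=None, mutating=False):
    """Backend gate: valid session, CSRF token for mutating ops, then explicit permission."""
    s = store.touch(sid)
    if s is None:
        return (401, "session expired or unknown; log in again")
    if mutating and not (csrf_token and hmac.compare_digest(csrf_token, s["csrf"])):
        return (403, "missing or invalid CSRF token")
    if action not in PERMISSIONS.get(s["user"], set()):
        return (403, "user not authorized for this operation")
    return (200, f"{s['user']} performed {action}")
```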

26 Cyber Warnings E-Magazine – February 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
