Complying with HIPAA isn’t enough to protect health care organizations

Written on Oct 6, 2022

By Jessica Salerno-Shumaker, OSCPA senior content manager  

Compliance and cybersecurity in health care must work together to be successful.  

“You can be fully compliant, but your organization might not be secure,” said Mike Moran, president of Affiliated Resource Group. “And you can have a great suite of IT security protection programs in place that may not be compliant.”

Moran said if a health care organization is fully compliant but doesn’t have proper cybersecurity in place, a ransomware attack could render its systems inoperable and leave it open to HIPAA violations. But if a health care entity has focused only on cybersecurity and not taken care to ensure it is fully compliant, it could be breaking other health care laws. He will discuss cybersecurity and compliance at the Oct. 19 Health Care Conference.

From a risk management perspective, Moran said, leaders need to work with both sides to ensure a thoughtful approach is taken by everyone to understand different roles and responsibilities.  

“Get an actual risk assessment,” he said. “A HIPAA risk assessment goes through the specific policies and procedures, and many organizations don't have those policies and procedures formalized. But getting a risk assessment and looking at your exposures should be done annually, and it should be more than just answering a question checklist.”

Moran said in the last few years, cyberattack insurance claims have gone up exponentially, and “…the insurance providers are shifting that risk back to their policyholders by requiring them to do specific cybersecurity things to improve their protection so that their organization is more secure.”  

HIPAA rules will continue to evolve, Moran said, as cloud technology progresses. Health care organizations will need to regularly consider if the technology they have is being used effectively and if it’s being protected effectively.   

“Buying the tools alone is not going to guarantee your success,” he said. “You must configure those, you must constantly monitor those, and you must act on the information. You must have people that are trained and experienced at doing those things.”  

The relationship between compliance and cybersecurity should not be overlooked, Moran said, and although he acknowledged there might be “some fatigue” around the conversation, leaders must continue to improve processes.

“The bottom line is you're expected to provide a reasonable level of due care over the data and the information you have about your patients and your residents,” he said. “It's your responsibility to manage that protected data with a reasonable level of due care.”