[BreachExchange] Avoid These Common HITRUST Compliance Mistakes

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 21 20:03:59 EDT 2017


https://www.healthitoutcomes.com/doc/avoid-these-common-hitrust-compliance-mistake-0001

Healthcare data security matters more now than ever. Healthcare data breaches
exposed more than 16 million records in 2016 alone, and healthcare
organizations remain an appealing target for attackers seeking sensitive
information.

To keep that data secure, these organizations must comply with the HIPAA
Privacy and Security Rules, ideally by adopting the HITRUST (Health
Information Trust Alliance) Common Security Framework (CSF), which maps the
HIPAA requirements to specific, auditable controls. Because the HIPAA rules
describe required outcomes rather than prescribing particular controls,
organizations interpret them inconsistently and compliance mistakes are
common.

To improve cyber resiliency, follow these steps to avoid some of the most
common HITRUST compliance mistakes.

1. Don’t Skip Risk Assessment

The HIPAA Security Rule requires covered entities and their business
associates to conduct a risk analysis, because it is the basis for finding
weaknesses in existing safeguards, rating the risk they pose to electronic
protected health information, and choosing controls proportionate to that
risk. When updating security measures, the risk assessment is much more
than a preliminary step: it is the groundwork for every change that will
make the organization safer, and it is also the first thing an assessor
will ask to see.

It is also not possible to perform one risk assessment and call it done. As
an organization changes and grows, it must repeat the assessment on a
regular schedule and whenever something significant changes (a new system
or vendor, an acquisition, a security incident) to confirm that its
safeguards still adequately protect patients.

2. Don’t Duplicate Compliance Efforts

Many organizations trying to keep up with HIPAA also have to meet the
Payment Card Industry Data Security Standard (PCI DSS), and the two sets of
rules are often run as separate programs by separate teams. They overlap
substantially, however: access control, logging and monitoring, encryption,
vulnerability management and incident response appear in both, and the
HITRUST CSF maps its controls to both HIPAA and PCI DSS. To streamline the
effort, evaluate and implement the shared controls once, and keep a single
set of evidence that satisfies both assessments.

3. If An Emergency Occurs, Use An Incident Response Plan

Believe it or not, some organizations write an incident response plan to
be activated in case of a data breach and then never invoke it when a
breach actually occurs.

During an emergency it is easy to panic and forget that there are
procedures in place to protect the organization. Instead, follow the plan
so the damage is contained before it is too late, and rehearse the plan in
advance (for example, through tabletop exercises with the people who will
actually be on call) so that everyone knows their role when a breach
happens.

If no incident response plan exists, create one as part of any new security
measures rather than waiting for an incident to expose the gap.

To comply with the HIPAA regulations efficiently through HITRUST, start by
engaging an independent HITRUST CSF assessor, who can evaluate your
organization's current level of compliance, identify the gaps, and make the
transition as smooth as possible.