HIPAA IT Compliance

IT service providers are typically considered “business associates” of their healthcare clients. HIPAA IT compliance requires them to comply with portions of HIPAA.

They are required to sign a “business associate agreement” with each healthcare client. These agreements contractually obligate the providers to protect the privacy and security of the ePHI they handle on the client’s behalf.

Furthermore, IT providers may need their subcontractors to sign a business associate agreement if they handle ePHI for the provider’s client.

The most relevant part of HIPAA for IT service providers is the Security Rule. It sets broad requirements for protecting ePHI, and since the 2013 Omnibus Rule those requirements apply directly to business associates as well as to covered entities. Both must:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
  • Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.
  • Protect against reasonably anticipated uses or disclosures of ePHI that the Privacy Rule does not permit.
  • Ensure that their workforce complies with these requirements.

Questions to Consider

Are your security policies considered compliant with data protection and privacy requirements?

Do you have security policies in place? If so, do they ensure that you are protecting PHI in accordance with HIPAA? Specifically, the policies need to state how ePHI at rest is encrypted and how those encryption keys are rotated; state that data in transit is encrypted with TLS (SSL and early TLS versions should be disabled, not merely discouraged); and specify how access control lists (ACLs) around PHI are granted, reviewed, and revoked.
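The key-rotation requirement above is easiest to meet with envelope encryption: each record is encrypted under its own data-encryption key (DEK), and only the DEK is wrapped with a versioned key-encryption key (KEK), so rotating the KEK means re-wrapping small DEKs rather than re-encrypting every record. The Go program below is an added example written for this page, not code from the original or from any vendor product; the in-memory Keyring, the version numbers, and the sample record are assumptions (in production the KEKs would sit in a KMS or HSM and the records in a database).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keyring holds every KEK still trusted for decryption plus the version that
// new writes use; Keys[Current] must exist. An in-memory map is an assumption
// for this example; in production the KEKs live in a KMS or HSM.
type Keyring struct {
	Current int
	Keys    map[int][]byte
}

// Record is one PHI blob at rest: data sealed under a per-record DEK, and
// that DEK wrapped under a versioned KEK (nonces are prepended to both).
type Record struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is unrecoverable
	}
	return b
}

func NewKey() []byte { return random(32) } // AES-256

// kekAAD binds a wrapped DEK to the KEK version it was wrapped under.
func kekAAD(v int) []byte { return []byte(fmt.Sprintf("kek-v%d", v)) }

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := random(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; the GCM tag check rejects tampering or a wrong key.
func open(key, data, aad []byte) ([]byte, error) {
	aead := gcm(key)
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], aad)
}

// Encrypt seals phi under a fresh DEK and wraps that DEK with the current KEK.
func Encrypt(kr *Keyring, phi []byte) *Record {
	dek := NewKey()
	wrapped := seal(kr.Keys[kr.Current], dek, kekAAD(kr.Current))
	return &Record{KEKVersion: kr.Current, WrappedDEK: wrapped, Ciphertext: seal(dek, phi, nil)}
}

// unwrapDEK recovers the DEK; it fails once the record's KEK has been retired.
func unwrapDEK(kr *Keyring, r *Record) ([]byte, error) {
	kek, ok := kr.Keys[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK v%d retired or unknown", r.KEKVersion)
	}
	return open(kek, r.WrappedDEK, kekAAD(r.KEKVersion))
}

func Decrypt(kr *Keyring, r *Record) ([]byte, error) {
	dek, err := unwrapDEK(kr, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under the current KEK. The PHI ciphertext is
// untouched, so rotation costs one small unwrap/wrap per record.
func RotateKEK(kr *Keyring, r *Record) error {
	dek, err := unwrapDEK(kr, r)
	if err != nil {
		return err
	}
	r.WrappedDEK, r.KEKVersion = seal(kr.Keys[kr.Current], dek, kekAAD(kr.Current)), kr.Current
	return nil
}

func main() {
	kr := &Keyring{Current: 1, Keys: map[int][]byte{1: NewKey()}}
	rec := Encrypt(kr, []byte("MRN 000123: constructed sample record"))
	kr.Keys[2], kr.Current = NewKey(), 2 // introduce KEK v2
	_ = RotateKEK(kr, rec)
	delete(kr.Keys, 1) // retire v1; the record stays readable under v2
	pt, err := Decrypt(kr, rec)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Run as written, it encrypts one record under KEK v1, introduces v2, rotates, retires v1, and prints the record still decrypting under v2; a record left wrapped under the retired key becomes unreadable, and any tampered or truncated ciphertext fails the GCM tag check instead of decrypting silently. This covers the rotation mechanism only; the ACL and TLS points in the policy need their own controls.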

Are audits carried out to confirm compliance with information security policies?

Internal audits should be carried out under the guidance of your Chief Security Officer (CSO) to confirm that the policies are actually followed and that your applications are checked against the current OWASP Top 10 categories.

What is OWASP? The Open Web Application Security Project (OWASP, renamed the Open Worldwide Application Security Project in 2023) is a non-profit organization dedicated to providing unbiased, practical information about application security. When you are asked to run an external penetration test on your application, the vendor you select should cover at least the OWASP Top 10. The OWASP Top 10 represents a broad consensus on the most critical web application security flaws. The flaws on this list occur frequently in web applications and are often easy to find and easy to exploit. They are dangerous because they frequently allow attackers to take over your software completely, steal data, or stop your software from working at all.

For vulnerability assessments, we typically point people to Rapid7's Nexpose. Vulnerability management lets you find known weaknesses in your systems before an attacker does, so they can be patched, reconfigured, or otherwise mitigated while they are still just findings. Keep in mind that a scanner reports known, signature-matched issues; it does not replace a penetration test, which looks for logic flaws and chains of weaknesses a scanner cannot see.

Are third party suppliers audited to confirm compliance with information security policies?

Your own supply chain needs auditing too. You will need to be able to show that the third-party suppliers who touch ePHI on your behalf (the subcontractors who signed a business associate agreement with you) are audited for compliance with your information security policies by your CSO or CTO.

Are vulnerability scans or penetration tests carried out on the external-facing network?

Vulnerability scans and penetration tests need to be carried out on your external-facing network on a regular schedule, monthly in our recommendation, so that known vulnerabilities (those with published fixes, as opposed to zero-days) are found and remediated before anyone uses them to break in.

Are these scans carried out by an independent third-party?

Don't rely on scans you run yourself. Have them carried out by an independent, certified third party, so that the results are credible to your auditors and your healthcare clients.