Below are the highlights from the 20th National HIPAA summit that just occurred.
Anyone know more about passwords needing to be 12 characters and not 8?
- The Privacy Rule: Don't surprise the patient with a use or disclosure they don't expect; "it's that simple."
- HIPAA says you must get your health record when you ask for it; but some providers still think they don't have to give it to the patient on occasion
- If you don't encrypt a mobile device you are in violation, because you have to put in reasonable protections, and encryption is the only protection for mobile devices
- Take reasonable and appropriate steps to reduce risk; those terms are used throughout all pages of the privacy and security rule
- Don't just train once, "as some of you have done," Braithwaite said, widening his eyes at the audience. Do it at least annually and have training material reflect what you found in your risk assessment
- Username and password alone are not satisfactory protection for logging in from a home computer
- 39% of privacy breach incidents on the OCR "Wall of Shame" (the website listing breaches affecting 500 or more individuals) involved a laptop or mobile device
- 88% of exposed records are mobile-media related
- Ponemon study says 60% of breaches have a strong malicious component
- Business associates involved in half of breaches
- You may have a great security plan, but it's only as good as your incident response plan for breaches
- Where did attacks on your organization originate: is it internal or external? You may have to do forensic investigation and preservation.
- Containing a breach? Just because you block a certain IP address, if they're already in, it doesn't matter. You have to block them out.
- No. 1 failure we see on breach response? Failure to patch things.
- If you're running something like Windows 98, you may want to update that. Turn things on like failed log-in detection. It may not be a default feature.
- Physical security is a concern; a server sitting right behind the receptionist in a doctor's office is not good
- Any eight-character password can be broken in two hours. You need 12 characters these days; it takes 17 years to hack a 12-character password. "Eight-character passwords are dead," Nelson said.
- Have an exit/termination checklist. Did you get all keys, tokens, passwords, log-ins, disable remote access, when an employee is no longer with a company?
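On the 8-versus-12 question: the reason length matters so much is that every extra character multiplies the number of candidate passwords by the size of the character set, so the worst-case time to try them all grows exponentially. The calculation below is an added example (not from the summit or the speakers); the character-set sizes, the 1e10 guesses-per-second rate and the 20-year horizon are assumptions chosen to illustrate the scaling, not figures from the talk.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed character-set sizes (illustrative, not from the summit notes).
CHARSETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def exhaustive_search_seconds(charset_size: int, length: int,
                              guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at a given rate."""
    return keyspace(charset_size, length) / guesses_per_second


def length_for_horizon(charset_size: int, guesses_per_second: float,
                       horizon_seconds: float) -> int:
    """Smallest length whose full keyspace takes at least `horizon_seconds`
    to exhaust.  Uses an exact integer loop rather than floating-point logs
    so the boundary case is never off by one."""
    needed = guesses_per_second * horizon_seconds
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    RATE = 1e10          # assumed offline guessing rate, guesses per second
    HORIZON = 20 * SECONDS_PER_YEAR
    for name, size in CHARSETS.items():
        t8 = exhaustive_search_seconds(size, 8, RATE) / SECONDS_PER_YEAR
        t12 = exhaustive_search_seconds(size, 12, RATE) / SECONDS_PER_YEAR
        # Going from 8 to 12 characters multiplies the keyspace by size**4.
        growth = keyspace(size, 12) // keyspace(size, 8)
        need = length_for_horizon(size, RATE, HORIZON)
        print(f"{name:18s} 8 chars: {t8:10.3g} yr  12 chars: {t12:10.3g} yr  "
              f"x{growth:,}  length for 20 yr: {need}")
```

The printed table shows that the jump from 8 to 12 characters is a factor of charset_size to the fourth power (over 81 million for printable ASCII), which is why the speaker's point holds regardless of the exact guessing rate assumed.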
Touchstone Health Partners