If you are required to be HIPAA compliant, suffering a data breach, whether from outside your network or from within, is probably only the start of your problems. If 500 or more patient records were compromised, you will have to disclose the breach, and from that point on the entire incident is a matter of public record.
Putting aside the breach itself and the extremely bad publicity, you will also have to deal with a government audit. The auditors will want to see your technical procedures and know what you were doing to protect patient health records. Your business or medical practice could be hit with serious fines if, for example, you did not have anti-virus software running on a PC that has access to your file server or patient database.
Here is a basic list of what you or your IT company should be doing to protect your network:
WiFi: Do you know whether the WiFi network you share with guests also has direct access to your internal network? Your guest WiFi should be separate, and your internal WiFi should have an obscure SSID and a complex password.
Anti-Virus Software: Not only do you need AV software running on all of your workstations, you need to be able to prove it. Your AV software should be monitored and kept updated.
Backup: Your backup must be HIPAA compliant as well, meaning it needs to be encrypted with at least 256-bit encryption both in transit and at rest. If you are backing up to a local USB drive, that drive is required to be encrypted too.
Screen Saver Passwords: All workstations should have a password-protected screen saver that times out after a short idle period and forces the user to log back in before regaining access.
Laptops: Laptop hard drives should be encrypted as well, in case they are lost or stolen.
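Auditors ask for proof, not promises, so here is an added example (not from the original post) of a PowerShell evidence snapshot covering three of the checklist items above on a Windows 10/11 workstation: registered anti-virus state, screen-lock settings and BitLocker status on the system drive. The 15-minute screen-lock threshold is an assumption for illustration; run it in an elevated session so the BitLocker query succeeds.

```powershell
# Added example: gather per-workstation evidence for the HIPAA checklist above.
# Assumes Windows 10/11, PowerShell 5.1+, elevated session (for Get-BitLockerVolume).

function Get-AntiVirusEvidence {
    # Windows Security Center lists each registered AV product and a state bitfield.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $state = '{0:X6}' -f $_.productState       # e.g. 266240 -> '041000'
            [pscustomobject]@{
                Control  = 'Anti-Virus'
                Product  = $_.displayName
                Enabled  = $state.Substring(2, 2) -in @('10', '11')  # real-time protection on
                UpToDate = $state.Substring(4, 2) -eq '00'           # definitions current
                LastSeen = $_.timestamp
            }
        }
}

function Get-ScreenLockEvidence {
    # Per-user screen saver settings; a GPO may also enforce them under HKCU:\Software\Policies.
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $timeout = 0
    if ($desk.ScreenSaveTimeOut) { $timeout = [int]$desk.ScreenSaveTimeOut }
    $active = $desk.ScreenSaveActive -eq '1'
    $secure = $desk.ScreenSaverIsSecure -eq '1'
    [pscustomobject]@{
        Control        = 'Screen Lock'
        Active         = $active
        RequiresLogon  = $secure
        TimeoutSeconds = $timeout
        Compliant      = $active -and $secure -and $timeout -gt 0 -and $timeout -le 900  # 15 min: assumed threshold
    }
}

function Get-DiskEncryptionEvidence {
    # Full-disk encryption on the OS volume (covers the laptop item).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $status = 'Unknown (module missing or not elevated)'
    if ($vol) { $status = [string]$vol.ProtectionStatus }
    [pscustomobject]@{
        Control          = 'Disk Encryption'
        Volume           = $env:SystemDrive
        ProtectionStatus = $status
        Compliant        = [bool]($vol -and $vol.ProtectionStatus -eq 'On')
    }
}

$report = @(Get-AntiVirusEvidence) + @(Get-ScreenLockEvidence) + @(Get-DiskEncryptionEvidence)
$report | Format-List
# Archive a dated copy as audit evidence for this machine.
$report | ConvertTo-Json -Depth 3 |
    Set-Content -Path ("{0}-hipaa-evidence-{1:yyyyMMdd}.json" -f $env:COMPUTERNAME, (Get-Date))
```

Collecting the JSON from every workstation on a schedule gives you the dated record an auditor will ask for, rather than a verbal assurance that AV was running.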
The lesson here is that wherever patient health information lives, the device, platform or storage holding it needs to be secured and protected at all times.
If you are a medical practice or a company in the New York City area that needs to be HIPAA compliant and would like a free consultation, please contact us.