The importance of compliance in data centers

Thursday, December 15, 2016

Companies need to take their cybersecurity measures seriously, and they can start by working with data centers that also place considerable weight on their IT security efforts. Failing to do so could not only cause these companies to lose critical data and customers, it could also result in hefty penalties: settlements and civil monetary penalties from HHS's Office for Civil Rights at the federal level and, since the HITECH Act, enforcement actions by state attorneys general, for not operating in compliance with HIPAA regulations.


Unfortunately, many companies fail to take the proper steps to prevent breaches, whether the attackers are nation-state actors, terrorists or "hacktivists." They also fail to align themselves with data centers that understand how to protect critical data, which we'll discuss shortly.

Companies need to work with data centers that take progressive measures to defend themselves and their data. These centers should have the following, as outlined by the Practical Law Company:

  • A cybersecurity team led by a chief compliance officer. The team's role is to not only prevent cyberattacks but to also ensure the company is in compliance with HIPAA standards.
  • A response plan that not only outlines how to help the company recover but also to reach out to those affected.
  • A practical understanding of how cyberattacks work and how IT teams can block them.
  • An agreement in place to comply with employee, company, and state and federal regulations, and ensure your workforce also understands them.

What happens if a breach occurs?
Companies that fail to act swiftly and appropriately after a breach can face severe financial repercussions, which spotlights just how critical it is that they work with a center that knows how to keep even the most sophisticated cybercriminals at bay and, as the cases below show, how to handle the far more ordinary failures: unvetted cloud services, unencrypted portable devices and employees who open records they have no reason to see.

Take for example St. Elizabeth's Medical Center in Brighton, Massachusetts. The center violated HIPAA's requirements for electronic protected health information (ePHI) and agreed to pay a settlement of over $218,000. The Office for Civil Rights, according to Modern Healthcare, found that St. Elizabeth's used an internet-based document-sharing application to store the ePHI of nearly 500 individuals "without having analyzed the risks associated with such a practice."

Scary stuff.

But it only gets worse. The OCR said that 595 people were affected when a former employee kept patient-identifiable health records on a personal laptop and USB flash drive. These items were later stolen.

"OCR's investigation determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome," OCR said, per the source. "Separately, on August 25, 2014, SEMC submitted notification to HHS OCR regarding a breach of unsecured ePHI stored on a former SEMC workforce member's personal laptop and USB flash drive, affecting 595 individuals."

On average, according to Modern Healthcare, which cited a report by Skyhigh Networks, healthcare organizations use just under 930 cloud-based services without permission from their IT departments. Every one of those is an unanalyzed data flow of exactly the kind that got St. Elizabeth's into trouble.

While some companies may be able to take this kind of financial hit, others simply can't. That's why they should not only upgrade their current IT security systems and take the time to understand and abide by HIPAA regulations, they must also work with data centers that can securely store their data. Placing unencrypted ePHI on personal laptops or flash drives, with no risk analysis behind the decision, is unacceptable, as you can see.

How should companies properly navigate a breach?
While every company will act differently after a cyberattack, a good way to figure out how you should act is to examine successful case studies. Here's one:

Health Access Network fired an employee because she improperly accessed important patient clinical information, noted its CEO, according to Nick Sambides Jr. of BDN Maine Health.

The center acted within the 60-day notification window set by HIPAA's Breach Notification Rule, reaching out to the Department of Justice and the U.S. Attorney General's office and sending letters to the 500 patients who were affected. It did not send letters to patients whose files were not accessed.


"Our investigation required a detailed review of every patient record this employee had accessed during the time of her employment. That's our reason for it," Chief Executive Officer Bill Diggins said, according to BDN Maine Health. "We did enough of an investigation to see if there was proof. We did not know what the total access was, and we had to review every file she had contact with or opened. Then we had to determine whether her access was appropriate, and that took until the letters went out."

Health Access Network made sure it was compliant with HIPAA rules, and there is a very good chance the organization will avoid paying penalties.
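The review Diggins describes, that is, listing every record the employee opened and deciding which of those accesses had no legitimate clinical reason, is an audit-log scoping exercise, and the notification clock starts at discovery. The block below is an added example, not Health Access Network's process or code: it runs that review over a constructed EHR access log and a constructed treatment-relationship table, then derives the Breach Notification Rule deadlines from the discovery date. The log columns, user names, patient IDs and care-team assignments are all assumptions made for the example.

```python
"""Breach scoping over an EHR access audit log (added example, not the
article's or any organization's code).

Assumptions (constructed for this example): a line-oriented audit log
with the columns timestamp,user,patient_id,action, and a table mapping
each patient to the users who had a treatment relationship with them.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample audit log: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2016-09-01T08:02:11,jdoe,P1001,view_chart
2016-09-01T08:05:40,jdoe,P1002,view_chart
2016-09-01T12:14:03,jdoe,P2077,view_chart
2016-09-02T09:30:00,asmith,P2077,view_chart
2016-09-02T17:45:12,jdoe,P2078,view_labs
2016-09-03T07:59:59,jdoe,P1001,update_meds
2016-09-03T22:10:44,jdoe,P3141,view_chart
"""

# Constructed treatment relationships: patient -> users on the care team.
CARE_TEAM = {
    "P1001": {"jdoe", "asmith"},
    "P1002": {"jdoe"},
    "P2077": {"asmith"},
    "P2078": {"asmith"},
    "P3141": {"bwong"},
}


def parse_audit_log(text):
    """Parse the CSV-style audit lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def scope_breach(records, user, start, end, care_team):
    """Every patient the user touched in [start, end], and the subset whose
    chart the user had no treatment relationship with (those get letters)."""
    accessed = defaultdict(list)  # patient -> [(timestamp, action), ...]
    for r in records:
        if r["user"] == user and start <= r["ts"] <= end:
            accessed[r["patient"]].append((r["ts"], r["action"]))
    inappropriate = {p: ev for p, ev in accessed.items()
                     if user not in care_team.get(p, set())}
    return {"reviewed": sorted(accessed),
            "notify": sorted(inappropriate),
            "events": inappropriate}


def notification_plan(discovery, affected_count):
    """Deadlines under the HIPAA Breach Notification Rule (45 CFR 164.404-408):
    individual notice without unreasonable delay and no later than 60 calendar
    days after discovery; HHS notice in the same window when 500 or more
    individuals are affected, otherwise logged and reported within 60 days after
    the calendar year ends; media notice when more than 500 residents of one
    state are involved (this example treats affected_count as one state's total,
    an assumption)."""
    individual_by = discovery + timedelta(days=60)
    year_end_plus_60 = date(discovery.year, 12, 31) + timedelta(days=60)
    return {"individual_notice_by": individual_by,
            "hhs_notice_by": individual_by if affected_count >= 500 else year_end_plus_60,
            "media_notice_required": affected_count > 500}


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    result = scope_breach(recs, "jdoe", datetime(2016, 9, 1),
                          datetime(2016, 9, 3, 23, 59, 59), CARE_TEAM)
    print("records reviewed:", result["reviewed"])
    print("patients to notify:", result["notify"])
    print(notification_plan(date(2016, 9, 5), len(result["notify"])))
```

The treatment-relationship table is the part that needs care in a real investigation: an employee's role alone does not settle whether an access was appropriate, because a clinician can still open charts of patients they never treated, so the comparison has to be against encounter or assignment data pulled from the EHR, and the access log must cover the whole employment period, as Diggins's review did.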

What are the next steps?

In this article, we've discussed everything from why companies should place tremendous value on cybersecurity protocols to what happens when they don't.

If you're revamping your IT security efforts, here are the steps we suggest you take:

  1. Analyze your current IT defense systems.
  2. Examine your IT team to ensure it's following compliance protocols, and bring on a chief compliance officer to oversee IT security operations.
  3. Create a plan that details how your company should respond to a breach.
  4. Instruct all employees in your company (not just IT personnel) about proper HIPAA regulations and violations.
  5. Constantly review your IT security efforts. Technology and processes become outdated quickly, especially because cybercriminals are always evolving and becoming more advanced.
  6. Work with a data center that also has many of these systems, processes and regulations in place. They too should have an expert IT team on hand to prevent breaches, use top IT security programs and have a plan of action in case a breach occurs.

We're sure you can think of many more ways you can keep your data center protected, but the point is this: IT security should always be at the top of your to-do list.