By Evan Houser and Mike Long
The Health Insurance Portability and Accountability Act (HIPAA) applies to every institution that transmits, stores, or processes health information in electronic form, also known as electronic Protected Health Information (ePHI). As a result, these covered entities and business associates must be HIPAA compliant; failure to comply can result in penalties defined by HIPAA being levied on an institution.
We partnered with a software vendor, HIPAAtrek, to get our bearings, and after several months of preparation we were ready to perform our first HIPAA assessment. We sought out various opportunities within the Fredericksburg area and ultimately collaborated with Fredericksburg Christian Health Center (FCHC) to conduct an assessment of their network. FCHC was chosen in large part because of the synchronicity between their mission to the Fredericksburg community and our SimV core values. FCHC is a non-profit organization that serves those who cannot afford health care with quality health care in the name of Jesus. They minister to the body, mind, and spirit so that healing can come about in all three, and it is their vision to see their patients and the community as a whole experience healing and wholeness through Jesus Christ. Their desire is not just to “…push patients through a broken healthcare system, but to partner with them to seek God’s healing, make lifestyle changes, and choose evidence-based interventions for preventing and treating illness or injury.”
Our goal was to use our collective knowledge to assess their risk and provide a comprehensive report detailing what we found. This would allow them to understand their risk exposure and determine how to mitigate or fully remediate issues to prevent a security breach. The assessment also protects FCHC from one of the most common findings the Office of Civil Rights (OCR) makes in its investigations: the failure to perform a risk assessment at all.
Our assessment comprised a site visit with in-depth interviews covering over 390 questions, facility checks, network vulnerability scans, and verification from IT service providers, combined to form a holistic view of HIPAA compliance. We could not have completed this process without the efforts of Sarah Badahman, owner of HIPAAtrek. Her assistance in question formation, meetings, and knowledge dumps eased our dive into this area.
HIPAA assessments are very much like the Risk Management Framework (RMF) on the DoD side. This is a knowledge-growing process that lets our customers see where their risk areas are and receive recommendations on what to take care of first to get the most bang for the buck. In doing this, we are committed to giving our customers visibility of their risk and showing the OCR, in case of an audit, that they have acted with due diligence.
Hacking of healthcare institutions is an area of concern that grows each day. Every day an institution goes without assessing its risk profile is a day when a breach can happen. A breach can negatively affect the business and the customer, and that, in turn, can affect the life of the patient. It is our job to give our business associates the information they need to protect themselves and the information of their patients.
John Lysher, VP of CSG, said, “This initial HIPAA assessment was the culmination of a vision CSG had many years ago to diversify into the healthcare arena because we recognized the inherent cybersecurity threats to this industry. The threat to our PII grows daily as we have transitioned to electronic medical records where our personal information is stored on a multitude of networks and in the cloud. Combating these threats aligns with CSG’s mission while at the same time providing SimV with an opportunity for diversification into new markets!”
About SimVentions, Inc.: SimVentions is a 100% employee-owned, DoD contractor focused on developing, integrating, and transitioning new technology to our country’s warfighters. SimVentions’ corporate office is located at 100 Riverside Pkwy, Suite 123, in Fredericksburg, VA, 22406. Their Dahlgren office address is 17021 Combs Drive Suite D, in King George, VA, 22485 and their Virginia Beach office address is 468 Viking Dr #210, Virginia Beach, VA, 23452. For additional information about SimVentions, please visit https://www.simventions.com/.
SimVentions is always looking for qualified candidates across all disciplines to work in the Fredericksburg, VA; Dahlgren, VA; Washington, D.C.; Charleston, SC; and Virginia Beach, VA areas. Apply online at https://www.simventions.com/careers.
About HIPAAtrek: Founded by healthcare professionals, HIPAAtrek has attracted industry experts in HIPAA compliance and healthcare administration. Learn more at https://www.hipaatrek.com/#.