This leaves them spending much of their time focusing on securing the new technological system, servers and network infrastructure, while worrying about policies later. According to a recent GovInfoSecurity report, policies are still a critical consideration when it comes to HIPAA compliance, and organizations need to focus on breach notification processes.
In an interview with the news source, industry expert Brian Dean explained that building a breach notification team and system is among the greatest challenges medical providers face when developing healthcare IT systems. While this is primarily a policy-focused area, technological considerations also come into play, because systems that monitor the IT configuration play an integral role in identifying when a breach has occurred.
Dean told GovInfoSecurity that organizations need to focus heavily on testing when it comes to breach notification. He explained that the team and the technologies supporting it should run through a simulated breach at least once a year and make sure they are equipped with the necessary systems and policies to support their efforts.
When asked how businesses should go about developing their breach response team, Dean highlighted a diverse range of methods that can successfully prepare a healthcare provider for a breach. However, he recommended developing a system that is not tied to a single department, so it is not inherently connected to a specific part of the organizational chart. The key in all of this is to have the types of skilled personnel available within an organization to respond to a breach appropriately.
"Organizational savvy is often lacking, and what I mean by that is having people at the table who understand the organizational structure and are savvy enough to know who needs to be at the table in the event of a breach. All breaches come in different shapes and sizes and having the right people at the table to triage that is imperative," Dean told GovInfoSecurity.
Businesses can ease their breach notification burdens by outsourcing services and data storage to a HIPAA-compliant hosting provider. This gives them access to outsourced resources designed specifically to meet HIPAA requirements and help medical providers manage their IT systems and policies more effectively.