HIPPA Compliance
Securing your data through managed encryption.
PC Tech Troop partners with Beach Head to provide Simply Secure, which is a managed encryption solution to protect your data. Proof of encryption is vital in preventing breaches and avoiding the exposure of fines from HHS. The ability to remote lock or wipe devices is extremely important in the task of securing data.
Click here to find out how this works?
Risk Assessments:
Risk assessments are required by HHS at least annually, when changes are made to your network and on many other occasions. PC Tech Troop utilizes scanning utilities to aid in a proper risk assessment and remediation reporting. We partner with RapidFire Tools because they offer the most comprehensive Risk and Compliancy Management solution available.
Encrypted Email
Encrypted email is a legal requirement for many industries. We offer a mix of solutions to meet those requirements. Please contact a team member to learn more.
Training Courses
Training and proof of training is vital in minimizing potential breaches and fines from HHS. We partner with 4Medapproved to provide training solutions to our clients. Please click on the 4Med logo below to find courses and gain access to discount codes you can utilize.
Click below to know more
What sets us apart from other MSP companies.
Standard solutions we implement at Medical and Dental offices.
Here are a many security measures we put in place to follow best practices at our client’s offices:
- Encryption at rest: Not only is the server encrypted, but each workstation is encrypted with managed encryption running on it. This allows for reporting and proof of encryption in case of an audit. With this solution a system is automatically locked down if invalid credentials are inputted too many times. Remote lockdown can also be initiated if a system is compromised, lost or stolen.
- Backup and emergency mode: With on site servers, we have an appliance sitting next to it that takes care of backups, retention and emergency mode initiation if necessary. Not only does this allow for the appliance to be enabled in minutes, if the primary server goes down for any reason, but it is replicated in the cloud in case the entire facility is down. The entire solution is encrypted at rest and the data in transit is also encrypted, to meet compliancy. This solution protects the practice from accidental or intentional deletion of data, virus/spyware issues, corruption of data due to hardware failure or cyberattacks, and if equipment is stolen or destroyed from any disasters. The off-site replication allows the server to be spun up virtually in the cloud, so you can access important data while a re-instatement of your local environment can be implemented.
- Firewall with security services: A firewall with security services is installed. Subnetting non PHI devices and running a firewall with scanning of packets, prior to entering the internal network, is critical for compliancy. Threats are constantly being developed and deployed by foreign actors as well as others trying to compromise company networks. This is why having a subscription based firewall, that is up to date, helps stop new threats that are introduced regularly.
- Encrypted and scanned email: We integrate an encrypted email solution with scanning to address threats through email and adhere to compliancy regulations. HHS requires email, used to communicate with patients and other providers that contains PHI, be encrypted and scanned for security purposes. Many threats can be kept out of entering the network by having email go through security scans, prior to being seen by a staff member. Many phishing and other dangerous emails can be tagged or quarantined to help minimize exposure.
- Risk assessments and remediation: A risk assessment and remediation must take place at a covered entity. This should include vulnerability scans and other tools to identify risks and develop remedies to improve the security and compliancy environment. This is an ongoing process, since new security threats are introduced regularly, and HHS requires this.
- Compliancy officer: We help the covered entity designate and properly train a compliancy officer. It is a legal requirement to have someone designated as the compliancy officer. That staff member must obtain training for the role, have it well defined and they must have the authority to carry out that role.
- Policy and Procedures: We work with the compliancy officer to develop written policies and procedures. This is vital since HHS requires it and it is needed so the staff knows what the policies and procedures are to maintain HIPAA compliancy protocols.
- Hardware and software: We help implement equipment that is kept up to date, by performing updates and reviewing manufacturers warranties. We work to meet or exceed requirements for use in medical environments.
- Security software: We implement and maintain security and scanning software that meets or exceeds best practices to help protect security and data integrity. It is critical to use software that properly scans for threats on individual equipment, and it must be updated regularly, with a subscription base model, to catch the latest challenges that arise.
- Maintenance: Our managed solution not only meets best practices by having our team monitor items, like patch management, but we have an additional NOC center as a second set of eyes, to keep things running smoothly.
- Business Associate Agreements: We signed a BAA with our client’s offices and we maintain BAA signed with our vendors or 3rd parties used to secure the environment. Many practices violate both state and federal law by hiring an IT company that either does not sign a BAA, or legally should not have signed one. We carry $2 Million of insurance just for cyber and compliancy areas, as well as implement stringent security measures, as a medical practice or covered entity would.
A Starting Point to Become HIPAA Compliant
I have listed some of the steps to getting started but have assumed you have had your patients already sign a privacy agreement, which most practices have.
- The first step you should be doing is appointing a HIPAA officer internally to handle the overall process.
- The second thing you should do is make sure that person is educated and trained to handle the position.
- The third item would be to put your compliancy book together with all your procedures and policies.
- The fourth step would be to have the HIPAA officer train your staff on the Policy and Procedures.
- The fifth step would be to make sure you have all your business associate agreements signed and placed in your book.
The next step would be to have someone do a Risk Assessment which is a required step. After the Risk Assessment a Risk Management Program should be developed to address what was found in the Risk Assessment. Then you should make a plan to implement the solutions, which need to be completed for compliancy and to minimize your risks. Usually this stage will include the remaining portions of your requirements which include having an emergency mode developed along with backup and disaster recovery scenarios.
Remember you need to follow through with your policies and procedures as well as document/log everything for auditing purposes to remain compliant.
We can assist you in performing a Risk Assessment and developing the remaining steps to reach compliancy. Please contact us with any questions, or to schedule an appointment for us to meet with your office to help you through this challenging process.