HIPAA TIP: Cybersecurity Questions to Ask Your IT Company

  1. Ask about multifactor authentication (MFA) and where it can be enforced: email accounts, remote access into the practice (VPN or remote desktop), logins to a cloud EMR or practice management system, and any third-party vendor connection into the organization's environment. Ask whether MFA is also required on the IT company's own administrative accounts, since those carry the broadest access.
  2. Request information on the backups the IT company performs. How many copies exist and where (the 3-2-1 rule: three copies of the data, on two different types of media, with one copy offsite)? Is at least one copy offline or immutable, so that ransomware on the network cannot encrypt or delete it? How often are backups tested by actually restoring data, rather than by checking that the backup job reported success? What is the retention policy (a month, a year)?
  3. What is the protocol for patching and updating devices, including workstations, laptops, and devices used remotely? How quickly are critical patches applied after release? How frequently is the firmware on firewalls and wireless access points checked against manufacturer updates?
  4. Confirm which devices (workstations, laptops, servers, and any portable media) have full-disk encryption enabled, and what algorithm and key length are used. AES with a 256-bit key is a strong, widely supported choice. Ask that encryption status be documented per device: under HHS guidance, a lost or stolen device whose PHI was encrypted consistent with NIST guidance is generally not a reportable breach, but only if you can show the device was encrypted. Note that disk encryption protects data on a powered-off or locked device; it does not protect a machine that is powered on and logged in.
  5. If your IT company provides security awareness training, is it sufficient, or would additional training be beneficial? Are simulated phishing emails sent to all staff on a regular schedule, and are the results tracked over time? Does the training cover cybersecurity topics as well as HIPAA privacy requirements?
  6. Ask your IT company to provide regular lists of enabled user accounts in Active Directory (and local accounts on servers and workstations), so you can confirm that staff who have resigned or been terminated are disabled. Include in the review every user and vendor/third party with remote access into the network, and check that access is removed when the relationship ends.
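As an added illustration of the account review in question 6, the following PowerShell script (not part of the original tip, nor code from Anatomy IT) produces three lists an IT company could hand over: all enabled Active Directory accounts, enabled accounts that have not logged on in 30 days (candidates for separated staff), and the members of remote-access groups. It assumes the RSAT ActiveDirectory module is installed and that the group names 'Remote Desktop Users' and 'VPN-Users' exist; the second name is an assumption and should be replaced with the groups your VPN or remote-desktop gateway actually uses.

```powershell
# Added example: enabled-account and remote-access review for an AD domain.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$StaleDays = 30
$Cutoff = (Get-Date).AddDays(-$StaleDays)
# Assumed group names; substitute the groups your remote-access tools use.
$RemoteAccessGroups = @('Remote Desktop Users', 'VPN-Users')

# 1. Every enabled account, with the attributes a reviewer needs to decide
#    whether it still belongs to a current employee or vendor.
#    LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
#    which can lag real activity by up to 14 days, so treat it as approximate.
$Enabled = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, whenCreated, Description, PasswordNeverExpires |
    Select-Object SamAccountName, Name, Description, LastLogonDate, whenCreated, PasswordNeverExpires

# 2. Enabled accounts with no recorded logon in $StaleDays days (or never).
$Stale = $Enabled | Where-Object {
    (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $Cutoff)
}

# 3. Members of the remote-access groups, resolved through nested groups,
#    with enabled/stale status so vendor accounts that should be gone stand out.
$Remote = foreach ($GroupName in $RemoteAccessGroups) {
    Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
            [pscustomobject]@{
                Group          = $GroupName
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                LastLogonDate  = $User.LastLogonDate
                Stale          = (-not $User.LastLogonDate) -or ($User.LastLogonDate -lt $Cutoff)
            }
        }
}

# Write dated CSVs so each review is retained as compliance evidence.
$Stamp = Get-Date -Format 'yyyy-MM-dd'
$Enabled | Export-Csv -NoTypeInformation -Path "enabled-users-$Stamp.csv"
$Stale   | Export-Csv -NoTypeInformation -Path "stale-enabled-users-$Stamp.csv"
$Remote  | Export-Csv -NoTypeInformation -Path "remote-access-members-$Stamp.csv"

# Summary for the person reading the review.
"Enabled accounts: $($Enabled.Count)"
"Enabled but stale (> $StaleDays days): $($Stale.Count)"
"Remote-access group members: $($Remote.Count)"
```

The stale list is a starting point, not a verdict: service accounts and shared clinical workstation logins can legitimately show no interactive logon, so each entry should be matched against the HR roster and the vendor list before it is disabled. Keeping the dated CSVs is what lets you demonstrate to OCR that the review actually happened.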

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.