HIPAA TIP: Essential Cybersecurity Practices

Implementing cybersecurity best practices is crucial for individuals and organizations to protect themselves against cyber risks. A strong foundation includes identifying, assessing, and responding to risks, considering the likelihood of events and their potential impacts.

During the annual HIPAA Risk Analysis, it’s essential to compile a list of risks or vulnerabilities to electronic Protected Health Information (ePHI) and Protected Health Information (PHI). This includes data stored in various formats, such as paper charts, computers, servers, web or cloud-based software systems, applications, cell phones, and machines or devices storing ePHI, like diagnostic machines and multi-function copiers with hard drives.

To secure ePHI and PHI, consider the following:

  1. Use unique IDs and passwords for all operating systems and applications containing ePHI; avoid shared or generic accounts.
  2. Implement a strong password policy: require a minimum of 8 characters, prohibit the use of first and last names in passwords, and restrict password reuse (e.g., the last 7 passwords cannot be reused, or passwords can never be reused). Pass-phrases are even better.
  3. Implement an account lockout policy for systems and applications containing ePHI (e.g., after 3-4 failed login attempts) and auto-lock accounts after 10-15 minutes of inactivity.
  4. Educate staff about being cautious before clicking on links or opening attachments in emails to prevent phishing attacks.
  5. Update software regularly and decommission all out-of-date or end-of-life devices.
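The password and lockout rules in items 2 and 3 can be expressed as checkable code. The following is an added example, not part of the original tip or any Anatomy IT product; the account model, the PBKDF2 hashing and the specific thresholds chosen from the page's ranges (lock after 3 failures, 10-minute idle lock) are assumptions.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass, field

MIN_LENGTH = 8                # page: minimum of 8 characters
HISTORY_DEPTH = 7             # page: cannot reuse the last 7 passwords
MAX_FAILED_ATTEMPTS = 3       # page: lock after 3-4 failed logins (assumed 3)
INACTIVITY_SECONDS = 10 * 60  # page: auto-lock after 10-15 minutes idle (assumed 10)

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    user_id: str          # unique per person (item 1: no shared accounts)
    first_name: str
    last_name: str
    history: list = field(default_factory=list)  # (salt, hash), newest last
    failed_attempts: int = 0
    locked: bool = False
    last_activity: float = 0.0

def password_policy_errors(acct: Account, candidate: str) -> list:
    """Return the policy rules a candidate password violates (empty = OK)."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append("too short")
    lowered = candidate.lower()
    if any(n and n.lower() in lowered for n in (acct.first_name, acct.last_name)):
        errors.append("contains name")
    # Compare against only the last HISTORY_DEPTH entries, in constant time.
    if any(hmac.compare_digest(_hash(candidate, s), h) for s, h in acct.history[-HISTORY_DEPTH:]):
        errors.append("reused")
    return errors

def set_password(acct: Account, candidate: str) -> list:
    errors = password_policy_errors(acct, candidate)
    if not errors:
        salt = os.urandom(16)
        acct.history.append((salt, _hash(candidate, salt)))
    return errors

def login(acct: Account, candidate: str, now: float = None) -> bool:
    """Verify a password; count failures and lock the account at the threshold."""
    now = time.monotonic() if now is None else now
    if acct.locked or not acct.history:
        return False
    salt, digest = acct.history[-1]
    if hmac.compare_digest(_hash(candidate, salt), digest):
        acct.failed_attempts, acct.last_activity = 0, now
        return True
    acct.failed_attempts += 1
    acct.locked = acct.failed_attempts >= MAX_FAILED_ATTEMPTS
    return False

def session_is_active(acct: Account, now: float) -> bool:
    # Idle sessions must re-authenticate after INACTIVITY_SECONDS.
    return not acct.locked and (now - acct.last_activity) <= INACTIVITY_SECONDS
```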

These practices are essential for maintaining the security of ePHI and PHI and reducing the risk of cybersecurity breaches.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.


Dawn Meglino

HIPAA Compliance Specialist, CHPSE, CCSA, CCAP