This week on the HIPAA Vault Show, we’re chatting about the biggest boo-boos website developers and owners tend to make when setting up a healthcare website under HIPAA rules. We’ve got some helpful tips to help you avoid these blunders and keep your site on the up-and-up. Tune in and let’s talk!

Transcript:


Adam
Hello and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliance in the cloud. Last week we talked about website tracking when it comes to HIPAA. This week, we’re going to talk about the top three mistakes to avoid when setting up your healthcare site. Joining to help me with this and for us to go through the main mistakes that users make when it comes to setting up healthcare sites is our CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil. 


Gil
Hey, Adam. Looking forward to today’s meeting. 


Adam
Yes, absolutely. So Gil, let’s dive straight into it. When it comes to mistakes to avoid when a website developer or a website owner is looking to set up their healthcare site for HIPAA compliance, what should they look out for? 


Gil
Yeah. This is a great topic, Adam. Thank you for putting this together. I think that the top four that we’re going to focus on today, I would say at the very top of this would be not enabling the two factor authentication. I’ve come across so many sites that have protected health information, and they don’t turn on the two factor authentication, which for those that are less familiar, when you sign in, you put in your username and your password. That’s the typical. And then you hit submit. And when you hit submit, it sends a code to an email or a phone. And then you type that code in, you get in. So it’s another layer of security. And I’ve seen too many times where that hasn’t been enabled. And it’s not something that’s hard. The developers should be able to do that pretty easily. 


Adam
Okay. And that’s enabling 2FA for users that are logging in, developers or patients. 


Gil
Oh, good point. That would be really for the application. So the application is meant for the end user. Whoever the end user could be, the doctor, the patient, whoever’s using the application, they should have to put in the two factor. 


Adam
Okay, makes sense. 


Gil
And then the developers, that’s really another topic, so we’ll save that for later. But the developers, however, they log in to program and transfer their code. That should also be two factor. But right now we’re focused mainly on the end user of the application. 


Adam
Got it. Okay, so 2FA for users that might have any access to protected health information, what’s next? 


Gil
Well, since we started with technical, I think we should also stick with technical for the next item, and that’s to ensure that a vulnerability scan is run on a regular basis. The vulnerability scan is an application that scans the website. Typically it’s a website. The web application scans it, and then it produces a report. And the report shows any vulnerabilities that were discovered during the scan. And that’s very important because you could take that scan even if you’re not technical. Let’s say you’re a business owner, business manager, you should still be the one responsible to ensure that scan is run and that it’s delivered to the developers, the system administrator, and then they should look through that and patch any of the vulnerabilities. 


Gil
Now, as a business owner, the stakeholder, every month, they should look at that report and say, hey, wait a minute, last month I saw these vulnerabilities. This month I see the same ones. That would tell the manager that those particular vulnerabilities were not remediated, they weren’t closed. So then they can talk to their team and say, hey, these seem to be open month after month. We need to work on these and get these vulnerabilities closed up. And I would say it should be done monthly. I guess if you were super busy or just wanted to do it less frequently, then probably quarterly would be the next benchmark for that. 


Adam
So make sure not to skip out on regular vulnerability scanning. 


Gil
Yes, that’s right. 


Adam
All right, that’s pretty clear. What else is there? 


Gil
Well, those two were technical, so let’s take off our technical hat and we’ll put on our business hat. So from the business point of view, it’s important that the stakeholders have a business associate agreement signed with the cloud provider, the hosting provider, and that document, the BAA, as it’s called, Business Associate Agreement, is required for anyone who has an application that has protected health information. And then they’re going to be subcontracting or picking a vendor that’s going to host the site, whoever that vendor is, they should have a business associate agreement with the stakeholder, the main owner. And that’s an important step. It’s a legal requirement, so you want to make sure you do it for that reason. But secondly, it’s a signal to you as the stakeholder when your vendor, wherever your website lives, they say, yes, we’ll sign it. 


Gil
Then you have a good signal, meaning that this company knows what they’re talking about, they’re willing to sign it, they’re willing to accept responsibility for their end of the deal. If they don’t know what it is, like, what are you talking about? Or if they refuse to sign it or they don’t reply back. Those are bad signs. You should walk away from that and say, I’m going to move somewhere else. So that’s an important document to make sure you have that in your file. 


Adam
All right, fantastic. So that’s the top three mistakes to avoid when setting up your healthcare site. Gil, I know that we like to add as much value as possible on these videos, so I thought we could add maybe a fourth, bonus bit of advice. What do you have for us there? 


Gil
Well, I’m just looking over here to pick; there’s so many that we can go through, but these are really what we think are the top three or four. The next one would be the DIY. Those are your do it yourselfers. Those people that say, I’m going to save the money, I’m going to do this myself. Wow, what a can of worms, right? Pandora’s box. As soon as they say we’re going to do it ourselves, very difficult. So if a stakeholder is non technical, it’s going to be next to impossible. Even if they are technical, they won’t have the time and probably not even the experience, because you really need a compliance manager that knows compliance. 


Adam
Yeah, I always say that the problem with, sorry to interrupt, but the problem with DIY, do it yourself, is that you have to do it yourself, which, like you said, opens up a whole can of worms. 


Gil
Yes, that’s true. And the compliance manager is a professional that knows about how to ensure that compliance and the regulatory side of things is being met. And that’s a whole skill set. So you want to choose a cloud provider, hosting provider that has a compliance manager on board who will be looking at the vulnerability scans each month, do the remediation and manage that whole process. So that’s a good thing to ask. By the way, we’ll give another good tidbit of advice. That is, when you are searching for a home for your website that has health information, simply ask the new provider, well, what’s the name? Or who is your compliance manager? An easy question. And if they can’t give you the name, then they probably don’t have one. And then the next question to ask is, can I meet with them? 


Gil
I’d like to meet with them. I’d like to talk to them before I sign up for your services. And if you can’t meet with them, let’s say they do have one, and you see his picture or her picture on the website, but you’re not allowed to meet with them, they won’t give you the information. That’s not a good sign, because inevitably, through the course, through your journey of managing that website and you being the owner, you’re going to want to talk to the compliance manager from time to time. And so if they don’t allow you to do that, then that’s not good either. So I would definitely look to having at least an initial meeting with that person. 


Adam
Fantastic. Thank you for the insights there, Gil. So, just to sum up, the top three plus one mistakes to avoid when you’re setting up your healthcare sites. Number one, enabling two-factor authentication for all users that are accessing any sensitive information, making sure that you have a BAA in place with the cloud provider that’s hosting the website, vulnerability scanning on a regular basis to make sure that any changes or vulnerabilities are found with the website and remediated consistently with HIPAA. And then the fourth and final one is avoid do it yourself. We have a question for the audience today, Gil, and that is, what mistakes have you come across making when setting up your healthcare site, if any? Leave us a comment and we’d be really interested to hear about it. 


Adam
You can also ask us any questions you might have, send them by email to podcast@hipaavault.com or tweet us at @hipaahosting. And that’s it for this episode. Make sure to subscribe and leave us a review if you enjoyed this episode. Until next time, thanks for stopping by.