CAST Case Study: Multi-Year Strategic Plan Yields HIPAA Compliance

CAST | February 14, 2018 | by Donna Childress

The Asbury Group and BlueOrange Compliance help Broadmead improve cybersecurity and compliance.

In a recent CAST case study, Broadmead, a LeadingAge Provider Member life plan community, wanted to protect its residents’ electronic protected health information (ePHI) and comply with the HIPAA Security Rule. 

First, this community in Cockeysville, MD, asked critical questions. Where do we start without in-house expertise? How do we leverage technology to aid in the effort? How can we afford the high cost associated with compliance? 

Ultimately, Broadmead partnered with LeadingAge CAST Patron The Asbury Group Integrated Technologies (Asbury-IT). Together, they enhanced compliance, system security and information privacy, cybersecurity resilience and business continuity, and more.

A Phased Approach

Working closely with the Compliance Committee, Asbury-IT laid out a phased approach encompassing four elements:

  • Education: Asbury-IT educated Broadmead on the different project phases, the Security Rule, and potential options for compliance. 
  • Cybersecurity Maturity Assessments: Asbury-IT conducted a foundational assessment to establish the baseline for Broadmead's cybersecurity maturity.
  • Corrective Action Plan: This plan was risk-based and focused on technologies that required minimal overhead. Because Broadmead's cybersecurity environment was very immature when it first partnered with Asbury-IT, the cost of compliance seemed prohibitive. In the first year of a strategic multi-year plan, Broadmead focused on low-cost corrective actions; more expensive technologies were budgeted for future years.
  • HIPAA Security Rule Assessment: In 2017, with Broadmead’s cybersecurity maturity at a higher level, Broadmead and Asbury-IT partnered with LeadingAge CAST Supporter BlueOrange Compliance for a HIPAA Security Rule and risk assessment, which confirmed that Broadmead's cybersecurity plan and approach were successful.

Outcomes

Outcomes were positive and included avoidance of data breaches and the penalties that follow them, avoidance of ransom demands, detection of phishing and hacking attempts, protection against lost or leaked data, and enhanced system security and information privacy. The effort also improved Broadmead’s cybersecurity resilience and business continuity, compliance, and staff education about data security and privacy.

Lessons Learned

Broadmead learned that planning for, phasing, implementing, monitoring, and operationalizing a cybersecurity plan to ensure readiness for the HIPAA Security Rule can overwhelm IT departments, many of which lack a trained cybersecurity officer. Organizations facing this challenge should bring in an experienced partner to assess their maturity and recommend a corrective plan of action.
 
The community also shared these lessons learned and pitfalls to avoid:

  • The corrective action plan is dynamic; it will change along the way as technology, the nature of threats, and the economy change.
  • Focus on ensuring that your foundational IT is an enabler to cybersecurity.
  • Prioritize tasks by risk.
  • Secure C-Suite sponsorship and support, which is essential to clearing hurdles.
  • Don’t go “down the rabbit hole” trying to make everything perfect.
  • Don’t buy into cybersecurity product marketing hype.
  • Don’t go it alone if you lack subject matter expertise.


Interested in Cybersecurity?

Make sure you attend CAST’s Technology Forum educational sessions, and visit the Cybersecurity Zone in BaseCamp, at the PEAK Leadership Summit. The summit will be held March 18-21, 2018, in Washington, DC.