HIPAA Compliance vs. Security…Why Not Both?
Happy Birthday, HIPAA! An Ode to the Intersection of Compliance and Security
The recent celebration of HIPAA’s birthday inspired us to write a blog for our healthcare customers regarding HIPAA compliance. In this blog, you’ll read a high-level overview of HIPAA’s history, the top three patterns for data breaches impacting healthcare organizations according to the 2020 Verizon Data Breach Investigations Report, and how to reduce the impact of a data breach. For additional help and resources, contact our security experts to learn more.
The Health Insurance Portability and Accountability Act (HIPAA) turned 24 years old on August 21, 2020. As is typical on birthdays, it is a great time to reflect on the regulation and on where healthcare organizations struggle, even when demonstrating compliance. Despite its age and its general reputation as a strict Federal regulation protecting patient medical records, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continually announces fines levied against organizations for violating HIPAA. The OCR levied over $15 million in penalties in 2019 alone. Comparatively speaking, 2020 has seen a relative downturn in the total dollar value of fines, with “only” $1.1 million in fines as of August 2020. Many healthcare IT professionals and healthcare information security professionals view HIPAA compliance as a “check-the-box” exercise rather than as one piece of a bigger effort: ensuring the security of the organization’s electronic Protected Health Information (ePHI). But it is time to acknowledge that, as anyone 24 years old believes, it is grown up and should be taken seriously.
HIPAA Privacy Rule and Security Rule
HIPAA was enacted on August 21, 1996, when President William Clinton signed the legislation into law. At its core, HIPAA is primarily made up of the Privacy Rule and the Security Rule. Compliance with the Privacy Rule was required by all healthcare organizations by 2004, while compliance with the Security Rule was required by all healthcare organizations by 2006.
The Privacy Rule establishes a set of national standards for safeguarding individually identifiable protected health information (PHI) by covered entities, such as health plans, health care clearinghouses, and health care providers that perform health care transactions electronically.
The Security Rule likewise establishes a set of national standards for safeguarding the confidentiality, integrity, and availability of ePHI. While the Privacy Rule sets the standards for who may have access, the Security Rule sets the standards for the safeguards around that data, including administrative, physical, and technical safeguards. For example, a doctor needs to have access to a patient’s health data. However, if that doctor switches roles or leaves the practice, they should no longer have access to patient data. There need to be administrative, physical, and technical measures that will prevent future access to that data. Think of the Privacy Rule as the list of attendees to the party, while the Security Rule is the bouncer.
When a HIPAA Data Breach Happens
According to the 2020 Verizon Data Breach Investigations Report, 13th Edition (DBIR), the top three breach patterns account for 72% of healthcare data breaches.
It is important to take a closer look at these patterns (plus an additional pattern added by this author) while also examining potential safeguards.
1. Miscellaneous Errors are unintentional events that lead to cybersecurity incidents or the unauthorized disclosure of data. In the healthcare sector, this includes accidentally sharing medical records with the wrong patient and improper disposal or storage of PHI. It can also include the release of intellectual property, employee data, organizational financials, etc. The often-used cliché in the cybersecurity industry still holds true: people are the weakest link in any discussion about safeguarding sensitive data, especially PHI or ePHI. Healthcare organizations are especially prone to eschewing standard information security practices in favor of convenience and speed. Cultivating a workplace culture and atmosphere where data privacy and security preparedness are held in the same high regard as patient care and safety should be the goal. To achieve this goal, Security Awareness Training and Education for healthcare employees must be formalized and nurtured on an ongoing basis to reduce the instances of miscellaneous errors. Knowledge is power, and equipping employees with the right security knowledge can prove to be an important benefit.
2. Web Application breaches are attacks against internet-facing applications (e.g., patient portals). According to the DBIR, attacks against web applications generally leverage vulnerabilities in the application code or in the infrastructure supporting the application. Healthcare organizations typically operate in a manner where most of the funding supports patient care activities, and rightfully so. However, non-patient care operations such as Information Technology and cybersecurity may not receive the funding and associated support that organizations need to operate securely. Many organizations, especially in healthcare, do not have the ongoing resources to stop all attacks against applications. As such, organizations should focus on reducing the potential impact of an attack by ensuring they have deployed a robust vulnerability management program with continuous monitoring.
3. Everything Else is a broad category meant to encompass activities like Phishing and Social Engineering. Everyone is susceptible to being socially engineered, given the right circumstances. Scammers and attackers tailor their phishing attacks to seasonally themed events (e.g., tax season, elections, etc.). Even large-scale events such as COVID-19, the September 11, 2001, terrorist attacks, natural disasters, and others are common lures for those looking to exploit people through social engineering tactics. Healthcare workers are ripe targets for phishing campaigns and social engineering based on their role within the organization and their access to highly sensitive data. For example, many healthcare employees have access to information like intellectual property, PHI, employee data, organizational financials, etc. In July 2020, Twitter was hacked via phishing. In this particular social engineering attack, a 17-year-old convinced a Twitter employee that he was a co-worker in its Technology Department. Similar to what was noted under Miscellaneous Errors, the best safeguard or countermeasure for phishing and social engineering is ongoing and formalized Security Awareness Training and Education for healthcare employees. Formalized training helps reduce the potential of falling prey to a phishing attack or social engineering scam through enhanced awareness and vigilance.
4. One more party crasher not mentioned in the DBIR, but that we feel deserves to be on the list, is Third-Party Risk Management (TPRM), also known as Vendor Management. A chain is only as strong as its weakest link. This notion holds true for healthcare organizations that rely on third-party suppliers to carry out their health care functions and activities. The Privacy Rule requires healthcare organizations to receive assurances from suppliers, or business associates, that the supplier will protect the data it receives from the health care organization or any data it creates on behalf of the health care organization. The Privacy Rule’s expectation is that all assurances are documented as a contract or agreement between the health care organization and the business associate. Unfortunately, HIPAA goes no further in requiring healthcare organizations to perform an initial review or continuous monitoring of suppliers and vendors. Cybersecurity best practice suggests that organizations should have a TPRM program that ranks vendors based on the services they provide and the types of data they might be accessing. These risk ratings help healthcare organizations focus the necessary time and attention on those vendors where it is needed. For a deeper dive into inherent risk tiering, consider reading the blog by Adam Cummings, “Inherent Risk Tiering for Third-Party Vendor Assessments.”
While security needs to be built into the whole of any organization’s structure, the reality is that errors happen, and breaches need to be resolved as quickly as possible. Here are high-level tips for avoiding potential HIPAA violations.
Manage Risk. Perform a thorough risk assessment of your environment in compliance with the Security Rule. Let the results of that assessment guide you in terms of where to best devote your limited time and resources. Document those results and update your risk assessment at least annually.
Encrypt, Encrypt, Encrypt. While the Security Rule designates encryption as an addressable rather than a required implementation specification, health care organizations should opt to encrypt their data with an industry-standard encryption algorithm, such as AES-256, and strictly manage the decryption keys. If an organization cannot implement encryption, devalue the data by other means, such as tokenization.
Back it Up. Back up all your data, and do it often. Malware is constantly evolving. Do not allow your environment to be held hostage by ransomware because your recovery process cannot restore your systems to a last known good state that is recent enough to support patient care and business operations.
Log it. Ensure that all systems are configured to display a warning banner notifying users that all access is monitored and tracked. Log all activity and perform regular system log review.
Awareness Training. Level up your security awareness training and education program to include refresher training on the importance of data privacy for all employees, with a special emphasis on employees that have access to ePHI.
TPRM Program. When considering outsourcing or engaging a third party to perform a service or activity on behalf of your healthcare organization, ensure that proper due diligence has been completed. Once fully engaged with that vendor, calculate the associated risk to dictate the depth and frequency of the ongoing review.
Seek Help. There are many cybersecurity consulting firms, like MindPoint Group, that specialize in cybersecurity. We’ve helped customers improve their security posture, and we can use our wealth of knowledge to help healthcare organizations like yours. You don’t have to go it alone!
There are no magic buttons that will instantly yield HIPAA compliance. At its foundation, HIPAA compliance has always been about performing the basics of information security to ensure patient medical records are safeguarded. From an information security perspective, compliance with a regulation such as HIPAA should never be the organizational goal. Rather, the goal should be to ensure the security of the data; HIPAA compliance will follow. Compliance is only the beginning; security of the data should be the ongoing mission. So once again, join me in wishing HIPAA a Happy 24th Birthday. Let’s have some cake!
As a healthcare organization, are you struggling to ensure the security of the ePHI data you create, store, or transmit? Let the data privacy and information security subject matter experts at MindPoint Group help you secure your data and improve your overall security program and posture, while enabling your organization to demonstrate compliance with HIPAA. Contact us to learn more.