The Health Insurance Portability and Accountability Act (HIPAA) was put in place in 1996 to continuously develop regulations protecting the privacy and security of electronic protected health information, or ePHI as it is commonly known.
It is predominantly broken down into two parts: the HIPAA Privacy Rule and the HIPAA Security Rule.
The privacy rule establishes national standards for the protection of certain health information whereas the security rule enforces a set of security standards for protecting health information that is stored or transferred in electronic form.
The rule applies to organisations referred to as covered entities. Covered entities include health plans, clearing houses and a myriad of healthcare providers such as doctors, nursing homes, dentists and psychologists, to name a few.
The rule was developed by the US Department of Health and Human Services (HHS). Within the HHS, the Office for Civil Rights (OCR) has the responsibility for enforcing the privacy and security rules, and a violation can (and quite often will) result in noncompliance penalties and fines imposed on the violating organisation.
The rule has had many adaptations since it went into effect in 1996, the last significant update being made in 2013. This is due to the advancements and evolution of technology, which are changing the way in which individuals interact with and gain access to ePHI.
The most notable updates were made in 2003, 2006, 2009 and 2013.
How has HIPAA Changed Cybersecurity?
So, we know that in the cybersecurity world a lot has changed since 1996, or even since 2013 for that matter. We tend to see organisations today still heavily focusing on and investing in technology to protect their IT infrastructure from the outside in, when really we should be investing more time and money into protecting from the inside out.
From a technology perspective, we see employees commonly using their own devices to gain access to this data, sometimes from insecure locations outside of the corporate network.
Today we are more connected than ever, with access to an immeasurable number of internet-connected devices and applications generating and accessing vast amounts of personal data that could easily be intercepted if accessed through an insecure device, service or connection.
Healthcare data is high in value both from a monetary perspective and from an "information worth publicising" perspective, and hackers understand this very well. The way in which they gain access to this data is more sophisticated than ever before. They are adopting traditional techniques for gaining access to the data, such as social engineering and spear phishing attacks. The attacks are well thought out, advanced and targeted at specific individuals at specific times of the year within an organisation to yield maximum results in accessing data. This may be done by exploiting vulnerabilities to initiate a ransomware attack, or by stealthily gaining access to public health records to sell on for financial gain. Hackers may even just expose a targeted organisation to highlight the security flaws within it.
How are Healthcare Organizations Coping with HIPAA?
In 2016 the number of healthcare records exposed was significantly lower than in 2015; however, the total number of breaches reported by HIPAA covered entities and their business associates was the highest seen since the rule was enforced.
Some of those breaches include Advocate Health Care, with a $5.55 million settlement, the Feinstein Institute for Medical Research, with a $3.9 million settlement, and the University of Mississippi Medical Center, which was asked to pay $2.75 million.
For 2017, however, it is still too early to determine the total number of breaches reported, as organisations have up to 60 days to report data breaches to the OCR; this means we will have to wait until next month to really know. We can, however, see that the breaches reported so far are fewer than in previous years. Despite this, drastic improvements are still needed: just this month a Texas hospital (to name one of many) was penalised $3.2 million for HIPAA violations.
HIPAA Compliance – A Breakdown
The HIPAA security rule states that covered entities should:
- Ensure the confidentiality, integrity and availability of all PHI they create, receive, store and transfer
- Identify and protect against threats to the security and integrity of PHI
- Protect against prohibited use or disclosures of PHI
- Ensure all employees and business associates are trained when handling or interacting with PHI
Some aspects that the covered entity is required to consider when deciding the security measures to use are:
- The size, complexity and capability of the organisation
- The complete IT infrastructure including all hardware and software
- The cost to implement the appropriate security measures
- The likelihood and possible impact of the potential risk to protected health information
Approaching HIPAA in your Organization
As the threat landscape evolves and new technologies are introduced, it follows that an organisation's approach to being HIPAA compliant should also evolve. We suggest that, in the interest of the organisation and the responsibility it has to its patients, clients and business partners, it regularly reviews, adjusts and implements continuous security controls that align with the rule. A suggested approach could be:
- Perform a periodic risk analysis within your organisation
- Regularly review all administrative, physical and technical safeguards surrounding PHI
- Continuously audit and review identities, systems, access attempts and privileges surrounding PHI
- Educate employees and business associates on the importance of integrity and security surrounding PHI
The HIPAA rule is extensive across both the privacy and security rules, and each section is clearly broken down into parts and subparts. Within the general administrative requirements, LepideAuditor predominantly helps with Part 164 (Security and Privacy), Subpart C (Security Standards for the Protection of Electronic Protected Health Information).
How LepideAuditor Helps Meet HIPAA Compliance
164.308 & 164.312 Facilitating Administrative and Technical Safeguards
Here are a few examples of how we help with the Administrative Safeguards in the HIPAA security rule:
- Holistic view of activity across all systems surrounding PHI
- Identify and automate the protection of inactive user identities within Active Directory
- Full audit trail of access levels, access attempts and modifications on the data and surrounding systems granting access to the data
- Immediate breach notifications based upon unusual levels of activity or anomalous behaviour
- Automatic response mechanisms to a potential data breach or attack
- Restoration capabilities surrounding unauthorised group membership adjustments and group policy modifications
- Audit reports to clearly demonstrate permission changes over a given period
- Provide full details of all changes taking place across your IT infrastructure
- Identify system access attempts through logon/logoff activity
- Automate the generation, schedule and delivery of audit reports
- Role-based access to audit data
164.316 Policies and Procedures and Documentation Requirements
- Automate the generation, schedule and delivery of audit reports and alerts
- Archive the audit data for as long as required or recommended
- Customizable data search to provide bespoke evidence to the OCR
In conclusion, although we have not seen individual data breaches on the scale (in size) of those reported in 2015, through 2016 we saw the highest number of individually reported incidents, indicating that there is still extensive room for improvement in the protection of healthcare data in the US. We can also assume that the HIPAA rule will naturally evolve alongside the technological and social world; therefore, so should our approach and attitude. By adopting and embracing these compliance regulations, we protect our organisations, our patients and our customers, building trust and confidence throughout.