Five worthy reads is a regular column on five noteworthy items we discovered while researching trending and timeless topics. In this week’s edition, let’s explore the role of HIPAA compliance in the cybersecurity era.
HIPAA stands for the Health Insurance Portability and Accountability Act, a federal statute in the United States that mandates data protection by any person or organization that creates, stores, transmits, or uses an individual’s protected health information (PHI). Its privacy rule guarantees each individual’s rights over their own health information. A lot of PHI is stored on endpoints like local drives, hard disks, cloud storage, and USB drives, and protecting this sensitive data from attacks is the healthcare industry’s biggest challenge. PHI identifiers include any demographic information that can be used to identify an individual, such as name, photos, Social Security number, birth date, contact number, email address, medical record number, and biometric elements.
There are two types of entities that must be HIPAA compliant: covered entities and business associates. Covered entities are healthcare providers, health insurance plans, and healthcare clearinghouses that are directly involved in the creation of PHI. A business associate is any organization hired by a covered entity or by another business associate to handle PHI; common examples include MSPs, EHR vendors, medical billing services, cloud storage providers, and shredding services.
HIPAA training is widely mandated at companies that handle PHI. It provides the necessary guidance on the permitted uses and disclosures of PHI, how to protect it, and what to do when it is breached. Even with mandated HIPAA training, annual assessments and audits, and data protected by today’s strong encryption methods, does the 25-year-old HIPAA keep up with modern cybersecurity trends? Are HIPAA regulations sufficient to prevent data leakage and attacks?
A recent industry study states that 82% of healthcare organizations globally have endured an IoT cyberattack during the past year and a half, and that there was a 40% increase in average weekly cyberattacks on all organizations globally in 2021 compared to 2020. HIPAA was established in 1996, and these old guidelines can reduce cybersecurity attacks but might not be sufficient to provide the best safeguards. While some regulatory revisions have been enacted, the HIPAA rules have not kept pace with what is required from a technology perspective. When the 2009 HITECH Act became law, four years passed before the 2013 HIPAA Omnibus Rule became effective, and more than seven years have passed since then without another major update. On January 5, 2021, a new law was signed amending the HITECH Act. The HIPAA Safe Harbor Bill will incentivize organizations to voluntarily adopt best cybersecurity practices.
Here are five interesting reads on the role of HIPAA compliance in the cybersecurity era.
Being HIPAA compliant not only saves your organization from hefty fines from the federal government, it also strengthens your network security and protects sensitive data from unwelcome eyes. There are three parts to the HIPAA compliance process: first, documentation, which involves a risk assessment to identify what changes need to be made; second, annual training for your employees on both HIPAA and the organization’s security policies and procedures; and third, implementation.
In the digital era, data breaches are constantly on the rise, which shows that simply being HIPAA compliant is not enough. HIPAA sets minimum standards for security, but it does not guarantee protection against hacks and breaches. Healthcare organizations must invest in emerging technologies like cloud-based environments, take control of their assets and limit access, and enforce a risk management protocol and a robust security policy.
In the cybersecurity era, sensitive patient data is saved and maintained digitally and must be protected from hackers, identity thieves, and spammers. With the growing threat, healthcare organizations are investing heavily in cybersecurity and hiring cybersecurity experts whose role is to keep the data protected and make sure it is available only to authorized personnel. The HIPAA privacy rule might help with security, but it seems to meet only the minimum standards. Organizations must take action beyond basic HIPAA compliance to ensure they are protected from an increasing number of threat actors. The National Institute of Standards and Technology (NIST) publishes guidelines and a framework for organizations. Together, the HIPAA security rule and NIST’s framework help organizations reduce cybersecurity risks.
At the core of HIPAA is the security rule, also known as the Security Standards for the Protection of Electronic Protected Health Information, which describes the safeguards organizations need to have in place to properly handle electronic protected health information. It is best understood in conjunction with the privacy rule, also known as the Standards for Privacy of Individually Identifiable Health Information, which was created to set national standards ensuring that confidential health data is properly protected. This article addresses insider threats and personnel training as two strategies for increasing healthcare cybersecurity. Crucial for maintaining HIPAA compliance, cybersecurity requires organizations to look at insider threats as much as external threats and to educate individuals on the best ways to detect and report them.
The healthcare sector is a prime target for cybercriminals. Unlike in banking and other sectors, medical identity theft might not be immediately identified and stopped by patients or healthcare providers, often giving cybercriminals years to exploit a patient’s stolen identity and credentials. This makes medical data 50 times more valuable to cybercriminals than credit card information. Healthcare organizations can take advantage of the newly enacted HIPAA Safe Harbor law, which recognizes that cyberattacks are not always preventable and that hefty fines are not a solution or remedy. This law amends the HITECH Act and requires the US Department of Health and Human Services to recognize the good cybersecurity practices an organization already has in place when investigating a data breach, and to be more lenient with penalties, as appropriate.