Every organization, regardless of market sector or business size, must secure its data to minimize data leakage and other security incidents. The importance of data security in healthcare is compounded by the need to comply with the Health Insurance Portability and Accountability Act (HIPAA). This article describes data protection strategies and tactics healthcare organizations can use to comply with the key provisions of HIPAA, and explores the most common threats to data security in healthcare.
HIPAA data security and privacy rules
Technical professionals in healthcare organizations are responsible for protecting healthcare information against security threats and security risks. Both external hackers and malicious insiders are constantly attempting to gain access to electronic protected health information (e-PHI), usually for financial gain from selling the information, identity theft or blackmail. Protected health information comprises all information that relates to a person’s past, present or future health or condition (mental or physical). This includes data about medical services rendered, payments for health care and health insurance benefits.
HIPAA was enacted in 1996 to force healthcare organizations to improve their data security. It includes multiple requirements that govern how healthcare organizations must work with healthcare information. For example, they must protect the privacy of personal health information by restricting the use or disclosure of that information without patient authorization.
HIPAA includes two key components: the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule regulates who can have access to PHI and how it can be used and disclosed. The key requirements are as follows:
- You must implement policies and procedures that restrict access to and use of protected health information based on employees’ roles. Protected health information should not be accessible to any employee who doesn’t need access, such as an office manager or a security
- You must implement policies and procedures that limit use and disclosure of PHI to the minimum necessary. For example, if an insurance company needs a person’s name, Social Security number and details of their most recent medical procedure, the privacy rule requires you to not send the person’s entire medical records.
- You must obtain a person’s authorization in writing use before disclosing their protected health information. For example, if you plan to send personal health information to a pharmaceutical company, you need to obtain the person’s authorization in writing first.
There are potential civil and criminal penalties for not adhering to the HIPAA Privacy Rule. While some states have their own rules, HIPAA is a federal requirement that overrides conflicting rules at the state level. Covered entities under HIPAA include not only healthcare providers like hospitals and nursing homes, but also health plans (health insurance companies, HMOs, etc.) and healthcare clearing houses (entities that process health information they receive from other entities).
HIPAA Security Rule
The HIPAA Security Rule requires healthcare organizations to protect ePHI using appropriate administrative, physical and technical safeguards. Specifically, the Security Rule requires covered entities to do the following:
- Ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit. This rule requires you ensure data confidentiality, integrity and availability (CIA, or the “CIA triad”). Let’s look at the rule’s component individually:
- Confidentiality. You can help ensure confidentiality by implementing security controls such as access control lists (ACLs) and encryption. Encryption provides higher security and confidentiality than ACLs. Other security controls or software are often layered on top of ACLs and encryption; these can include configuration management software, monitoring and alerting software, and auditing software.
- Integrity. Data integrity means that the data hasn’t been altered. For instance, if a man-in-the-middle attack intercepts and alters data before sending it to its original destination, the data doesn’t have integrity. One way to ensure integrity is to use a digital signature or a hash. For data stored in databases, you need to ensure entity integrity, referential integrity and domain
- Availability. Sometimes people forget that availability is a key element of data security. To ensure people can access the data they need, organizations can implement various solutions, such as replication from the primary data center to a secondary data Load balancers, redundant hardware and other strategies can also help ensure high availability.
- Identify and protect against reasonably anticipated threats to the security or integrity of protected information. This rule requires some interpretation. Many organizations error on the side of caution and include as many threats as possible, going so far as to include their entire supply chain or restrict the use of mobile devices in certain areas of their facilities. This strict interpretation helps ensure they meet the security rule requirements. In any case, reasonable threats certainly include improper data modification, unauthorized data access and data These and other threats are discussed in more detail later this article.
- Protect against reasonably anticipated impermissible uses or disclosures. This rule is also open to interpretation. Is it reasonable to anticipate that an employee might reveal protected health information to a patient’s friend? Might a doctor report some patient records or patient health details to the media if a celebrity is being treated? This rule might require you to consider such cases.
- Ensure compliance by their workforce. This rule covers some of the administrative safeguards needed to adhere to the Security Rule. To ensure compliance, you need to educate your workforce. They should understand at a high level what HIPAA is and the role they play in compliance, as well as your organization’s security policies and procedures. Repeated training throughout the year is needed to ensure employees learn about new requirements or methods. Be sure to implement regular testing as well, and follow up with additional training for individuals who need it.
HIPAA Enforcement Rule
Beyond the Privacy Rule and Security Rule, you should also be familiar with the HIPAA Enforcement Rule, which concerns compliance, investigations and penalties.
The Health Information Technology for Economic and Clinical Health (HITECH) Act expands the scope of HIPAA. It promotes the use of electronic health records, increases liability for non-compliance, regulates breach notification, and requires certain business associates of HIPAA-covered organizations to comply with HIPAA.
Strategies for HIPAA Compliance
Clearly, HIPAA compliance is a complex undertaking and the risks for failure are high. There are multiple resources that can help you achieve and maintain a HIPAA-compliant IT environment.
The National Institute of Standards and Technology (NIST) establishes national standards and offers free IT security resources, such as frameworks like the NIST Cybersecurity Framework. Their introductory guide can help your organization comply with the HIPAA Security Rule.
The Health Information Trust Alliance (HITRUST) is a non-profit organization whose mission is to help organizations safeguard their sensitive data. Their Common Security Framework (CSF) is a framework that makes it easier for organizations to comply with HIPAA and other laws, and it offers good interoperability with other frameworks and standards. While HIPAA is not a certifiable standard, healthcare organizations can become HITRUST-certified.
Biggest threats to the security of healthcare data
The healthcare industry faces many of the same threats to data security as other sectors. The primary difference is that for healthcare organizations, healthcare data is usually the ultimate target, rather than trade secrets or financial records. Here are the top threats and potential security incidents:
- Data breach. In general, when someone accesses information without authorization, it is a data breach, whether the person is an insider with malicious intent, a hacker or just an overly curious employee. However, the following cases of PHI disclosure are not considered data breaches under HIPAA:
- A person accidentally accesses or uses PHI “in good faith and within the scope of authority” and does not further disclose the PHI in a manner not permitted by the Privacy Rule.
- An authorized person accidentally discloses PHI with another authorized person at the same organization and does not further disclose the PHI in a manner that is not compliant with the Privacy Rule.
- An authorized person disclosed data to someone improperly but believes in good faith that they will not be able to retain the data.
When organizations discover a data breach, they must provide breach notification as specified by the HIPAA Breach Notification Rule.
- Data exfiltration. Data exfiltration is the copying of information to an unauthorized location. Most cases of data exfiltration involve copying data to an unauthorized location outside of the organization. Other common terms for this are data leakage and data exfiltration. The data breach notification rule applies to data exfiltration as well as data breach.
- Ransomware attacks. Ransomware is a type of malicious software that denies you access to a computer or data on that computer by encrypting the data. To get your data back, you must either pay a ransom or restore from backup. Ransom payments are often arranged through untraceable digital currencies, such as Bitcoin. According to Coveware research, healthcare ranked third among industries targeted by ransomware attacks in 2019. This situation is unlikely to change for the better, because attackers understand that the urgency of restoring data required for medical treatment means they are more likely to get paid. However, paying the ransom does not guarantee you’ll actually get a decryption key; therefore, the best strategy for ensuring you can recover from ransomware attacks is having offline backups.
- Other cyber threats. A variety of other cyber threats put healthcare organizations at risk. While many attacks aim to steal electronic healthcare data, others strive to take devices, systems or services Healthcare organizations are top targets for all sorts of cyber attacks, since, as noted above, lack of availability of crucial systems or data can lead not just to fines and reputation damage but poor healthcare outcomes and even loss of life. Adoption of new technologies expands the attack surface; in particular, cloud security is an increasingly important concern for the healthcare sector.
Some healthcare organizations rely on internal IT teams to handle most of their technical needs, while others count on service providers or product vendors to implement or support their security management initiatives. No matter which strategy you choose, to properly protect PHI and comply with HIPAA, you need to make sure that both you and all of your business associates are taking the required measures to minimize the risk of health information being improperly disclosed, stolen or encrypted.