The healthcare industry, like most others, is obsessed with compliance.
And that makes sense. After all, fines for HIPAA non-compliance are at an all time high, so who wouldn’t make it a top priority?
But as we already know, compliance doesn’t equal security. Thousands of HIPAA compliant healthcare organizations are breached every year, and unless the framework is dramatically tightened in the near future the same will be true in 2017.
Equally, though, HIPAA compliance is 100 percent non-optional. No matter what other security measures you take as a healthcare organization, satisfying HIPAA compliance will always be a priority.
To help you navigate the healthcare security landscape, we’ll take a look at the requirements for HIPAA compliance… and where we think they fall short.
Concerned about ransomware? To understand how ransomware can damage your organization, and what you can do to stop it, download our definitive guide.
Assessing the HIPAA Security Framework
First off, it’s important to specify what we’re talking about. The HIPAA compliance framework has three primary sections, or ‘rules’:
HIPAA Security Rule - The minimum standards for protecting Electronic Protected Health Information (ePHI)
HIPAA Privacy Rule - How ePHI can be used and disclosed
HIPAA Breach Notification Rule - Steps that must be taken in the event of a breach
In this article we’ll be covering the security rule exclusively, which in turn has three sections: technical safeguards, physical safeguards, and administrative safeguards.
But before we get to that, let’s address a serious underlying problem.
The HIPAA framework is exclusively concerned with protecting ePHI, not with security in general which makes sense. After all, the Department of Health and Human Services (HHS) didn’t put the framework in place to protect healthcare organizations, but to protect healthcare users.
Put bluntly, the HHS doesn’t care if your organization is breached so long as no ePHI is compromised.
Keeping this firmly in mind, let’s move forward.
Technical Safeguards: Cyber Security 101
Chief among the requirements of the HIPAA security rule are the technical security controls that must be in place. Once again, you’ll immediately notice that the requirements are all based around maintaining the security and integrity of ePHI, not about preventing cyber attacks altogether.
- Access Control - There must be a centrally controlled system for allocating unique usernames and password facilities to each user. You must also have provisions in place to disclose ePHI in the event of an emergency.
- Authenticating ePHI - You must have a system in place to track access, alteration, and disposal of ePHI.
- Encryption - Whenever ePHI (including emails) travel beyond the confines of your network, they must be encrypted to National Institute of Standards and Technology (NIST) standards until they reach their intended recipient.
- Activity monitoring - There must be a record of who accesses ePHI, when it is accessed, and what it is used for.
- Automatic log-off - After a predetermined inactivity time limit, users should be logged out of sensitive systems.
Of course, there’s nothing wrong with these requirements. All of these facilities should be in place at any organization that routinely handles sensitive information.
However, they’re far from enough.
For instance, a very simple network security protocol could check all these requirements, but totally fail to defend against even the simplest cyber attack. Any threat actor, using freely downloadable exploit kits targeting known vulnerabilities in commonly used software, could compromise such a network in minutes.
And the worst thing? Unless ePHI was accessed directly via a (likely compromised) user account, you’d never even know.
Physical Safeguards: A Perennial Problem
For most industries, keeping unauthorized personnel away from secure areas is fairly easy. In healthcare organizations, though, people are wandering around all the time, and it’s much harder to identify who should or shouldn’t be allowed to access a certain area.
But once again, the HIPAA framework is only concerned about ePHI. As a result, the requirements focus heavily on securing servers, workstations, and mobile devices.
- Facility access controls - There must be a record of all personnel who have physical access to locations where ePHI is stored. This includes all staff, so don’t forget about cleaners, maintenance people, etc. Your processes must also include mechanisms to prevent unauthorized access, alteration, or theft.
- Workstation use - Use of workstations that can access ePHI must be restricted, and precautions must be taken to prevent screens displaying ePHI from being overlooked. An acceptable-use policy that covers these workstations must also be in place.
- Mobile devices - If you allow users to access ePHI via mobile devices, you must determine how that ePHI will be removed before the device is reused.
- Hardware - You must maintain an inventory of all hardware on which ePHI can be accessed or stored, and record the movements of each device. You must also make an exact copy of ePHI before a device is moved.
Once again, there would be huge problems with any healthcare network that exclusively focused on these controls. For a start, as we’ve mentioned several times before, medical devices pose a substantial threat to network security, but aren’t mentioned at all. They don’t directly interact with ePHI, but could still be used by a threat actor to gain unauthorized access to your network.
These safeguards also do nothing to prevent the single biggest cause of healthcare breaches: Physical loss or theft of devices.
Administrative Safeguards: Bringing it all Together
In essence, the HIPAA administrative safeguards are the framework inside which your other controls operate. In fact, if you do these right, you’ll start to see precisely why compliance is nowhere near enough.
Before anything else, you must appoint a security officer, who will hold ultimate responsibility for ensuring your organization meets its compliance obligations. Due to this, he or she will have to implement the following.
- Risk assessment - A risk assessment protocol must be in place, covering every area in which ePHI is being used. These assessments must identify all the ways in which a breach of ePHI might occur.
- Risk management - Risk assessments should be completed periodically, and the identified risks must be addressed.
- Security awareness training - This is a big one. You must train all employees to operate in a security conscious manner. They must understand your security policies, and adhere to security procedures. All of this training must be documented.
- Emergency planning - In case of emergencies, you must have a plan in place to maintain critical systems and processes while ensuring the integrity or ePHI. You must also have backups in place to restore ePHI in the event it is lost.
- Testing - Your emergency plan must be tested periodically to ensure it is fit for purpose.
- Third parties - ePHI must not be accessed by unauthorized third parties. If it must be accessed by third parties, signed agreements must be in place.
- Reporting - All employees (not just your security team) must know how and when to report security incidents, so that action can be taken to prevent a breach.
In all honesty, compliance wouldn't be a requirement if every healthcare organization enacted these administrative safeguards thoroughly. After all, a comprehensive risk assessment completed by a security professional would quickly identify dozens of necessary controls that aren’t mentioned at all in the compliance requirements. Compliance would be a byproduct of an effective security program.
But, of course, when organizations are focused purely on compliance, that doesn’t happen. Instead, many healthcare organizations have historically done the bare minimum required to comply with HIPAA requirements.
So is it any surprise, really, that 90 percent of healthcare organizations have been breached in the past two years? Or that nearly half have been breached five or more times in that period?
Ultimately, in order to move forward, the healthcare industry must acknowledge that HIPAA compliance is not enough. If your organization is ready to take a more active approach to cyber security, we’d love to help.
If you're considering Security Awareness Training, watch this on-demand webinar on "The Rise of Spear Phishing and How to Avoid Being the Next Headline."
To find out how you can dramatically reduce your organization’s chances of being breached, get in touch today.