The intersection of HIPAA compliance and data security

Between credit card data and digital health records, cybercriminals prefer the latter. A stolen credit card can be canceled. Electronic protected health information (ePHI) with its a treasure-trove of personally identifiable information offers a higher value on the Dark Web.

HIPAA compliance, specifically its Security Rule, establishes standards for protecting individuals’ electronic personal health information and provides administrative, physical and technical safeguards. HIPAA’s Security Rule dovetails nicely with IT security best practices.

Former Acting Deputy Director for HIPAA at the Department of Health and Human Services (HHS), Iliana L. Peters, spoke at our recent user summit on data security and patient safety.

Here are four takeaways from Peters’ presentation.

Importance of risk analysis
HIPAA requires healthcare entities to conduct an accurate and thorough assessment. The assessment is designed to reveal the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the organization.

According to Peters, organizations frequently underestimate the proliferation of ePHI within their environments. ePHI data exists in applications, computers, medical devices, message apps, mobile devices, memory cards, backup tapes and more, plus third parties who store, process or transmit ePHI data. A risk analysis must identify all ePHI created, maintained, received, or transmitted, regardless if the data travels inside or outside the organization.

Your risk analysis might also uncover the absence of business associate agreements. It’s a frequent flashpoint for OCR settlements. Many HIPAA violations come from a failure to have business associate agreements in place to govern the handling of personal health information.

“Before you disclose ePHI, you must have agreements in place with covered entities to maintain ePHI security and HIPAA compliance,” Peters said.

Defend against social engineering
Healthcare organizations and business associates with ePHI are the target of choice for cybercriminals. All organizations should follow cybersecurity best practices and focus on employee training to combat social engineering. For healthcare and related entities, it’s mandatory.

Like all businesses, healthcare organizations are subject to phishing attempts and ransomware attacks. That explains the importance of conducting a risk analysis and employee training. If you know where ePHI is vulnerable, you can take steps to address with IT defensive measures. The best defense against ransomware is a multi-pronged backup and recovery strategy.

Peters also stressed the importance of software patching and maintaining a patching schedule. Regular software updates help address security flaws favored by hackers.

Another must for cybersecurity is employee training such as simulated phishing attacks. Peters cites resources in her presentation like FTC’s Start with Security and OCR’s YouTube channel.

Address insider threat challenge
Healthcare also has an insider threat challenge. Peters refers to it as employee snooping. Whether it’s out of curiosity or for illicit gain, individuals without authorization gain access to patient data. It’s not just inappropriate access that could well result in a HIPAA violation. It can lead to criminal activity that captures the attention of state attorney generals.

According to Peters, one of the biggest risks of insider threat is when employees leave, and yet still have access to ePHI for data days or even weeks later. Check controls, policies and procedures that govern employee access to patient data. Given departing employees present a security risk, you should terminate their access immediately upon surrendering credentials.

Perform comprehensive, enterprise-wide risk management
Peters advocates that healthcare organizations seek out solutions that can perform comprehensive, enterprise-wide risk management. She also recommends outside counsel and cyber insurance that can help with things like post-incident forensic investigations.

Since the majority of OCR settlements relate to risk management, protecting ePHI data is an organizational priority. Compliance, legal and IT need to be connected and conversant. Stakeholders like department heads and the board require access to information without delay. HIPAA compliance demands record-keeping and accountability.

You also need a way to centrally locate and connect controls, policies, procedures and documents like business associate agreements. And it’s mandatory that you follow IT security best practices and training. You can manage all the above in a GRC platform that can perform integrated risk management.

Watch Peters’ presentation to delve deeper into the intersection of HIPAA compliance and data security. We just scratched the surface here with the importance of risk analysis, social engineering best practices and comprehensive, enterprise-wide risk management.

Related Articles