What does Cybersecurity have to do with HIPAA?
In today’s world of electronic health information (E-Health), HIPAA is much more than simply doctor’s charts and ID cards. The repository of healthcare data on an individual can range from personal and anecdotal, all the way to private and even sensitive information. The digital revolution has taken customer, insurance, and provider information into the cloud, and while this makes medical history easily accessible to those who need it for proper care, it also increases the potential risk to said information.
The U.S. Department of Health and Human Services (HHS) has gone to extreme lengths to ensure that E-Health data is securely recorded, stored, and transmitted. With a majority of data collection in an electronic format, the HIPAA Security Rule strives to ensure all parts of the system are in compliance, to ensure all involved employees are trained on the appropriate handling of data, and to ensure that companies are apprised and able to respond if/when a data breach occurs. The healthcare industry is constantly evolving, and so is the cybersecurity sector.
Who has all of this information, and what are their responsibilities?
A Primary Care Provider will be responsible for the generation and storage of a majority of this sensitive information, but there are several other entities with similar responsibilities. Dentists, Chiropractors, Insurance Companies, Nurses, and Clearinghouses are all held to the same HIPAA Security Rule requirements.
How tangible is the risk to my clients?
While the HIPAA Security Rule requires a minimum level of security, all involved must take care to remain vigilant with E-Health data. Achieving HIPAA compliance for your company is not a ‘final step’; remaining alert and informed of emerging risks is a continual process. In the first half of 2023 alone, 295 data breaches compromised the E-Health data of over 39 million individuals. While a data breach in and of itself is a major problem, it also carries a severe financial impact for the institution responsible for the breached information.
In a study published by the HHS, the average cost of a breach for a healthcare organization can exceed $400 per patient record exposed. This same study goes on to explain that those organizations able to address and report a breach within 100 days saved $1 million, while those prepared enough to take action and report within 30 days saved another $1 million.
The financial impact, however, goes far beyond settlements, fines, and architecture repair. The largest single breach occurred in 2015, when nearly 79 million individuals’ private information was compromised in the Anthem/Blue Shield cyberattack. While Anthem only had 37 million active enrollees nationwide in 2015, this breach included historical patient data all the way back to 2004. The fines and settlements totalled a staggering $56 million, though this figure is not all-inclusive. Anthem also provided identity repair and protection, as well as credit monitoring, to each impacted individual.
Arguably the most well-known data breach began in 2017, with the introduction of the WannaCry ransomware. Hundreds of thousands of machines and networks were compromised, affecting 150 countries. While not specifically an E-Health motivated attack, the WannaCry worm did not discriminate between industries and machines in its proliferation. One of the most impacted organizations was Britain’s National Health Service, which reported that 88 of the 260 healthcare trusts in its system were affected. Aside from the aforementioned financial impact, this attack locked patient records and images behind a Bitcoin ransom. This led to delays in non-essential surgeries, thousands of canceled appointments, and ambulances diverted to unaffected facilities.
What does the HIPAA Security Rule actually entail?
Risk Analysis and Management:
Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management process.
- The risk analysis process includes, but is not limited to:
  - Evaluating the likelihood and impact of potential risks to E-Health data.
  - Implementing appropriate security measures to address the risks identified.
  - Documenting the chosen security measures and, where required, the rationale for those measures.
  - Maintaining continuous, reasonable, and appropriate security protections.
- Security Management Process – A covered entity must identify and analyze potential risks and implement appropriate security.
- Security Personnel – A covered entity must designate a security official responsible for developing and implementing security policies and procedures.
- Information Access Management – A covered entity must limit access to E-Health data to the “minimum necessary” individuals.
- Workforce Training and Management – A covered entity must provide appropriate supervision of, and appropriate training for, all workforce members.
- Evaluation – A covered entity must perform periodic assessments of its security policies and procedures.
- Facility Access and Control – A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security – A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity must also have in place policies regarding the transfer, removal, disposal, and re-use of electronic media.
- Access Control – A covered entity must implement technical policies and procedures that allow only authorized persons to access E-Health data.
- Audit Controls – A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems.
- Integrity Controls – A covered entity must implement policies and procedures to ensure that E-Health data is not improperly altered or destroyed.
- Transmission Security – A covered entity must implement technical security measures that guard against unauthorized access to E-Health data that is being transmitted over an electronic network.
Required and Addressable Implementation Specifications:
- Covered entities are required to comply with every Security Rule “Standard.” However, the Security Rule categorizes certain implementation specifications within those standards as “addressable,” while others are “required.” The “required” implementation specifications must be implemented. The “addressable” designation does not mean that an implementation specification is optional. However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.
- Covered Entity Responsibilities – If a covered entity knows of an activity that constitutes a material breach or violation of the HIPAA obligations, the covered entity must take reasonable steps to end the violation.
- Business Associate Contracts – HHS developed regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009.
Policies and Procedures and Documentation Requirements:
- A covered entity must adopt reasonable and appropriate policies to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the last effective date, written security policies and written records of required actions.
- A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of E-Health data.
What to do with all of this information?
The HIPAA security rule is designed to protect patients, practices, and all of the personnel in-between. The complexity of the requirements is only matched by the complexity of the risk, but you are assuredly not alone in the fight for data protection. As mentioned, HIPAA compliance is only the first step in a continuous education.
How can you most effectively prepare your clients and staff to ensure mitigation of financial loss and treatment delays?
- Provide staff with cybersecurity training
  - Practicing good ‘cyber hygiene’ can prevent the majority of data breaches. Verizon reported that 74% of breaches were due to a human element.
- Require multi-factor authentication on devices housing E-Health data
  - While MFA is recognized as a secure practice for personal devices, the added layer of security for your clients and their patients may be what stands between you and a HIPAA violation.
- Keep software updated as recommended
  - When discussing the incredible impact of the WannaCry ransomware breach, an important piece of the puzzle is that Microsoft issued a Windows security patch a full month ahead of the attack. Devices that had been updated were not affected by the attack.
- Only retain necessary data on connected platforms
  - As evidenced by the Anthem breach in 2015, your exposure is not limited to active customers. Data on patients who were no longer enrolled with Anthem was also exposed in the leak.
If HIPAA compliance and continued education seem like a daunting task, let our team at Applied Tech alleviate any concerns your company may have, and protect your business and your patients.