Healthcare continues to be an emerging target for cyber villains seeking the newest and most lucrative sources of personally identifying data, not just to perpetrate one-time fraudulent financial transactions but to commit identity theft. While the financial industry used to be the biggest target, much has been implemented in that industry to thwart, detect and resolve attacks and breaches. Now hackers are setting their sights on data stores housing larger sets of identifying data – patient demographics and payment information – and the healthcare industry is behind the curve on protecting that data. Consider the following statistics:
- 89% of healthcare organizations had at least one data breach involving the loss or theft of patient data in the past 24 months
- 45% had more than 5 breaches
- 61% of business associates had at least one data breach involving the loss or theft of patient data in the past 24 months
- Average total cost of a breach increased 23% in the past 2 years
- Sophisticated cyberattacks made up 31% of 2016 HIPAA data breaches – a 300% increase in 3 years
Sources: Ponemon Institute Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data 2016, IBM Ponemon 2015 Cost of Data Breach Study: Global Analysis, TrapX Security 2016 Year End Healthcare Cyber Breach Report
Providers are required to abide by HIPAA laws, including the HIPAA Security Rule, which is intended to protect electronic protected health information (ePHI). Providers also have a duty to report breaches according to HHS requirements. The challenge is that, while the regulations and requirements exist, they are not necessarily easy to interpret or to put into practice, especially for smaller physician practices that may not have the expertise or budget to implement the best protections. The best place to start is by completing a HIPAA Security Risk Assessment. Some practices may have a tech-knowledgeable staff resource to help. Others may want to consider hiring an IT resource with experience doing this kind of assessment.
The HIPAA Security Rule at a glance
There are 5 main areas providers need to address to meet HIPAA Security Rule requirements:
- Administrative Safeguards: All of the standards and implementation specifications found in the Administrative Safeguards section refer to administrative functions, such as the policies and procedures that must be in place for the management and execution of security measures. This includes the entire security management process related to the workforce, information access management, security awareness and training, contingency planning, and ensuring Business Associate Agreements (BAAs) are in place with your vendors.
- Physical Safeguards: The Security Rule’s physical safeguards are the physical measures, policies, and procedures to protect electronic information systems, buildings, and computing equipment.
- Technical Safeguards: The standards and implementation specifications found in the Technical Safeguards section refer to the technology, and the policies and procedures governing its use, that protect ePHI and control access to it. This covers access controls, audit measures, data integrity, and data transmission.
- Organizational Requirements: Organizational requirements include the standards for business associates under contract. This standard obligates business associates to protect ePHI in compliance with HIPAA, and to report violations or security incidents.
- Documentation Requirements: Documentation requirements address retention, availability and update requirements for supporting documentation such as policies, procedures, training and audits. Essentially this means document everything, make it available to those impacted, and evaluate it periodically for updates.
Now that you know some of the areas a HIPAA Security Risk Assessment should cover, let’s review some best practices for security management and IT.
Best Practices for Security Management
- Learn about the HIPAA Security Rule
- Engage a security team
- Identify all ePHI access/transmission points and staff/BAs that touch ePHI
- Conduct HIPAA Security Risk Assessment
- Assign a risk level to each area
- Identify security gaps
- Prioritize gaps to address based on risk
- Create a project plan to address gaps
- Establish a budget
- Address gaps
- Engage experts to help (Legal, IT, Forensics)
- Identify and train a Security Incident Response Team
- Start addressing gaps and document fixes (Good faith effort)
- Conduct ongoing security training
- Create, document, implement and monitor adherence to policies and procedures
- Implement employee sanctions for violations
- Assign a schedule to test policies and procedures
- Monitor security adherence and systems vigilantly
- Shore up physical security
- Ensure a BAA on file with every contractor
- Consider breach insurance
IT Practices to Support Security
- Always have a current backup
- Consider moving to a cloud environment
- Implement data recovery tools and processes
- Configure firewall to increase restrictions
- Boost password complexity and implement automated password-reset requirements
- Immediately remove access for departing employees
- Use at least two-factor authentication for sensitive system logins
- Grant access to third parties only when needed
- Enable auditing and logging for system access – and monitor
- Upgrade hardware and software
- Regularly scan internal and external systems for vulnerabilities
- Engage IT staff to train staff – phishing!
While a HIPAA Security Risk Analysis may sound daunting, it starts with understanding the Security Rule.
Download our newest eBook, A Physicians Guide to Interpreting the HIPAA Security Rule to help you get started.
– Kristen Heffernan