Check out the Essential Cybersecurity Compliance series:
- Essential Cybersecurity Compliance Standards
- Use PCI DSS Checklist with Automation
- Meet NIST Compliance Standards Using Automation
- Deliver ISO Compliance with Automation
More than in any other industry, compliance is a vital for healthcare organisations. The collecting and processing of protected health information (PHI), including personal and medical data, is necessary to provide patients with optimised healthcare options. However, the consequences of a breach of PHI can be devastating. Not only can it lead to reputational damage, financial loss, and legal liability, but breaches have resulted in harm to patients.
According to the HIPAA Journal's 2022 Healthcare Data Breach Report, 2022 ranked as the second-worst-ever year in terms of the number of reported breaches with 707 data breaches of 500 or more records reported.
These statistics emphasise the importance of HIPAA compliance in the healthcare industry and the need for ongoing efforts to improve data security and privacy.
Meeting HIPAA compliance requires you to ensure that the proper policies, procedures, and technical safeguards are in place to protect PHI. It’s your responsibility to ensure your organisation stays up-to-date with changes to HIPAA regulations and remains compliant with new requirements.
What is HIPAA?
Established in 1996, Health Insurance Portability And Accountability Act (HIPAA) aims to protect the privacy and security of sensitive health information. The HIPAA Security Rule protects a subset of information covered by the HIPAA Privacy Rule. Essentially, it focuses on what organisations need to do to protect electronic protected health information (e-PHI).
The Security Rule doesn’t dictate which security measures are used, as long as they are effective. However, they do require three standards of implementation also known as safeguards:
- Administrative: A risk analysis is required to determine what security measures are needed for your organisation. This should be an ongoing process.
- Physical: This refers to the security of the offices where e-PHI may be stored. The security measures must include facility access and control measures and workstation and device security.
- Technical: Measures, like firewalls, encryption, and data backup, are used to keep e-PHI secure and the safeguards must consist of access controls, audit controls, integrity controls, and transmission security.
According to the 2022 SonicWall Cyber Threat Report, healthcare continued a large spike in malware in 2021, at 121%. While the largest jump in IoT malware attacks belonged to healthcare, which saw a 71% year-over-year increase.
To shed light on the significance malware can carry, it’s important to look at how recent breaches could’ve been circumvented by abiding to the HIPAA rules and safeguards.
In May 2021, more than 205,000 patients of RMCHCS were notified of attempted data extortion that forced the hospital into electronic health record (HER) downtime. RMCHCS fell victim to an attack launched by Conti, a ransomware hacking group that actively targeted the healthcare industry throughout 2020.
It was later determined that Conti actors exfiltrated data, including social security numbers, passports, and patients’ protected health information (PHI), from the system for approximately two weeks from January 21 to February 5. RMCHCS reported they notified law enforcement immediately, but they didn’t start sending out notices until the end of April, which is cause for concern.
Since this was a ransomware attack, there is a clear lack of technical safeguards and regular risk assessments. While RMCHCS did notify patients of the breach, the lack of timeliness further compromises personal security and the integrity of the e-PHI. Patients should have been notified in a timely manner so they could close or alter their charts, update online portal or banking information, or request a new passport.
This Hartland, Wisconsin mailing and printing vendor fell victim to a ransomware attack on April 28, 2022. Over 2.6 million individuals over at least 34 organisations were impacted by the breach.
It was discovered that OneTouchPoint’s servers were compromised just a single day earlier, leaving sensitive data at risk. Over six weeks later, OneTouchPoint disclosed that the files contained customer data alongside sensitive information of current and former employees. This included names and addresses of customers and employees, subscriber, and healthcare member IDs, as well as diagnoses and medications of clients. This has led many of OneTouchPoint’s customers to offer credit monitoring and identity theft protection services to their members at their own cost.
At least one class action lawsuit has been filed against OneTouchPoint over the data breach.
Why this matters to you
As discussed, the CISO plays a crucial role in ensuring your organisation meets the HIPAA requirements. The following best practises can help you achieve compliance.
1. Understand the HIPAA Rules
The HIPAA Privacy Rule dictates how PHI can be used and disclosed in the healthcare sector. An overview of the rule gives you insight into patients' rights, including the right to access their medical records and to request corrections.
The HIPAA Security Rule provides you with the technical, physical, and administrative safeguards needed to protect customer PHI.
The HIPAA Breach Notification Rule requires that patients, the media, and the US Department of Health and Human Services (HHS) be notified if a data breach occurs.
2. Conduct a Risk Assessment
This involves identifying all the PHI your organisation collects, processes, and stores. Your risk assessment should also identify your organisation’s vulnerabilities that could put PHI at risk. This includes known internal or external cyber threats, theft or loss of physical devices, and your organisation’s likelihood of an attack based on your Cyber Risk Index.
3. Implement Policies and Procedures
Based on your risk assessment results, develop and implement policies and procedures that address each risk identified. This includes areas such as access control, data backup and recovery, incident response, and security awareness training for employees. Review and update these policies and procedures regularly to ensure they remain relevant.
4. Train Employees
Ensure your employees are updated on your organisation's policies and procedures. All employees who handle PHI must be aware of how to safeguard PHI and recognise the consequences of non-compliance. Regular security awareness training is necessary to ensure employees stay current with the latest threats and are familiar with best practises for protecting PHI.
5. Monitor and Audit
Frequently review your organisation's security measures, undergo penetration testing, and fulfil vulnerability assessments. This will keep you and your teams up to speed on emerging risks or threats to PHI and how to properly handle a breach. Regular auditing is key to staying compliant and prepared.
Consistent compliance with Trend Micro Cloud One™ – Conformity
Conformity helps organisations understand their level of HIPAA compliance. This is due to to real-time, automated service scans that are run against hundreds of compliance, best practise, and configuration cheques. With an endless combination of filters, you receive a complete view of the security and compliance baseline of your infrastructure. If you are alerted of a risky misconfiguration, Conformity provides you with step-by-step guides to fix it yourself, or you can use auto-remediation.
To understand how compliant your cloud environment is to HIPAA, start a free 30-day trial.
Next steps
Continue reading the compliance series: