Does HIPAA Compliance Equal Security?
HIPAA compliance (meeting the parameters of the Health Insurance Portability and Accountability Act of 1996) is a massive point of focus for healthcare organizations – and for good reason. Beyond the fines that a company can have to pay for violations, there are numerous other costs associated with the data breaches that are typically associated with noncompliance. Keep in mind, though, that the data compromises themselves are the central problem and should actually be as strong a point of focus as the issue of compliance. It is all too easy to square the organization directly toward healthcare law – as if its language is somehow synonymous to your information security. Healthcare is the sector that is most commonly impacted by data breaches, so there should be concern that security parameters are not being met despite the obvious assistance that HIPAA has given to simply making data protection a high priority.
This is a guest post written by Adnan Raja, on behalf of Atlantic.
Nine in ten healthcare firms – and approximately three in five of their business associates (see below), have been a victim of one or more compromises of their systems. In fact, almost four out of five (79%) suffered from two breaches, while nearly half of them had experienced three or more (per research from the Ponemon Institute). The key issue here is something that makes HIPAA a little difficult to discuss: it lacks specifics. That may sound strange, but the law is not fundamentally a list of technical requirements. Rather, the safeguards within the Administrative Simplification Provisions (Title II of the law), are focused on the need for standardized data protections – but specifics are not discussed since technological approaches and other granular decisions about operations are left to the individual businesses.
HIPAA, HITECH, & “corporate negligence”
HIPAA is the law that is the central point of focus and basis for healthcare privacy and security laws that have directed regulatory compliance from the HHS Department since the digital era emerged. However, it is also important to be aware of another piece of legislation that is more recent: the Health Information for Economic and Clinical Health Act (HITECH). Part of the American Recovery and Reinvestment Act of 2009 (ARRA), the economic stimulus plan that was passed and signed into law soon after President Obama took office, HITECH is an update to the provisions of HIPAA so that privacy continued to be properly protected as the Internet era progressed; it also incentivized organizations to make their records electronic so that healthcare was generally more interoperable and accessible.
Healthcare firms (healthcare insurers/plans, providers, and data clearinghouses), called covered entities under HIPAA, have had to be concerned directly with meeting its requirements since 1996. As of HITECH, the basis of the HIPAA Omnibus Final Rule, those companies’ business associates (any organization that provides a service to a covered entity that involves the handling of protected health information, or PHI) are also now held directly responsible for meeting the parameters of the law.
At CSO, attorney and HIPAA compliance officer Stephen Treglia advises that noncompliance with these federal healthcare laws can have a devastating impact on a business, referring to failing to meet these standards as “corporate negligence.” The first example he gives of “negligent” behavior is the massive 2015 Anthem hack. Compromises occur all the time, he says; and that point is clearly confirmed by the HHS’s Wall of Shame. However, with compliance as the core concern, firms often forget that HIPAA-compliant organizations often have data breaches too.
Organizations should be in control of their data and the infrastructure that stores and supports it if they want to actually have a fully protected environment. “[T]hese kinds of one-size-fits-all regulations should not be treated as comprehensive guidelines,” says Treglia. “This creates a false sense of security.”
Brookings: three ideas for security beyond HIPAA
The results of talks with information security professionals by the Brookings Institution reveal that HIPAA is not enough to properly secure a healthcare business – especially in the case of large enterprises with a complex array of infrastructures and platforms. As healthcare has transitioned into digital form through electronic health records (EHR), mobile devices are increasingly being used to access these systems, and health exchanges are being used by doctors to transmit records to one another. Because the push to digital has been so multifaceted, hackers have broad potential targets and ways in which they can attack.
Responding to disturbing statistics that one in four data breaches were within the healthcare industry, the May 2016 report, from Brookings fellow Niam Yaraghi, looked at the issue of healthcare data safety.
The basis for the report was 22 interviews with companies that had experienced data breaches involving the data protected by the law, protected health information (PHI). The discussions (with a range of types of organizations including providers, insurers, and business associates) demonstrated that what is contained within the legislation and the Office for Civil Rights (OCR) regulations is insufficient to really safeguard information. Even recognizing the security issues with HIPAA regulations and oversight, it is still confusing exactly how you should move forward. Beyond what the federal government recommends and requires, Brookings suggests that the private sector needs to step up and fill the gap, using a number of methods:
Treat patient privacy as an investment. Often, breaches occurred because companies had not made privacy a high enough priority, neither putting enough funding into security components or abiding by privacy guidelines. Yaraghi notes that since healthcare firms are familiar with what they need to do and core security technologies that are at their disposal, they should spend more money and time on these elements so that they do not leave themselves exposed and vulnerable to attack.
Communicate and learn. While you want to conceal data from unauthorized eyes, you do not want the approaches that you take to be secretive within the industry. Openness about tools implemented by companies, privacy policies, and compromises that take place should occur between HIPAA-regulated firms, as well as between healthcare firms and the HHS (Health and Human Services Department, the agency of which the OCR is a subagency).
Get cyber insurance. The report notes that this form of insurance is critical; it is specifically designed to protect you from threats to your IT systems. Cyber-insurance is not just a case-by-case concern for individual companies but a systemic issue, says Yaraghi. If it became standard for cyber-insurance to be carried by healthcare organizations, the way in which people look at healthcare privacy within the sector would be substantially altered, suggests Yaraghi. The reason this insurance is a critical piece, in his opinion, is that the insurance carriers audit organizations and are proactive about the way that their clients handle privacy during the underwriting process. Another thing that can happen for organizations with cyber-insurance is that insurance rates are lowered when an organization takes steps to be sure that privacy is upheld through the deployment of security mechanisms and other tactics.
Proactive healthcare security
Creating electronic forms of healthcare records has allowed for easier collaboration between different healthcare providers and other forms of efficiency. However, it has also led to an incredible number of data breaches. In this climate, it is necessary to go beyond what is directed by the government. You need protocols for detection and response; proactive monitoring; and multiple layers of security. A good place to start is following a HIPAA compliant hosting requirements checklist.
If all or part of your infrastructure is with a hosting service, look for companies that go beyond HIPAA and HITECH auditing to also get certification with SOC 1 and SOC 2. These organizations demonstrate, through analysis by independent third parties, that they have comprehensive and advanced security mechanisms in place.
Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.