How Can You Maintain HIPAA Compliance When Accessing Information on Your Devices?
It has been 24 years since Congress passed the Health Insurance Portability and Accountability Act (HIPAA), and 17 years since the U.S. Department of Health & Human Services (HHS) finalized the Privacy and Security Rules that implement it. Today, HIPAA compliance remains a critical obligation that healthcare organizations and their business associates must meet to protect patient data.
Healthcare workers are far more mobile in their day-to-day work: modern laptops, cell phones, tablets, and portable medical equipment form an always-connected link to cloud computing services. This simplifies the life of the clinician but creates challenges for compliance, security, and HIPAA.
Any device used by a medical professional that stores or can access electronic protected health information (ePHI) falls under the administrative, physical, and technical safeguards of the HIPAA Security Rule. Securing these devices is an essential and legally binding responsibility for the healthcare institution and for any business associate it relies on, such as its cloud service provider.
Securing the device
The first line of defense is a hardened build of the device itself. Any cell phone or business laptop issued to healthcare personnel must be built securely by whoever provisions it, typically the IT department or a HIPAA-compliant cloud hosting partner. The build must include safeguards that limit the damage from theft and data loss; no build can guarantee against either, so the goal is that a lost device yields no readable ePHI.
Every portable device should use full-disk encryption based on the Advanced Encryption Standard (AES), preferably with a 256-bit key. AES encrypts the data on the disk so that it is readable only by someone who holds the decryption key; without the key, the stored data is indecipherable. Note that disk encryption protects data at rest, that is, while the device is powered off or locked; it does nothing for data on an unlocked, logged-in device. Combining encryption with pre-boot (power-on) authentication and a strong password policy that is centrally enforced through directory services and regularly reviewed is a good start.
Encryption is also needed on the network. The HIPAA Security Rule lists encryption of ePHI in transit as an addressable implementation specification (45 CFR 164.312(e)(2)(ii)): a covered entity must implement it where reasonable and appropriate, or document why an equivalent alternative measure is sufficient. In practice this means ePHI should never cross a network in the clear. One common approach is a VPN. A site-to-site VPN should already exist between the computing infrastructure, typically found in a cloud provider's data center, and the healthcare organization's private network.
That VPN can then be extended to laptops, cell phones, and medical devices. This works well for remote working: a private network is created between all devices, servers, and endpoints, and the end-user experience is generally the same as being inside the corporate network. A VPN is not the only way to encrypt ePHI in transit, however, and it is not sufficient on its own. It encrypts all traffic between the device and the VPN gateway, but traffic beyond the gateway, for example from the gateway to an application server, is protected only if the application itself uses TLS. Treat the VPN as one layer and require TLS end to end as well.
Implement TLS Certificates
TLS (Transport Layer Security) replaced the now deprecated SSL protocol. A TLS certificate lets a client verify that the endpoint it is talking to is genuine, and the TLS session then encrypts the data exchanged between the two endpoints and protects its integrity with a message authentication code or an authenticated (AEAD) cipher. An attacker on the network path can still see that traffic is flowing and can capture it, but cannot read or alter the contents without the session keys, and any tampering is detected and causes the connection to fail. TLS does not make interception impossible; it makes interception useless.
HIPAA does not name a specific TLS version, but the deprecated versions TLS 1.0 and 1.1 should be disabled in favor of TLS 1.2 or higher, as NIST SP 800-52 recommends. TLS should secure healthcare email systems, cloud apps, payment systems, and internal intranet sites. Many medical applications are delivered through a web browser, so serving them over properly configured TLS, with certificate verification enforced on the client side, is the baseline for any application that handles ePHI.
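As an added example (not code from the original article or from Atlantic.Net), the following Python script shows what "TLS 1.2 or higher with certificate verification" looks like in practice for a client that talks to an ePHI application. It contrasts a weak client configuration that disables verification with a hardened one built on the standard library's `ssl` module, and provides a small probe that reports the negotiated protocol version and cipher for a given host. The host name, port, and the cipher string are assumptions chosen for illustration; the probe needs network access and is not run offline.

```python
import socket
import ssl

# Minimum protocol version we accept. TLS 1.0 and 1.1 are deprecated (RFC 8996).
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2


def weak_client_context() -> ssl.SSLContext:
    """The pattern to avoid: certificate verification switched off.

    A client using this context silently accepts a forged or expired
    certificate, so anyone on the path can impersonate the ePHI server.
    It also does not pin a minimum protocol version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # hostname in the certificate is not checked
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is not verified at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context suitable for an application that carries ePHI."""
    # create_default_context() loads the system CA store and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context()
    ctx.minimum_version = MINIMUM_TLS  # refuse TLS 1.0 and 1.1 outright
    # Assumed policy: forward-secret AEAD suites only for TLS 1.2.
    # (TLS 1.3 suites are governed separately and are all AEAD.)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def version_acceptable(version: str) -> bool:
    """Policy check on a negotiated version string as returned by SSLSocket.version()."""
    return version in {"TLSv1.2", "TLSv1.3"}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was negotiated.

    Raises ssl.SSLCertVerificationError if the server certificate does not
    verify, and ssl.SSLError if the server only offers TLS 1.0/1.1.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "acceptable": version_acceptable(tls.version()),
            }


if __name__ == "__main__":
    import sys
    # Assumed target for illustration; pass a real host name as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(probe(target))
```

The important difference between the two contexts is not the cipher list but `verify_mode` and `check_hostname`: a client with `CERT_NONE` negotiates a perfectly strong cipher with whoever answers, which is exactly the man-in-the-middle case TLS is meant to prevent.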
Perhaps the most influential way to maintain HIPAA compliance on an endpoint device is to uphold the integrity of the entire network it connects to. That network is often managed by a business associate, such as a cloud service provider, that controls and is responsible for the network stack.
Centralized network management enables the healthcare organization to map, track, and trace where ePHI is used on the network. Identifying where ePHI is located on the infrastructure is a core prerequisite of compliance, and determining who has access to it is critical. ePHI is protected by file permissions managed through directory services and by verbose logging that records every access to ePHI files.
Intrusion detection and prevention systems (IDS/IPS) are configured to alert when unexpected access occurs. Perhaps a patient file was read in the middle of the night when no access is normally expected, or ePHI was written to a server that is not approved to hold it. Feeding network and file-access activity into a SIEM, increasingly with machine-learning-based anomaly detection, enables proactive monitoring of user devices rather than after-the-fact review.
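To make the two alert scenarios above concrete, here is an added example (not code from the original article or from any SIEM product) of the detection logic a SIEM rule would encode, run over constructed file-access log lines. The log format, the ePHI path prefixes, the list of approved ePHI hosts, the clinical user list, and the business-hours window are all assumptions for the example; a real deployment would pull them from the asset inventory and directory services.

```python
from dataclasses import dataclass
from datetime import datetime, time
import re

# Assumed log line format (constructed for this example):
#   <ISO timestamp> user=<name> action=<read|write> path=<file> host=<server>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\w+) "
    r"path=(?P<path>\S+) host=(?P<host>\S+)$"
)

# Assumed policy values: where ePHI may live, who may touch it, and when.
EPHI_PREFIXES = ("/ephi/", "/shares/records/")
APPROVED_EPHI_HOSTS = {"ehr-db-01", "ehr-app-01"}
CLINICAL_USERS = {"dr.patel", "nurse.ng"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # 07:00 inclusive to 20:00 exclusive


@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str


def is_ephi_path(path: str) -> bool:
    """True when the path lies under a location inventoried as holding ePHI."""
    return path.startswith(EPHI_PREFIXES)


def off_hours(ts: datetime) -> bool:
    """True when the event falls outside the assumed business-hours window."""
    t = ts.time()
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])


def scan(lines) -> list:
    """Apply the detection rules to each log line and return the alerts raised."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            # A line the parser cannot read is itself worth an alert:
            # silent parse failures are how monitoring gaps appear.
            alerts.append(Alert(n, "unparseable", line.strip()))
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, action, path, host = m["user"], m["action"], m["path"], m["host"]
        if not is_ephi_path(path):
            continue  # only ePHI locations are in scope for these rules
        if user not in CLINICAL_USERS:
            alerts.append(Alert(n, "unauthorized-user", f"{user} {action} {path}"))
        if off_hours(ts):
            alerts.append(Alert(n, "off-hours-access",
                                f"{user} {action} {path} at {ts.time()}"))
        if action == "write" and host not in APPROVED_EPHI_HOSTS:
            alerts.append(Alert(n, "ephi-on-unapproved-host",
                                f"{user} wrote {path} on {host}"))
    return alerts


# Constructed sample log for the example (not real data).
SAMPLE_LOG = [
    "2024-03-04T09:12:00 user=dr.patel action=read path=/ephi/patients/1042.pdf host=ehr-app-01",
    "2024-03-04T02:47:13 user=dr.patel action=read path=/ephi/patients/1042.pdf host=ehr-app-01",
    "2024-03-04T14:05:44 user=j.smith action=read path=/ephi/patients/2210.pdf host=ehr-app-01",
    "2024-03-04T15:30:02 user=nurse.ng action=write path=/shares/records/export.csv host=fileserver-test",
    "2024-03-04T16:00:00 user=j.smith action=read path=/public/policy.pdf host=intranet",
    "garbage line",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.rule}: {alert.detail}")
```

Run against the sample, the first line is normal clinical access and raises nothing, the second is the "file read in the middle of the night" case, the third is a non-clinical user touching a patient record, the fourth is ePHI saved to a server that is not approved to hold it, and the last line is unparseable. Each rule is deliberately independent so that one event can raise several alerts; correlating them is the SIEM's job.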
Secure that cell phone
Countless cell phones and mobile devices are in use by healthcare professionals. They are an essential resource in medicine, but also one of the biggest security challenges: they are easy to lose and easy to steal. Ensuring mobile devices are encrypted and protected by a screen lock with a PIN or passcode, optionally supplemented by a fingerprint or face unlock, is mandatory.
Remote wipe capability is also highly recommended, and it is straightforward to implement with a mobile device management (MDM) platform. Mobile operating systems expose management controls for VPN configuration, encryption enforcement, location, and remote wipe, and the MDM drives them centrally, so the devices are effectively managed in-house. When a phone is reported lost or stolen, an engineer can mark it lost and attempt to locate it through the MDM, report its IMEI to the carrier so the handset is blocked on the network, and, if it cannot be recovered, wipe all data on it.
To conclude, using a device to access ePHI and process sensitive data is an essential part of the life of a healthcare worker. Mobile technology and digital devices have helped to revolutionize medicine, and the way healthcare is practiced is changing with them. Healthcare professionals have had to adapt since the COVID-19 pandemic, and user devices have become an absolutely fundamental tool for delivering healthcare services to those in need.
However, digital devices are the weak link in security if they are not managed correctly. A quick glance at the HHS OCR breach portal (often called the "Wall of Shame") shows that devices holding ePHI are lost and stolen quite often. Therefore, to maintain HIPAA compliance it is necessary to make sure that endpoint devices meet the required and addressable safeguards of the HHS Security Rule.
Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.