How to Ensure HIPAA Compliance Efforts Focus on Data Security

HIPAA, the Health Insurance Portability and Accountability Act, was created to modernize and secure the flow of healthcare information. Two of its rule sets matter most for data security: the HIPAA Privacy Rule, which governs how patients' health information may be used and disclosed, and the HIPAA Security Rule, which requires the confidentiality, integrity, and availability of that information when it is held or transmitted electronically.

Data security is one of HIPAA's backbones, so it should be a priority for any company that needs to be compliant. To get there, it is important to first know what these rules focus on, and then what can be done to make sure data security is actually covered.

HIPAA Privacy Rule

The Privacy Rule protects "protected health information" (commonly known as PHI): individually identifiable health information in any form, whether on paper, spoken, or stored and sent electronically, email included. Its purpose is to define the circumstances under which PHI may be used or disclosed, and in particular which uses and disclosures are permitted without the patient's authorization; anything outside those circumstances requires it.

Organizations must also give patients (or their personal representatives) access to their own PHI on request, and, also on request, an accounting of the disclosures of that PHI that have been made to third parties.

HIPAA Security Rule

The Security Rule establishes a number of basic principles for organizations, in particular to ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) that the organization creates, receives, maintains, or transmits.

In addition, this information must be protected against reasonably anticipated security threats and against impermissible uses or disclosures (regular, tested backups are one example of a control against loss of availability or integrity).

The data security requirements of HIPAA

As mentioned above, the Security Rule groups the safeguards that covered entities and business associates must implement into three categories:

  • Administrative safeguards: the policies and processes for managing security, starting with regular risk assessments so that vulnerabilities are found early and the exposure of PHI is understood.
  • Physical safeguards: the physical measures that keep PHI, and the equipment and facilities holding it, safe from unauthorized access and from environmental threats such as fire or flood.
  • Technical safeguards: the technology and its configuration that protects ePHI wherever it is stored, processed, or transmitted: access control, audit controls, integrity protection, person or entity authentication, and transmission security.

Administrative safeguards

These are mostly administrative and security-management processes: the "who, when, and how" of PHI access. BYOD (Bring Your Own Device) is a good example. If professionals are allowed to use personal devices, the company must have policies in place and make sure those professionals know the practices they must follow on them.

Physical safeguards

HIPAA also has requirements for how PHI and other sensitive data can be physically reached: not only the physical storage of computer equipment, but also control over who may enter the facilities that house it.

These safeguards also cover protection against physical threats, including environmental hazards such as fires, floods, or earthquakes.

A related requirement is that any workstation used to access PHI should log off automatically after a period of inactivity, so that unauthorized personnel cannot use a device that has been left unattended. Strictly, the Security Rule lists automatic logoff among its technical access controls rather than the physical safeguards, and as an "addressable" specification, meaning the organization must implement it or document why an alternative gives equivalent protection; the threat it counters, though, is a physical one: someone walking up to a logged-in screen.

Mobile devices and removable media also need additional safeguards against unauthorized access. Mechanisms and processes must be in place to protect information accessed or stored on them, and to say what happens when one goes missing, for example what must be done if a USB stick containing PHI is lost (and whether the data on it was encrypted decides how serious that loss is).

Technical safeguards

Last but not least, the technical safeguards govern the technology that stores, processes, and moves ePHI, including the way data "travels" over a network, which makes them arguably the hardest safeguards to implement and verify. Their number one goal is to prevent disclosure, accidental or otherwise, of PHI and other sensitive information, which is also one of HIPAA's core concepts.

Healthcare organizations should therefore implement technology that lets them detect violations quickly, and access to records should be reviewed regularly: the Security Rule's audit controls exist so that every read or change of a record leaves a trail that someone actually looks at. Data breaches are always a risk, but that risk can be cut sharply by being informed, prepared, and alert, so that the company and its staff know which actions prevent an incident and which to take when one happens.
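As an added example of what a periodic access review can look like in practice (this is not code from the original post or from Atlantic.Net), the Go program below parses a constructed PHI access log and applies two review rules: flag any user who touched more than a threshold of distinct patient records in the window, and flag any access outside an assumed business window of 07:00 to 19:00 UTC. The log format, the user names, the patient IDs and the threshold are all assumptions made for the example; real EHR audit logs have their own schema, and a real review would also weigh role, department and on-call schedules before calling something suspicious.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one record from a constructed PHI access log.
// Real EHR audit logs differ in format; the fields here are assumptions.
type AccessEvent struct {
	When    time.Time
	User    string
	Action  string
	Patient string
}

// sampleLog is constructed sample data, not a real audit trail.
const sampleLog = `2024-03-04T09:12:00Z user=nurse1 action=view patient=P1001
2024-03-04T09:14:00Z user=nurse1 action=view patient=P1002
2024-03-04T02:40:00Z user=clerk7 action=view patient=P1003
2024-03-04T13:05:00Z user=clerk7 action=view patient=P1004
2024-03-04T13:06:00Z user=clerk7 action=view patient=P1005
2024-03-04T13:07:00Z user=clerk7 action=view patient=P1006
2024-03-04T13:08:00Z user=clerk7 action=view patient=P1007
2024-03-04T13:09:00Z user=clerk7 action=view patient=P1008
2024-03-04T11:00:00Z user=dr_lee action=update patient=P1001
2024-03-04T23:30:00Z user=dr_lee action=view patient=P1009`

// parseLog turns "timestamp key=value ..." lines into events. Malformed
// lines are counted rather than dropped silently: gaps in an audit trail
// are themselves something a reviewer needs to know about.
func parseLog(raw string) ([]AccessEvent, int) {
	var events []AccessEvent
	bad := 0
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 4 {
			bad++
			continue
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			bad++
			continue
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if k, v, ok := strings.Cut(f, "="); ok {
				kv[k] = v
			}
		}
		if kv["user"] == "" || kv["action"] == "" || kv["patient"] == "" {
			bad++
			continue
		}
		events = append(events, AccessEvent{When: ts, User: kv["user"], Action: kv["action"], Patient: kv["patient"]})
	}
	return events, bad
}

// reviewAccess applies two simple rules a periodic access review would run:
//   - a user touching more than maxPatients distinct records in the window
//     (a signal for record snooping or bulk export), and
//   - any access outside the assumed business window of 07:00-19:00 UTC.
// Findings are returned sorted so they are easy to compare and file.
func reviewAccess(events []AccessEvent, maxPatients int) []string {
	perUser := map[string]map[string]bool{}
	var findings []string
	for _, ev := range events {
		if perUser[ev.User] == nil {
			perUser[ev.User] = map[string]bool{}
		}
		perUser[ev.User][ev.Patient] = true
		if h := ev.When.UTC().Hour(); h < 7 || h >= 19 {
			findings = append(findings, fmt.Sprintf("after-hours: %s %s %s at %s",
				ev.User, ev.Action, ev.Patient, ev.When.Format(time.RFC3339)))
		}
	}
	for user, patients := range perUser {
		if len(patients) > maxPatients {
			findings = append(findings, fmt.Sprintf("volume: %s accessed %d distinct patient records (limit %d)",
				user, len(patients), maxPatients))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	events, bad := parseLog(sampleLog)
	fmt.Printf("%d events parsed, %d malformed lines\n", len(events), bad)
	for _, f := range reviewAccess(events, 5) {
		fmt.Println(f)
	}
}
```

On the constructed log this yields three findings: two after-hours views (clerk7 at 02:40 and dr_lee at 23:30) and one volume finding for clerk7, who touched six distinct records against a limit of five. The point is not the specific thresholds but that the review runs against the trail the audit controls produce, and that its output is something a compliance owner can read and act on.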

What to do in case of a ransomware attack

Under the ransomware guidance issued by the U.S. Department of Health & Human Services (HHS) in 2016, a ransomware attack that encrypts ePHI is presumed to be a breach and must be reported to HHS unless the organization can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised. The guidance describes prevention of and recovery from ransomware from the healthcare perspective, and how the HIPAA breach notification process should be handled in response to an attack.

The HHS guidance reasons that if an attacker is able to encrypt files containing PHI, the attacker has "acquired" those files (taken possession or control of them), and has compromised both the owner's ability to access their own data and the organization's ability to maintain the data's integrity; each of these is a compromise that triggers the breach analysis and, absent a documented low-probability finding, notification.

Note that having encrypted the files yourself before the ransomware encrypted them a second time does not automatically exempt you. Encryption in line with HHS guidance removes the notification duty only if the data was actually protected at the moment of the attack; if the ransomware ran under a logged-in user's credentials while the data was decrypted for use, which is the common case, the PHI was still exposed and notification may still be required.

The importance of data at rest

By its nature, a large part of medical data is "at rest" most of the time: records are written once and then sit in storage, neither being retrieved nor sent anywhere. Still, it is easy to focus on securing data in transit while forgetting the security of data at rest.

One of the best ways to secure this data is to encrypt it, which a HIPAA-compliant hosting solution can make straightforward. Then, even if an attacker obtains a copy of the stored PHI, its content is encrypted and therefore not in a usable state; PHI encrypted in line with HHS guidance also does not count as "unsecured PHI", so its loss alone does not trigger breach notification. The caveat is key management: encryption only helps if the key is stored separately from the data and is not reachable by the same attacker, and it does nothing against someone who compromises a running system that decrypts records on demand.
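To make the "not in a usable state" argument concrete, here is an added example (not code from the original post or from Atlantic.Net) of encrypting a record at rest with AES-256-GCM in Go. The record ID is bound in as associated data, so a ciphertext cannot be moved into another patient's slot, and any tampering, wrong key or wrong ID makes decryption fail outright rather than yield garbage, which is the integrity guarantee the Security Rule asks for alongside confidentiality. The record contents and ID are constructed, and the key is generated on the spot for the demonstration; a production system would fetch it from a KMS or HSM so that it never sits beside the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh 256-bit key. In production the key comes from a
// KMS or HSM and is never written to the same disk as the ciphertext.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// sealRecord encrypts one record with AES-256-GCM. A random 12-byte nonce
// is prepended to the ciphertext, and recordID is passed as associated data
// so the ciphertext is bound to the record it belongs to.
func sealRecord(key, recordID, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends nonce||ciphertext||tag into a new slice.
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// openRecord reverses sealRecord. Any change to the nonce, ciphertext, tag,
// key or record ID makes GCM's authentication fail, so a tampered or
// misfiled record is rejected instead of being decrypted to garbage.
func openRecord(key, recordID, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	recordID := []byte("P1001")                                    // constructed identifier
	record := []byte("constructed record: dx=J45.909 rx=albuterol") // constructed PHI-like content
	sealed, err := sealRecord(key, recordID, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %x\n", sealed)

	// Misfiled under another patient: authentication fails.
	if _, err := openRecord(key, []byte("P1002"), sealed); err != nil {
		fmt.Println("misfiled record rejected:", err)
	}
	// One flipped bit in the tag: authentication fails.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := openRecord(key, recordID, sealed); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01
	plain, err := openRecord(key, recordID, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored: %s\n", plain)
}
```

Note what this does and does not buy. A stolen disk image or backup holds only nonces, ciphertexts and tags, which is exactly the "unusable" state the paragraph above describes. An attacker who compromises the application server while it holds the key, or who runs code as a logged-in user while records are decrypted for display, is not stopped by this layer at all; that is the ransomware case discussed earlier, and it is why access controls and audit review have to sit alongside encryption rather than being replaced by it.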

This is a guest post written by Adnan Raja, on behalf of Atlantic.Net