The Health Insurance Portability and Accountability Act (HIPAA) was designed to protect the privacy, security, and integrity of protected health information (PHI). This goal seems simple enough, but compliance has always been notoriously complex, especially since healthcare organizations entered the digital age and embraced innovations, such as cloud computing and mobility and telehealth solutions.
COVID-19 upended both the healthcare industry and HIPAA compliance. Virtually overnight, hospitals and other providers found themselves scrambling to implement telehealth options and, where possible, remote work.
In an effort to ease the burden on providers as they strove to protect staff and patients, the U.S. Department of Health and Human Services (HHS) chose to exercise “enforcement discretion” and stated that it would not impose penalties “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
Relaxed HHS Enforcement is a Temporary Measure
However, this does not mean that healthcare providers can use COVID-19 as an excuse to let HIPAA compliance and data security fall by the wayside. The relaxed HHS enforcement is a temporary measure to give providers time and breathing room to review their security protections and update them accordingly.
The pandemic has spread healthcare facilities’ financial and human resources thin, and cybercriminals are taking advantage of tighter budgets and overworked IT staff. On average, it takes nearly a year (329 days) for a healthcare organization to discover and contain a breach, so organizations may already be compromised without even knowing it, leaving them wide open to data breaches and malware infections, particularly ransomware.
In Q4 2019, ransomware attacks on healthcare providers rose by 350%, and one in every 10 ransomware attacks includes data theft.
Complying with HIPAA in a telehealth-focused, digitized world
The HIPAA Security Rule includes a number of technical specifications to protect PHI, which include:
- Implement access controls
To ensure that only authorized personnel can access PHI.
- Implement audit controls
This includes activity logs to record actual and attempted access to PHI, as well as what is done with the PHI once it has been accessed.
- Implement integrity controls
To ensure that PHI cannot be improperly altered or destroyed.
- Encrypt all PHI to NIST standards
Both in transit and at rest, whenever it travels beyond the organization’s firewalled servers.
- Ensuring automatic log-off features
Both desktop and mobile devices should have automatic log-off features to prevent unauthorized access to PHI, if a device is left unattended.
Even after the world gets past COVID-19, innovations such as telemedicine and remote work are here to stay. However, in this new environment, there are significant risks of PHI being saved in less secure locations, such as on local devices and on misconfigured cloud servers, or transmitted insecurely through unencrypted email or messaging apps. Access control is also an issue in an environment without a clearly-defined network perimeter.
Going Beyond HIPAA Securities to Protect PHI
Organizations must review their existing security procedures and controls, with a focus on the technical requirements of the HIPAA Security Rule. That said, it’s important that healthcare organizations not depend solely on HIPAA requirements to protect PHI. HIPAA compliance is only a starting point for data security; it is not a replacement for a comprehensive cybersecurity program.
Here are some steps you can take to tighten up your data security beyond HIPAA compliance:
- Cybersecurity training
Have all employees undergo mandatory cybersecurity awareness training, especially training on how to avoid phishing emails. Since the cyber threat environment is in continuous flux, training sessions should be conducted at regular intervals to address new and emerging threats.
- Password requirements
Ensure that all employees are using strong, unique passwords for every account and implementing multi-factor authentication (MFA/2FA) on all accounts that support it. Mandate the use of a password manager so that IT administrators can monitor employee password habits and enforce these rules.
- Subscribe to a Dark Web monitoring service.
These services search Dark Web forums for compromised credentials, then alert IT administrators if any employee credentials are found, so that they can force password resets.
- Partner with an expert in HIPAA compliance
These assessments help organizations identify, prioritize, and mitigate security and regulatory vulnerabilities with HIPAA Gap and Security Assessments
Article contributed by: SECNAP Network Security
SECNAP Network Security helps healthcare organizations and other companies that handle PHI, secure their networks and comply with HIPAA’s cybersecurity requirements.