[author: Mike Ogden]
Given the choice between credit card data and digital health records, cybercriminals prefer the latter. A stolen credit card can be canceled. Electronic protected health information (ePHI) with its treasure-trove of personally identifiable information offers a higher value on the Dark Web.
HIPAA compliance, specifically its Security Rule, establishes standards for protecting individuals’ electronic personal health information and provides administrative, physical, and technical safeguards. HIPAA's Security Rule dovetails nicely with IT security best practices.
Former Acting Deputy Director for HIPAA at the Department of Health and Human Services (HHS), Iliana L. Peters, shares four ways to protect data security and patient safety that go beyond check-the-box HIPAA compliance.
1. Perform a risk analysis of HIPAA-protected data
HIPAA requires healthcare entities to conduct an accurate and thorough assessment. The assessment is designed to reveal the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.
Healthcare organizations often underestimate the amount of ePHI they generate: applications, computers, medical devices, messaging apps, mobile devices, backup tapes, and more.
A risk analysis should identify all ePHI created, maintained, received, or transmitted, regardless if the data travels inside or outside the organization. According to Peters, the risk analysis might also uncover the absence of business associate agreements. It’s a frequent flashpoint for OCR settlements. Many HIPAA violations come from a failure to have business associate agreements in place to govern the handling of personal health information.
“Before you disclose ePHI, you must have agreements in place with covered entities to maintain ePHI security and HIPAA compliance,” Peters said.
2. Defense is the best offense to protect ePHI
Patient records can be sold for $1000 on the dark web, so it’s no surprise healthcare organizations and business associates with ePHI are the target of choice for cybercriminals.
Given the value and volume of their data, healthcare organizations are especially vulnerable to phishing attempts and ransomware attacks. If you know where ePHI is vulnerable, you can take steps to address with IT defensive measures.
Many ransomware incidents occur when IT systems go without updating. The best defense against ransomware is a multi-pronged approach: regular patching, backup system and recovery strategy. Nobody wants to pay a ransom.
Peters stressed the importance of software patching and maintaining a patching schedule. Regular software updates help address security flaws favored by hackers. Time and resources should be built into the budget for recurring security updates and cybersecurity training.
Employee training, such as simulated phishing attacks, is a critical part of defensive ePHI data security. FTC's Start with Security and OCR's YouTube channel are also good resources to check out.
3. Address insider threats and unauthorized access
Healthcare also has an insider threat challenge, which Peters refers to as “employee snooping.” Whether it’s out of curiosity or for illicit gain, individuals without authorization gain access to patient data. It’s not just inappropriate access that could result in a HIPAA violation. The act could lead to criminal activity and capture the attention of state attorney generals. All current employees should attest to company policy and made aware of what leads to a HIPAA violation.
“Departing employees are a security risk to ePHI, and their access should be terminated immediately upon surrendering credentials,” said Peters.
One of the biggest risks of insider threat is when employees leave while retaining access to ePHI data for days or even weeks. To prevent employees accidentally or maliciously accessing data, check the controls, policies, and procedures that govern employee access to patient data. Since departing employees present a security risk, their access should be terminated immediately upon surrendering credentials.
4. Perform comprehensive, enterprise-wide risk management
In addition to a targeted assessment, Peters suggests that healthcare organizations use technology to perform comprehensive, enterprise-wide risk management. She also recommends outside counsel and cyber insurance for post-incident forensic investigations.
Since the majority of settlements from the Office for Civil Rights stem from risk management, protecting ePHI data should be an organizational priority. Risk management initiatives should include stakeholders in compliance, legal, and IT departments, with regular updates to department heads and the board. HIPAA compliance demands record-keeping and accountability.
The best way to protect an increasing volume of patient healthcare data is a central location for controls, policies, procedures, and documents like business associate agreements, in addition to following IT security best practices and robust employee training.
We just scratched the surface here with the importance of risk analysis, access control, cybersecurity training and comprehensive, enterprise-wide risk management.