Today, healthcare organizations are prime targets for cyberattacks. Cybercriminals use everything from malware and ransomware to weak passwords and other tactics to gain access to confidential patient data. This can include names, birth dates, credit card numbers, phone numbers, employment histories, and more.
And prior to the creation of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, no generally accepted set of security standards or requirements for protecting health information existed.
However, as new technologies emerged and healthcare organizations began to rely heavily on electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinical functions, the need for security became increasingly evident.
But while healthcare organizations are required to abide by HIPAA’s rules to safeguard health information from unauthorized access, simply complying may not be enough to protect against cyberattacks.
The HIPAA Security Rule
The HIPAA Security Rule is a mandate that healthcare entities must follow, and it is designed to safeguard ePHI (electronic protected health information) while also allowing entities to continue adopting new technology to improve the quality and efficiency of patient care.
- Covered entities of the Security Rule include health plans, clearinghouses, and healthcare providers. If you are unsure whether you are required to comply with HIPAA, we encourage you to visit this U.S. Department of Health and Human Services resource to learn more.
Due to the diversity of the healthcare industry, the Security Rule is flexible and scalable depending on the covered entity’s size, structure, and risk level. However, in all cases, there are physical, technical, and administrative safeguards that must be in place.
Physical safeguards are those that protect systems that store ePHI. Examples include:
- Facility Access and Control. Physical access to facilities must be limited while ensuring that authorized access is allowed.
- Workstation and Device Security. A covered entity must ensure proper use and access to workstations and electronic media and create procedures for transferring, removing, and disposing of electronic media to protect ePHI.
Technical safeguards are policies and procedures protecting the use and accessibility of ePHI. Examples include:
- Access Control. Only authorized individuals should be able to access ePHI.
- Audit Control. Software must be in place to record and examine activity in systems that contain or utilize ePHI.
- Integrity Control. There must be mechanisms to ensure that ePHI is not tampered with or altered in an unauthorized manner.
- Transmission Security. Technical security measures should be in place to guard against unauthorized access to ePHI that is being transmitted over an electronic network.
Administrative safeguards are those that monitor the human element of risk. Examples include:
- Security Personnel. A security official should be designated to develop and implement security policies and procedures.
- Information Access Management. A covered entity must implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient's role.
- Workforce Training and Management. A covered entity must provide appropriate authorization and supervision of workforce members who work with ePHI. All workforce members must be trained in security policies and procedures. There must be appropriate sanctions against members who violate policies and procedures.
- Evaluation. A periodic assessment of security policies and procedures must take place.
Using HIPAA to Create Stronger Cybersecurity Practices
Healthcare organizations that are HIPAA compliant have met the minimum standards for security and healthcare data privacy as determined by the U.S. Department of Health and Human Services. However, simply being HIPAA-compliant does not mean a company is adequately protected against cyberattacks.
While HIPAA is a great starting point for understanding your security posture and risk management strategies, organizations must take additional steps to ensure comprehensive cybersecurity measures are in place.
Instead of focusing on security in a sporadic, disjointed way – seeking mostly to check compliance rules off a list and move on – healthcare organizations should take a holistic approach to cybersecurity. After all, the average cost of a data breach in healthcare reached an all-time high of $10.1 million in 2022.
How do you implement better, more comprehensive cybersecurity practices in your organization?
It starts with investing in prevention and awareness.
While software and safeguards are critical to protecting patient data, those tactics are only as effective as your staff is at implementing and managing them. It is equally – and possibly even more – important that your staff acknowledges and understands the role they play in keeping patient data safe.
To better understand where your healthcare organization stands with HIPAA compliance and its overall security posture, start by conducting a Security Risk Assessment (SRA).
- Security doesn’t stop with HIPAA compliance. Continue reading about the importance of creating a comprehensive cybersecurity strategy in your organization.
Ensuring Compliance with the HIPAA Security Risk Assessment (SRA)
To ensure the HIPAA Security Rule is being followed by healthcare entities, the HIPAA security risk assessment (SRA) was created. The SRA is meant to:
- Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by a covered entity.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
In general, conducting an SRA helps your organization stay compliant with the administrative, physical, and technical safeguards listed above. A risk assessment also helps reveal areas where your organization’s protected health information could be at risk, which can provide a great starting point for better cybersecurity measures overall.
There are several methods of performing a risk analysis, and there is no single “best practice” that guarantees compliance with the Security Rule. However, regardless of how the SRA is performed, the assessment should include the following steps:
- Gather Information
The first step is to identify where your organization’s ePHI is stored, received, maintained, and transmitted. This may involve communicating with individuals responsible for certain systems and processes (like HIPAA Compliance Officers, IT, HR, etc.), reviewing documentation, or using other data-gathering techniques. The information about ePHI gathered using these methods must be documented.
- Analyze Threats, Security Measures, and Gaps
After gathering the necessary information, it is time to perform the “assessment” part of the process. This is where your organization will identify possible threats to ePHI, analyze the security measures currently in place and whether those measures are being used properly, and determine if there are gaps in your compliance. At this time, the SRA should also document the likelihood of each threat occurring and the impact it could have on the security of patient data. After the analysis is complete, you’ll need to start planning for remediation.
- Create a Plan for Remediation
When security gaps are discovered, you need to identify remediation items, or tasks that must be accomplished to address said gaps. By identifying these areas, creating a remediation plan to address the gaps, and then following through on that plan, you are considered HIPAA compliant. Keep in mind that you must document each area of your SRA, though there is not a specific format required for this documentation.
- Consistently Review and Update Your Security Practices
HIPAA compliance is a bit of a moving target, and your organization may not be perfectly HIPAA compliant 100 percent of the time. That is why consistent monitoring and assessment are important.
While it is encouraged to perform an SRA at least once a year, a truly integrated risk analysis and management process is performed whenever new technologies and business operations are introduced. For example, if your organization has experienced a security incident, has had a change in ownership or turnover in key staff, or is planning to incorporate new technology to make operations more efficient, the potential risks should be analyzed to ensure the ePHI is reasonably and appropriately protected.
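The four SRA steps above map naturally onto a small risk register. The following Python sketch is an added example, not part of this article or any Eide Bailly material: it inventories where ePHI flows (step 1), checks each system against the physical, technical, and administrative safeguards named earlier and scores unmitigated threats by likelihood times impact (step 2), derives a prioritized remediation list (step 3), and flags systems due for reassessment after a year or after a triggering event such as an incident, ownership change, staff turnover, or new technology (step 4). The safeguard identifiers, the 1–5 scoring scale, the system names, and the threats are all constructed for illustration; HIPAA prescribes no particular scoring scheme or documentation format.

```python
"""Risk-register sketch of the four SRA steps (gather, analyze, remediate, review).

Hypothetical example: the safeguard catalogue mirrors the categories named in
the article, but the scoring scale, system names and threats are constructed
and are not a regulatory standard.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Safeguards grouped by the Security Rule's three categories (identifiers are ours).
REQUIRED_SAFEGUARDS = {
    "physical": {"facility_access_control", "workstation_device_security"},
    "technical": {"access_control", "audit_control",
                  "integrity_control", "transmission_security"},
    "administrative": {"security_official", "information_access_management",
                       "workforce_training", "evaluation"},
}
# Events that should trigger a fresh analysis, in addition to the annual cycle.
REVIEW_TRIGGERS = {"security_incident", "ownership_change",
                   "key_staff_turnover", "new_technology"}
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Threat:
    name: str
    likelihood: int         # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int             # 1 (negligible) .. 5 (severe); assumed scale
    mitigated_by: set[str]  # safeguards that, together, close this threat

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class System:
    name: str
    ephi_flows: set[str]   # subset of {"stored", "received", "maintained", "transmitted"}
    safeguards: set[str]   # safeguards verified to be in place and in use
    last_assessed: date
    threats: list[Threat]


def ephi_locations(systems: list[System]) -> dict[str, list[str]]:
    """Step 1: which systems store, receive, maintain or transmit ePHI."""
    out: dict[str, list[str]] = {}
    for s in systems:
        for flow in s.ephi_flows:
            out.setdefault(flow, []).append(s.name)
    return {flow: sorted(names) for flow, names in out.items()}


def safeguard_gaps(system: System) -> dict[str, list[str]]:
    """Step 2a: required safeguards missing on this system, by category."""
    return {cat: sorted(req - system.safeguards)
            for cat, req in REQUIRED_SAFEGUARDS.items() if req - system.safeguards}


def unmitigated_threats(system: System) -> list[Threat]:
    """Step 2b: threats whose mitigating safeguards are not all in place, worst first."""
    open_threats = [t for t in system.threats if not t.mitigated_by <= system.safeguards]
    return sorted(open_threats, key=lambda t: t.score, reverse=True)


def remediation_plan(systems: list[System]) -> list[dict]:
    """Step 3: one item per (system, missing safeguard), ranked by the worst threat it closes."""
    best: dict[tuple[str, str], dict] = {}
    for s in systems:
        for t in unmitigated_threats(s):
            for sg in t.mitigated_by - s.safeguards:
                if (s.name, sg) not in best or t.score > best[(s.name, sg)]["priority"]:
                    best[(s.name, sg)] = {"system": s.name, "safeguard": sg,
                                          "priority": t.score, "threat": t.name}
    return sorted(best.values(), key=lambda i: (-i["priority"], i["system"], i["safeguard"]))


def review_due(system: System, today: date | str, events=()) -> tuple[bool, list[str]]:
    """Step 4: reassess after a year or after any triggering event."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    overdue = today - system.last_assessed > REVIEW_INTERVAL
    triggered = sorted(REVIEW_TRIGGERS & set(events))
    return overdue or bool(triggered), triggered


def sample_inventory() -> list[System]:
    """Constructed inventory for a fictional clinic (not real systems or data)."""
    ehr = System(
        name="ehr-db", ephi_flows={"stored", "maintained"},
        safeguards={"facility_access_control", "workstation_device_security",
                    "access_control", "integrity_control", "transmission_security",
                    "security_official", "information_access_management",
                    "workforce_training", "evaluation"},
        last_assessed=date(2023, 1, 15),
        threats=[Threat("staff read records outside their role", 3, 4,
                        {"access_control", "audit_control"}),
                 Threat("ransomware on the database host", 3, 5,
                        {"workstation_device_security", "evaluation"})])
    portal = System(
        name="patient-portal", ephi_flows={"received", "transmitted"},
        safeguards={"access_control", "audit_control", "security_official", "workforce_training"},
        last_assessed=date(2022, 11, 1),
        threats=[Threat("staff credentials phished", 4, 4,
                        {"workforce_training", "access_control"}),
                 Threat("ePHI intercepted in transit", 2, 5, {"transmission_security"})])
    return [ehr, portal]


if __name__ == "__main__":
    systems = sample_inventory()
    print("ePHI locations:", ephi_locations(systems))
    for s in systems:
        print(s.name, "gaps:", safeguard_gaps(s), "review:", review_due(s, "2023-12-01"))
    for item in remediation_plan(systems):
        print(f"[{item['priority']:>2}] {item['system']}: add {item['safeguard']} ({item['threat']})")
```

In the constructed data the EHR database lacks only audit control, which leaves the insider-misuse threat open (score 12), while the patient portal is missing transmission security and so leaves interception open (score 10); the remediation list orders those two items accordingly, and the portal, last assessed more than a year earlier, is flagged for review even without a triggering event. The point is that the register records what the SRA documentation must contain (where ePHI is, which safeguards are verified, likelihood and impact per threat, and what will be done about the gaps), not that any particular scoring is mandated.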
The Role of a HIPAA Security Officer
Selecting an individual to assist with your organization’s HIPAA compliance needs will be invaluable to ensuring the security of your data.
A HIPAA Security Officer can perform the following:
- Create a Compliance Charter: A compliance charter is a key document that outlines an organization's commitment to compliance, establishes the organization's compliance program, and helps to ensure that all employees understand their roles and responsibilities in maintaining compliance.
- Risk Assessment: Conduct a thorough assessment of the organization’s current cybersecurity, systems, processes, and policies to identify any potential vulnerabilities or non-compliance issues. A roadmap will be created based on the findings from the risk assessment.
- Policy Review: Review the organization's existing policies to ensure that they follow HIPAA regulations and work with the organization to ensure that the policies are consistent with the organization's culture, values, and goals. This can include reviewing the policies for completeness, accuracy, and consistency with the organization's operations and goals.
- Annual HIPAA Awareness Training: Annual training helps to protect the employer and employees by ensuring employees are refreshed on HIPAA regulations. This includes being aware of any policy changes that may have occurred since their last training session and staying knowledgeable about cybercrime and ways to protect against it.
- Monthly Awareness Emails: A monthly email about HIPAA security and regulation updates is a communication tool the organization can use to keep employees and other stakeholders informed about the latest developments in HIPAA security and regulation.
In addition to these foundational components, a HIPAA Security Officer can also perform add-on services such as policy creation, disaster recovery consultations, incident response planning, general IT services, vendor management, and more.
- You don’t need to hire a HIPAA Security Officer in-house. At Eide Bailly, we provide outsourced virtual HIPAA Security Officer services for organizations – like yours – to ensure they’re staying compliant with HIPAA regulations.
Making Compliance an Organizational Priority
As a healthcare entity, it is your responsibility to ensure that patient data is safe, secure, and protected against potential threats. Should you fail to comply with HIPAA’s Security Rule, you can face hefty fines, loss of employment, suspension of your medical license, or even jail time.
Seek professional assistance in conducting your SRA. Not only will this alleviate stress, but it will also ensure a more comprehensive analysis of your organization’s cybersecurity measures. Consulting with experienced advisors can help bring awareness to SRA compliance risks and assist your organization in creating a clear path forward.
Prioritizing the security of your patients’ data is critical. We can help you analyze and improve your security posture in alignment with HIPAA compliance and beyond.