It has grown more challenging to protect patient privacy and secure sensitive data under HIPAA (Health Insurance Portability and Accountability Act) as the volume and persistence of cyber attacks have increased in recent years. Healthcare institutions often have vast databases of sensitive information such as credentials and credit card data that cyber criminals seek to monetize and sell on the dark web. Threat actors use advanced threats like Zero-day attacks to target healthcare organizations, using ransomware like Emotet and Locky to spread and infect other systems. HIPAA outlines requirements for healthcare organizations and their supply chain partners to follow in areas such as risk management, security incident handling and investigation, log monitoring, encryption, and security awareness training. These ever-increasing HIPAA mandates create challenges for healthcare providers, health plans, and healthcare clearing houses to stay current and compliant with healthcare mandates.
HIPAA Compliance Considerations
The 700,000 + healthcare provider and payor organizations in the United States face a myriad of compliance and security mandates that represent a sizable target for threat actors to exploit. It is crucial for IT Pros to understand the following compliance facts and security criteria if they plan to, or already support, healthcare organizations that are covered by the privacy and cybersecurity aspects of HIPAA:
- Understand the definition of PHI
Penalties are assessed for leaks of Protected Health Information (PHI). PHI/ePHI includes any information that identifies an individual and relates to at least one of the following:
- The individual’s past, present, or future physical or mental health
- The provision of healthcare to the individual
- The past, present, and future payment for healthcare
Disclosure of PHI/ePHI due to careless mistakes or willful neglect are violations of HIPAA compliance regulations.
- Security is everyone’s job
Everyone across the healthcare ecosystem is responsible for safeguarding PHI/ePHI, from employees, executives, and clinicians, to supply chain partners. Organizations in the healthcare ecosystem such as attorneys, data service providers, billing agents, and Managed Security Service Providers (MSSPs) are also responsible for maintaining healthcare privacy and security. These healthcare supply chain partners may have access to confidential healthcare information; HIPAA governs data leakage whether intentional or inadvertent. Security awareness training can also educate employees and executives alike to the importance of data security and ever-changing cybersecurity threats. In addition, a HIPAA best practice for business associates is to limit access to PHI data only to those with a specific “need to know” to reduce the attack surface and propagation of sensitive healthcare and patient information.
- Insider threats constitute a big risk
Healthcare is the only industry where insider threats outnumber external threats, according to the Verizon Data Breach Investigations Report 2019. An insider threat is an organizational risk that flows from employees, former employees, contractors, and supply chain partners. Because insiders often have access to sensitive data, have direct knowledge about computer systems, and know where security gaps may exist, these insider threats are considered some of the most challenging to detect and mitigate. A Security Information and Event Management (SIEM) solution that includes User and Entity Behavior Analytics (UEBA) enables anomalous behavior detection against these insidious insider threats.
- A SIEM can simplify HIPAA compliance
HIPAA compliance need not be difficult and time-consuming. System logs provide evidence of anomalous events but are co-mingled with millions of other routine audit logs. A SIEM solution centralizes collection, real-time analysis, and storage of logs that can detect and pinpoint advanced threats. IT organizations large and small can add SIEM software or even a managed SIEM solution to enhance compliance reporting and better prepare for an audit. EventTracker SIEM is a world-class SIEM that includes pre-defined reports for compliance frameworks including HIPAA and many other frameworks. In addition, the absence of SIEM technology has been regularly shown as a glaring weakness in data breaches post-mortem.
- The cost of non-compliance can be sizable
In 2018, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) issued 11 penalties for HIPPA non-compliance totaling over $23 million. They assessed fines for both data breaches as well as the lack of required Business Agreements (BAs) with supply chain partners. The average fine totaled $500,000, which is a vast sum to a small and medium-sized healthcare providers or associated businesses. In addition to the financial penalties, other impacts include lost internal productivity, negative publicity, and a decrease in patient loyalty. The OCR is using these penalties to send a message to the entire healthcare community that healthcare data and privacy gaps are typically preventable.
- HIPAA compliance requires people, processes, and technology
The first step in HIPAA compliance is to understand an organization’s unique risks and how these risks can be exploited, as well as remediated.A holistic approach is needed to assess the threats specific to the healthcare industry. In addition to security technology, human expertise and processes are crucial to monitor network systems and create actionable information regarding routine events and suspicious activities worthy of further investigation. Many healthcare organizations lack the IT and security staff and expertise to detect and stop the industry’s data breaches. For example, EventTracker SIEMphonic is a co-managed security solution supported by an ISO certified 24/7 Security Operations Center (SOC), that delivers and orchestrates all the critical security capabilities needed to predict, prevent, detect, and respond to security incidents.
- Compliance is the starting point
Although HIPAA compliance can be complicated and necessitates time and planning to implement, it remains your starting point. Just as threat actors are evolving, cybersecurity and data privacy practices must continue to adapt and improve. Modern threats require modern threat mitigation technology and practices. IT and security pro’s alike must stay informed and educated about current and considered compliance mandates and enhancements such as the possible HIPAA changes that the US Health and Human Services (HHS) department announced for 2019 with implementation anticipated in 2020.
Defend Against Healthcare Threats
EventTracker SIEM provides solutions to help both healthcare providers and payers improve security, simplify compliance, and protect sensitive patient data. Ensure your organization has the people, processes, and technology to remain vigilant to the healthcare sector’s ever-increasing threats.