HIPAA regulations have pulled the rug out from under healthcare organizations across the country, exposing some major cracks in the foundation of healthcare data security processes.
Protecting patient data in a world of electronic health records and mobile workers was never going to be a walk in the park. However, meeting the complex (and often vague) requirements of HIPAA can seem like an insurmountable challenge, with information flowing across numerous interrelated and interdependent healthcare institutions, service providers, insurers and patients. Every day data moves between doctors and nurses inside the hospital, outsourced diagnostic services, pharmacies, labs, billing services, insurers, business associates, community nurses, home healthcare providers, rehab centers, clinics … the list goes on. Electronic patient information is communicated via LAN, WAN and through all forms of wireless devices, from laptops to smartphones to specialized handheld medical information devices.
HIPAA makes you accountable for all of this. Daunting, isn't it?
Penalties for non-compliance can be devastating to an organization, and we have all seen the headlines. In cases of "willful neglect," the penalty is at least $50,000 per violation, up to a total of $1.5 million per calendar year for violations of the same provision. Other breach-related costs include discovery and containment, forensic investigation, remediation, legal fees, loss of patient confidence, lost revenue, reputational damage, job losses and so on. Compliance is a serious responsibility on many levels.
In this new punitive landscape, where should a healthcare organization begin?
Conducting a security risk assessment (SRA) is a good place to start. For one, a risk analysis is a required implementation specification of the HIPAA Security Rule, and a risk assessment is also what the Breach Notification Rule relies on to decide whether an incident involving PHI must be reported. HIPAA requires covered entities and business associates that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place and to identify potential weaknesses in their security policies, processes and systems.
In fact, the Department of Health and Human Services has released a free HIPAA SRA tool to help healthcare providers assess their organizations and identify administrative, physical or technical security gaps. While the tool can be a strong compliance benchmark, some elements are complex, and there is a concern that some questions could be interpreted subjectively, leaving an organization at risk of inadvertent non-compliance.
Whether or not you use the HIPAA SRA tool, a security risk assessment is essential. Each organization has a unique set of requirements, processes and partner relationships to consider.
A layered approach to compliance
According to the HHS, "Security is not a one-time project, but rather an ongoing, dynamic process." Healthcare IT must constantly review and adapt security processes and technologies to ensure protection in an ever-evolving threat landscape. Cybercriminals today are working as hard to build ladders as IT teams are working to build walls.
Covered entities and business associates must consider several factors, including:
- Identifying information that is considered PHI under statute;
- Protecting information from exposure while still providing the highest level of patient care;
- Extending information access and policy enforcement beyond the organization to partners, service providers and suppliers that support the healthcare provider;
- Selecting and deploying security controls that meet HIPAA requirements;
- Regularly auditing the status of those controls to ensure continuous protection of PHI and the EHR and ongoing compliance; and
- Developing a breach response plan.
HIPAA regulations do not mandate specific security technologies. Instead, the Security Rule is technology-neutral: its standards and implementation specifications (some "required," others "addressable") describe what must be achieved and leave each healthcare organization the flexibility to select controls that suit its size, risk profile and environment.
That solution should always take a layered approach. Layering security technologies means that if one control is bypassed or breached, another layer is in place to compensate. Encryption on the endpoint is a good example: it is a key control in its own right, and it is also the basis of the breach notification "safe harbor." PHI that is encrypted in line with HHS guidance is not considered "unsecured" PHI, so the loss of an encrypted device does not trigger notification, provided the decryption key was not compromised along with it.
But can healthcare organizations afford to put all their eggs in the encryption basket? Last year, 78 percent of breached healthcare records were attributed to lost or stolen endpoints, many of which were unencrypted, whether through oversight or by deliberate choice.
A persistent endpoint solution complements encryption well, because it can help healthcare organizations both maintain and demonstrate compliance with key HIPAA security requirements. If a healthcare provider's IT department has a persistent connection to every managed device, on and off the corporate network, it can remain in control of that device and its data, and show after the fact what protections were in place, even when the device is in the hands of an unauthorized user.
Some organizations, such as Cigna HealthSpring, extend their persistent endpoint solutions to their partners so that patient information remains under control throughout its lifecycle, not just while it sits inside the provider's own walls.
Comprehensive security solutions offer the flexibility to take an adaptive approach to lifecycle security, risk assessment and risk response. Some vendors also offer healthcare-specific investigation services to help IT teams respond to a data breach and determine whether, and by when, breach notifications are required.
Take the time to conduct a security risk assessment and choose technology solutions that are persistent, adaptive and customizable to give you the best possible chance to defend against cybercriminals and protect against HIPAA non-compliance.
As legal counsel and HIPAA Compliance Officer to the Investigations Section and Recovery Services Department of Absolute Software, Stephen Treglia oversees the worldwide department staff of more than 40 investigators and data analysts. He recently concluded a 30-year career as a prosecutor in New York, having created and supervised one of the world's first computer crime units from 1997-2010. Stephen is a renowned nationwide lecturer, teacher and writer on a variety of legal topics.