Cybersecurity and HIPAA Compliance: A Comprehensive Guide for Healthcare Organizations

Introduction

It should come as no surprise that the healthcare sector is one of the favorite targets for cybercriminals and state-sponsored hackers. In fact, things like stolen medical records are worth far more on the black market than payment cards. The Health Insurance Portability and Accountability Act (HIPAA) was established to protect patient information, however understanding how it applies to cybersecurity is not always straightforward.

Since the inception of HIPAA, the cybersecurity environment has grown more complex. That’s why it’s essential to take every reasonable step to protect patient health information (PHI), both for the sake of your organization and your patients or clients.

Even healthcare organizations that are experts at HIPAA compliance may not be experts at HIPAA cybersecurity compliance. The first step towards formulating a HIPAA IT security policy is to determine which data you have access to, which systems it is stored in, and which controls are in place to protect it while in storage or in transit.

Conducting a HIPAA security risk assessment is one of the most important steps you can take towards ensuring your assets are safe from the myriad of threats out there. In fact, according to the HIPAA Security Rule, covered entities and their business associates are required to conduct a thorough risk analysis. This guide will explore who HIPPA compliance affects, what it entails and why it is imperative that HIPAA IT compliance is a priority for your business.

01

Overview of HIPAA IT Compliance for Healthcare Organizations

The Health Insurance Portability and Accountability Act (HIPAA) was formed to standardize the ways patient health information (PHI) is protected. One of the most important things your IT department should understand is how HIPAA compliance can affect your security procedures. Companies who are found to be out of compliance risk incurring hefty penalties. First, let’s take a step back to understand the history of HIPAA standards and how they have evolved.

HIPAA is a security standard that was introduced in 1996 to protect PHI (patient health information) and ePHI (electronic patient health information). Its purpose is to protect the private health information of a patient from being used and shared without that patient’s consent or knowledge. It’s possible to fail to comply with HIPAA standards even without a data breach occurring. If a data breach did happen, your company can face civil action lawsuits and criminal charges.

Healthcare providers and their IT partners, whether in-house or outsourced, should be knowledgeable about the key provisions of HIPAA. But that’s rarely the case for many healthcare organizations.

Advancements in technology have made it easier for cybercriminals and insider threats to steal, leak, and misuse electronic personal health information (ePHI). If your organization handles ePHI or works with other companies in the healthcare industry, it’s vital that you comply with the regulations of the HIPAA.

What Does HIPAA cover?

HIPAA protects many different forms of patient information. In particular, it highlights administrative, physical, and technical safeguards that covered entities and business associates must implement to ensure the safety of ePHI.

It’s important to pay attention to the entities HIPAA applies to. Covered entities include healthcare providers, medical insurance providers, and healthcare clearinghouses that store and transmit ePHI. Business associates, on the other hand, are organizations or individuals that have access to ePHI while working together with covered entities.

There are three types of safeguards that HIPAA specifies:

Essential Elements to Keep in Mind

One of the most challenging things about HIPAA standards is that they can often be vague when it comes to technical requirements — the legislation is now 25 years old. IT environments were very different back in the 90s, long before cloud and mobile computing was prevalent. Even in the last five years, technology has changed a great deal, and new threats to sensitive information are appearing every day. Because of this, healthcare IT teams, and any third parties they work with, must regularly audit their technology infrastructures to ensure that they meet the HIPAA compliance requirements.

HIPAA Essential Requirements

Here are some essential things that IT teams should actively consider:
Passwords

Passwords play an increasingly important role in protecting data. have long played a central role in protecting digital assets, but they are not enough by themselves. Social engineering scams are far less likely to succeed if your systems are protected behind multiple user verification levels.

Encryption

Encryption is of utmost importance. Unencrypted digital data is highly vulnerable to a breach, even if access to the device or user account storing or transmitting it is protected by multiple user verification layers.  Moreover, all online communication channels, such as instant messaging and telemedicine services, should have full end-to-end encryption enabled.

Disaster Recovery Plan

Every organization needs a disaster recovery plan in case of a breach or loss of data. The sudden and unexpected loss of healthcare data can be severely detrimental to patients. Organizations should backup all their data incrementally at regular intervals, and they should have at least three copies, including a copy stored in an off-site location.

It’s unfortunately the case that most data breaches aren’t discovered until months after they’ve occurred, which is usually long after the stolen data has ended up on the dark web markets. Fortunately, every digital activity leaves an auditable trail of data.

Covered entities and business associates who violate HIPAA regulations can face corrective action plans and financial penalties. The financial penalties are tiered and based on the level of culpability.

To prevent such fines, entities that require HIPAA compliance must ensure they have a solid and continually updated HIPAA compliance program. To be sure that your organization is prepare, begin preparing now. You’ll want to be sure to consider the following best practices to ensure readiness.

As you prepare to evaluate your organization’s readiness, you’ll want to be aware of the terminology surrounding HIPAA compliance, which can often be misleading. You may have heard the term HIPAA compliance certification — let’s take a closer look.
02

What Does the Term HIPAA Compliance Certification Really Mean?

There is no officially mandated HIPAA certification process or formal accreditation, though you may have heard the term HIPAA compliance certification. However, there are ways to implement HIPAA best practices to ensure your organization stays in compliance.

Even though there are no formal certifications, you can and should consider getting a third-party audit to ensure that your privacy and security practices match up with the HIPAA requirements. By informally becoming HIPAA-certified in this manner, you can validate your efforts to earn the trust of your clients or patients.

As digital transformation continues to drive change throughout the healthcare sector, there’s a clearer and greater need than ever for organizations to pay close attention to information security, privacy, and confidentiality. That’s where a third-party auditor can offer an advantage; IT experts are in step with digital changes that could affect your compliance.

Frequently Asked Questions

Healthcare information technology systems are a favorite target for cybercriminals. The sector is often viewed as an easy target with outdated systems and poorly trained employees. Moreover, medical records contain a wealth of valuable information to the point they’re worth much more on the dark web markets than stolen bank cards.

Since its inception in 1996, HIPAA seems to have led to more questions than answers. When HIPAA released its Privacy and Security Rules in 1999, the US Department of Health and Human Services (HHS) was flooded with questions and comments about it. There was much misunderstanding and confusion over the rules’ complexity and how they would operate.

Over the years, the HHS has provided more information about the privacy and security rules, however, questions about the requirements and regulations still remain. Here is a sampling of the most frequently asked questions that IT experts can help with:

The experts at Charles IT can answer these questions and guide you through any confusion about the compliance process.

IT professionals cannot rely on the legislation itself for detailed technical instructions for implementation, as technology is ever evolving. Informed IT experts follow standards like those provided by the National Institute of Standards and Technology (NIST).

HIPAA requires comprehensive documentation, which a third-party can help with. In some cases, the documentation itself serves as a certification. By documenting your compliance efforts, including your training programs and an up-to-date overview of your security and privacy controls, you can prove to HHS auditors, as well as your clients and patients, that you take compliance seriously.

03

Benefits of a HIPAA Risk Assessment

One of the most important features of the HIPAA security rule is that covered entities and business associates must carry out periodic HIPAA risk assessments to determine their vulnerabilities and the threats that face them. Even though HIPAA IT security requirements might be fairly vague, due partly to the fact the law was introduced in 1996, a risk assessment should ideally follow the standards and guidelines laid out by NIST.

The Department of Health and Human Services (HHS) defines a HIPAA risk assessment as

an accurate and thorough analysis of potential risks and vulnerabilities concerning the confidentiality, integrity, and availability of protected health information (PHI), either in physical or digital form. It applies to covered entities, which include healthcare providers, health plan providers, and clearinghouses. On top of that, anyone who handles PHI on behalf of a covered entity must also conduct periodic risk assessments and be fully compliant in the capacity of a business associate.

You can’t protect against what you don’t know, which is why the first and most important part of conducting a HIPAA risk assessment is learning where your vulnerabilities lie.

This is not as simple as it sounds. HIPAA compliance can be very complex, especially given the rapid pace of digital innovation across the healthcare sector. Many employees now work from home and on the move, using their phones to access sensitive information stored in the cloud, while medical facilities are adopting internet-connected smart devices to assist with patient care. Every single one of these systems and devices needs to be properly secured, and given just how many connected devices there now are in the average organization, this can be complicated. That’s why it can help enormously to obtain the help of an experienced third-party auditor to identify the risks and vulnerabilities, and remediate accordingly.

What should you expect from a HIPAA Security Risk Assessment?

A HIPAA Security Risk Assessment will closely examine how your controls and procedures align with established standards.

The US Department of Health and Human Services (HHS), that oversees HIPAA compliance, recommends following the globally recognized SP 800-30 standard. Published and regularly updated by the National Institute of Standards and Technology (NIST), the standard details all the necessary steps you should take to ensure your assets are protected.

A HIPAA Security Risk Assessment should incorporate the following:
Determine the scope of the assessment
Identify potential network vulnerabilities
Quantifying the potential impact of a breach
Finalize your risk assessment documentation
Testing, reviewing and updating your security
Without a thorough risk analysis, vulnerabilities can go unnoticed and worsen over time, which can put patient information in jeopardy. Also, organizations that have not performed a risk analysis can face serious financial penalties. This is especially problematic when you consider that many violations are unintentional.

Unintentional HIPAA Violations to Avoid

HIPAA’S Breach Notification Rule requires covered entities and their business associates to notify patients in case their PHI is impermissibly disclosed or used. However, not all impermissible disclosure or use of PHI qualifies as a reportable breach.

They must investigate whether the accidental release of PHI should be reported to the Department of Health and Human Services of the Office of Civil Rights (OCR), and they must do so within the prescribed period. Note that not all breach incidents should be reported to the OCR.

Ultimately, HIPAA violations may still occur for various reasons, such as due to staff’s lack of knowledge or simply because some people aren’t aware that they’re committing a violation. Here are examples of unintentional HIPAA violations for which the lack of guidelines on patient data protection and workplace etiquette could prove detrimental:

How Much Can Violations Cost Your Business?

HIPAA violations are divided into four categories depending on their severity, the length of time elapsed before corrective actions were taken, or if there are multiple areas of noncompliance.

These violations can cost up to several millions of dollars or may be only a few thousand dollars. In addition to paying fines, healthcare professionals can also face criminal charges for stealing ePHI for financial gain and wrongful exposure of ePHI with the intent to cause harm. The criminal penalties for HIPAA violations are categorized into three tiers, and violators are prosecuted by the Department of Justice.

04

Getting Help with HIPAA Compliance

If you are looking for a HIPAA compliance expert, you’ll no doubt discover that there are plenty of options in the market. However, finding the right provider is crucial. It’s essential to choose one that can keep up with your organization’s unique demands and help you streamline IT cybersecurity processes, prevent data breaches, and avoid sanctions. As you search for the right HIPAA IT support, don’t forget to keep these things in mind.

It may seem like most of the responsibilities regarding healthcare IT fall on the shoulders of the IT experts, but upholding HIPAA and/or state standards of patient data protection is essentially a shared responsibility. This is why you must choose a HIPAA compliance expert that is easy to collaborate with. Work with experts who can explain concepts in a way that your healthcare staff can understand and follow.

One of the most important things to understand is making sure you are on a HIPAA compliant cloud.

What is a HIPAA Compliant Cloud?
To be sure your organization is in compliance, you’ll want to be sure you are taking all the right precautions, and one crucial thing to evaluate is your cloud. It’s hard to imagine any modern healthcare operator not making use out of cloud storage these days. The benefits of being accessible from any device in any location cannot be understated, but easier accessibility to legitimate employees and patients might also mean making things easier for cybercriminals too. Fortunately, there are many ways to mitigate these risks without having to sacrifice usability and accessibility.

1. Cloud Storage

When HIPAA became enshrined in federal law in 1996, cloud storage was practically unheard of, and even the internet itself was very much a novelty compared to what it is today. As such, there is no such thing as a HIPAA-compliant cloud in terms of what’s defined by law. However, there are HIPAA-compliant online storage services, such as Google Cloud for Business, which thousands of healthcare providers and their business associates across the country use every day. That said, there are certain steps you need to take to ensure compliance whenever you’re adopting any new technology in your workplace – and cloud storage is no exception.

2. Backup and Disaster Recovery

Backup and disaster recovery should be incorporated into cloud migration strategies to ensure compliance with HIPAA’s rules on data integrity and accessibility. Ideally, you should have at least three off-site backups of your data, updated automatically and in real time. There is also still a strong case for storing a copy of your patient records and other data locally, for easy access in cases where you lose your internet connection.

3. Compliance Training

No cloud-hosted storage service can be truly HIPAA-compliant by itself. Compliance depends primarily on the actions of people, although there are certain technical measures that need to be applied too, such as data encryption. A HIPAA-compliant storage service should provide the functions necessary to protect the integrity, confidentiality, privacy, and security of data, but it is up to the user to apply them. In other words, the service providers typically rely on a shared responsibility model, but it is essential that you understand who is responsible for what. This is just one reason why training is so important.

HIPAA Compliance Training

One often overlooked element of HIPAA compliance is training. Any person or institution with access to PHI is required by law to undergo HIPAA compliance training to ensure the security and confidentiality of PHI. In developing your healthcare organization’s HIPAA compliance training program, include critical points such as how to keep covered entities and business associates up to date with any changes in HIPAA regulations and requirements.

PHI contains confidential information that cybercriminals or malicious insiders can use to commit identity theft, fraud, extortion, or sell on the dark web. Unfortunately, many healthcare professionals and third-party providers fail to realize the many ways they may be committing a HIPAA violation such as by talking to someone out of their organization about a patient or posting any work-related content on social media.

This is why healthcare organizations must do everything they can to ensure that their staff are well-trained on how to handle PHI, specifically how, when, and where PHI should be used and disclosed. By having a well-developed compliance training program, your organization can fulfill the requirements of the law and ensure a smooth-running healthcare business.

The shift to remote work due to the COVID-19 pandemic has resulted in operational and compliance-related difficulties. And although the OCR has temporarily suspended penalties for noncompliance with HIPAA rules regarding telehealth communications, compliance difficulties persist. Moreover, hospitals and small- and medium-sized healthcare practices remain an attractive target for hackers.

Every employee needs to undergo HIPAA security awareness training to prevent violations. They must be trained on basic cybersecurity awareness topics, including identifying phishing scams, creating strong passwords, observing physical security measures, and dealing with a potential breach, to name a few.

Even with the best training, it’s important to remember that HIPAA compliance is an ongoing endeavor.

05

Staying HIPAA Compliant Today and Beyond

Today’s climate brings specific new challenges to remaining HIPAA compliant. Telehealth is the practice of using electronic communication and information technology to deliver health-related information, education, and care services. Healthcare practitioners have been using telehealth technology for years, but the recent rapid increase in usage can be attributed to the pandemic.

In fact, the number of patients using telehealth services rose by more than 11,718% between March and April 2020.

But while the HIPAA rules are clear, the Notification of Enforcement Discretion for Telehealth Remote Communications issued by the Office for Civil Rights (OCR) in March 2020 complicates matters. This notice stipulates that if a healthcare provider is offering telehealth services in good faith, the OCR will not impose penalties for entities that may violate HIPAA’s privacy, security, and breach notification rules

While the increasing digitization of the healthcare sector introduces massive and far-reaching benefits to patient care and public health overall, there are still plenty of challenges along the path to digital transformation. Among these are the pervasive threats of data breaches, where healthcare is a favorite target for cybercriminals and state-sponsored hackers alike. Assuring privacy and security in the digital age is one of the biggest HIPAA compliance challenges of all. Here are some of the most common industry trends to keep in mind:

Considering all that HIPAA compliance encompasses, it’s good to evaluate where you stand.
How Does Your Business Measure Up?
As the digital transformation of healthcare continues to gain ground, adherence to the health insurance portability and accountability act (HIPAA) is more important than ever. The threats are real, and healthcare is a top target for attackers, so it’s never too soon to reevaluate your compliance posture. Here are the main elements of your security program that you’ll need to evaluate to maintain compliance:

Technical Safeguards

Technical safeguards refer to the technical controls used to protect electronic protected health information (ePHI). 

Physical Safeguards

With today’s cloud-based and virtualized computing infrastructures, it is often difficult to figure out exactly where your data physically resides. However, you still need to know where your data lives in order to ensure the systems storing it are secure from physical theft or damage.

Administrative Safeguards

Administrative safeguards refer to the various policies and procedures implemented to ensure the safety and privacy of ePHI. These require oversight from a dedicated security and privacy officer, who will also be responsible for enforcing the correct conduct of their workforces.

Every organization within the healthcare sector, including their suppliers, is legally obliged to take every reasonable step to safeguard the confidentiality, security, and integrity of protected health information (PHI) according to the health insurance portability and accountability act.

While the need for patient privacy should be obvious, implementing the right administrative, technical, and physical controls isn’t always easy. After all, healthcare IT is changing all the time, and no two technology or operational environments look the same. This is why HIPAA is intentionally vague and broad in scope. As such, covered entities and business associates should adhere to the latest standards of information security and privacy and reevaluate their compliance on a regular basis.

Organizations now need to shift their attention towards protecting remote workers and facilitating telemedicine, while still adhering to the demands of compliance as best they can.

HIPAA Moving Forward
Here are some areas that companies can focus on to ensure HIPAA compliance in this new era:
Securing remote workforces
Protecting connected devices
Facilitating safe telemedicine
Adapting to new security threats
Training and educating employees
New and Proposed HIPAA Regulations: What to Expect

It’s been several years since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was last updated, with the most recent changes being those pertaining to the Omnibus Rule in 2013.

But since then, various issues have arisen alongside changes in working practices and the advancement of technology. Now, we are at a point when steps must be taken to update HIPAA regulations so these issues can be addressed more effectively.

The Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking in December 2020 outlining new and proposed changes to the HIPAA regulations.

The HHS can modify HIPAA regulations that are no longer viable because of new technology and practices or those that are proving to be problematic.

To do so, the HHS first considers comments and suggestions from healthcare providers before submitting a notice of proposed rulemaking. This is followed by a 60-day comment period in which covered entities and stakeholders provide their feedback. Only after careful consideration will a final version of a rule be issued. Healthcare institutions are then given time to make the necessary adjustments to their security policies before the new rule is released and becomes mandatory.

To ensure your organization complies with HIPAA standards today and in the future, you’ll want to partner with a reliable managed IT services provider.

Conclusion

As cybercriminal’s methods continually evolve, so must your IT security plan. Working with an organization that is experienced with HIPAA IT compliance is your best defense against the increasing and ongoing threats.

Healthcare practices face increasingly greater pressure to provide excellent quality care and comply with the stringent data privacy rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The good news is that your healthcare practice can avoid violating rules and having to pay fines by consulting with an IT service provider who is well versed in HIPAA compliance.

A HIPAA security risk assessment is an essential component of achieving and maintaining full compliance with the federal law. Every covered entity and business associate should conduct periodic risk assessments, including whenever they make significant changes to operational or technology infrastructure.

To ensure your organization complies with HIPAA standards, partner with a reliable managed IT services provider like Charles IT. Our HIPAA security risk assessment will pinpoint compliance risks in your infrastructure and provide you with options on how to address them. Call us today to learn more.

Save it for later. Download the PDF version of this ebook!