How to Secure Healthcare Data
HIPAA-regulated entities must ensure that protected health information (PHI) is safeguarded against unauthorized access, but many covered entities and business associates do not know how to secure healthcare data properly and leave sensitive information exposed.
The HIPAA Security Rule
The HIPAA Security Rule established national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by HIPAA-covered entities and their business associates. The Security Rule requires appropriate administrative, physical, and technical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI. All regulated entities must assess security risks throughout their organization, implement a range of different safeguards to protect against unauthorized ePHI access, and ensure all risks are reduced to a low and acceptable level.
How to Protect Healthcare Data and Comply with HIPAA
The HIPAA Security Rule was developed to be flexible to ensure that it applies to covered entities of all types and sizes and includes required implementation specifications that must be implemented by all regulated entities, and addressable implementation specifications, which require an assessment to determine if the specification is reasonable and appropriate. If not, the Security Rule permits an alternative mechanism to be implemented to meet the standard addressed by that specification.
Administrative Safeguards
Administrative safeguards under HIPAA are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.”
Administrative safeguards include security management processes to prevent, detect, contain, and correct security violations. These include a comprehensive, organization-wide risk analysis to identify all risks and vulnerabilities to ePHI, risk management processes to reduce risks and vulnerabilities to a low and acceptable level, a sanctions policy, and information system activity reviews.
Staff members must be assigned responsibility for security, policies and procedures must be implemented to ensure workforce security, and a security awareness and training program is required for all members of the workforce. Administrative safeguards also include authorization, supervision, information access management, and contingency planning.
Physical Safeguards
HIPAA defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Physical safeguards include facility access controls to restrict access to physical PHI and electronic systems where ePHI is stored, contingency operations, facility security plans, access controls and validation procedures, and maintenance records.
Physical safeguards are required for workstation use and workstation security, with policies and procedures implemented to ensure that job functions can be performed in a secure way, prevent inappropriate use of computers, and restrict access to authorized users. Device and media controls should be implemented that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of the devices within the facility.
Technical Safeguards
HIPAA defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguards include hardware, software, and other technology that protects and limits access to ePHI through access controls, audit controls, integrity controls, authentication, and transmission security.
Access controls are required to restrict access to ePHI to authorized individuals only, audit controls are necessary for monitoring activity on systems containing ePHI, integrity controls prevent the improper alteration or destruction of ePHI, and transmission security ensures that ePHI is protected when it is transmitted over an electronic network.
The HIPAA Security Rule does not specify the specific technologies that should be used to secure healthcare data and restrict access. HIPAA-regulated entities have the flexibility to implement security measures to comply with each standard and achieve its objectives. The HHS Security Series provides guidance on the administrative safeguards, physical safeguards, and the technical safeguards of the HIPAA Security Rule.
The Insider Threat Problem in Healthcare
Security Rule compliance requires ePHI to be safeguarded to ensure its confidentiality, integrity, and availability, and many of the implementation specifications are concerned with preventing access to ePHI by unauthorized third parties; however, threats can also originate from within an organization. Employees, contractors, interns, and other staff members can be just as dangerous as outside actors; in fact, some of the most damaging incidents have been caused by insiders.
According to Verizon’s Data Breach Investigations Report (DBIR), insider incidents are on the rise. For several years, healthcare was the only industry where insiders caused more breaches than external actors. While the situation is improving, the 2023 DBIR indicates 35% of healthcare data breaches were caused by insiders.
Insider threats take many forms and include careless and negligent workers, where there is no conscious decision to act inappropriately. Disgruntled employees pose a significant threat and perform deliberate actions to cause harm to their organization. Malicious insiders abuse their privileges for personal or financial gain, and threat actors often recruit or coerce individuals into stealing data or performing other actions such as installing malware. Insider threats are one of the biggest security challenges to address in healthcare. Insiders usually have legitimate access to ePHI and knowledge of internal systems and data locations, and their actions can be difficult to identify because cybersecurity solutions such as intrusion detection systems are primarily focused on detecting and blocking external threats.
Securing healthcare data against insider threats and detecting insider threats promptly requires a combination of measures including security policies, screening of new hires, user activity monitoring, logging, auditing, incident detection and response, user and entity behavior analytics, and employee education. Malicious insider threats are far less common than negligent and careless employees, which often cause the most harm. Accidental data leaks and employee errors are by far the largest risk and cause the most data breaches. Oftentimes, these incidents are the result of unclear security policies, employees’ lack of awareness of policies, and a failure to provide security awareness training. Improving education is vital in combating these incidents. Security policies should be easy to understand, security awareness training should be provided regularly, and employees must be made aware of the HIPAA Rules and the sanctions policy for violations.
Risk can be reduced through administrative safeguards, such as ensuring employees have appropriate access rights to ePHI and systems containing ePHI. Audits should be performed of access rights to check who has access to data and systems, and to ensure that the rights are appropriate. Detecting incidents quickly is vital. One of the reasons why insider breaches are so harmful is that they often go undetected for long periods. Having the right software in place is critical in this regard. For instance, Safetica offers a software solution for healthcare organizations that can help with the discovery of ePHI, restrict whether data can be shared with third parties, control and monitor employee access to ePHI, and rapidly detect unauthorized access and employee errors that may expose ePHI, providing insider threat and data leak protection. Safetica can limit file operations with personal information and ePHI, such as uploading, copying, printing, and even taking screenshots, all of which feature in the list of common HIPAA violations. Without systems in place to manage ePHI, unauthorized access to medical records can persist for years without detection. According to Safetica CTO Zbyněk Sopuch, “One of the key use cases of utilising data loss prevention tools like Safetica in healthcare settings is to ensure that access to sensitive ePHI is given only to the right personnel by monitoring and controlling the flow of data, preventing unauthorised access while safeguarding sensitive information and staying in compliance with HIPAA regulations.” Systems like Safetica provide immediate alerts for data security incidents. Real-time alerts have been found to reduce repeat offences by staff by 95%.
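The audit controls, access-rights review, and insider-threat detection described above come together in an information system activity review. The following is an added illustration, not code from HIPAA Journal or from Safetica: it parses constructed ePHI access audit records (a made-up line format) against an assumed table of treatment relationships and flags access with no documented relationship, bulk exports, and after-hours activity, the three patterns a reviewer would want surfaced first.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample ePHI access audit records (not from any real system):
# timestamp, user, role, action, patient_id
AUDIT_LOG = """\
2024-03-04T09:12:01 nurse_amy nurse VIEW P1001
2024-03-04T09:15:43 nurse_amy nurse VIEW P1002
2024-03-04T10:02:11 dr_lee physician VIEW P1001
2024-03-04T10:05:50 dr_lee physician UPDATE P1001
2024-03-04T23:41:07 clerk_bob billing VIEW P1003
2024-03-04T23:42:19 clerk_bob billing EXPORT P1004
2024-03-04T23:43:02 clerk_bob billing EXPORT P1005
2024-03-04T23:44:55 clerk_bob billing EXPORT P1006
2024-03-04T23:45:30 clerk_bob billing EXPORT P1007
"""
# Assumed (constructed) treatment/business relationships: the patients each
# user has a legitimate, minimum-necessary reason to access.
ASSIGNMENTS = {"nurse_amy": {"P1001", "P1002"}, "dr_lee": {"P1001"}, "clerk_bob": {"P1003"}}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (VIEW|UPDATE|EXPORT|PRINT) (P\d+)$")

def parse_audit_log(text):
    """Parse one record per line; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, role, action, patient = m.groups()
            records.append({"ts": datetime.fromisoformat(ts), "user": user,
                            "role": role, "action": action, "patient": patient})
    return records

def review_activity(records, assignments, bulk_threshold=3, night=(20, 6)):
    """Return (user, finding, detail) tuples for an information system activity review."""
    findings, per_user = [], defaultdict(list)
    for r in records:
        per_user[r["user"]].append(r)
        # Access to a patient with no documented relationship: possible snooping.
        if r["patient"] not in assignments.get(r["user"], set()):
            findings.append((r["user"], "NO_RELATIONSHIP", r["patient"]))
    for user, recs in per_user.items():
        exports = sum(r["action"] == "EXPORT" for r in recs)
        if exports >= bulk_threshold:  # bulk export is a common data-leak precursor
            findings.append((user, "BULK_EXPORT", exports))
        late = sum(r["ts"].hour >= night[0] or r["ts"].hour < night[1] for r in recs)
        if late:  # activity outside normal working hours
            findings.append((user, "AFTER_HOURS", late))
    return findings
```

Thresholds and working hours are placeholders; in practice they are set per role from a baseline, and each finding should feed the incident response and sanctions processes rather than just a report.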
Securing healthcare data is complex and involves implementing robust encryption protocols, strict access controls, regular security audits, up-to-date software patching, comprehensive staff training in data handling and privacy regulations, utilizing strong authentication methods, employing intrusion detection systems, and maintaining physical security measures to prevent unauthorized access or breaches and ensure the confidentiality, integrity, and availability of sensitive patient information.
The post How to Secure Healthcare Data appeared first on HIPAA Journal.