How to Reach Compliance with HIPAA

The Security Rule doesn’t dictate which security measures are used, as long as they are effective. However, it does require three standards of implementation, also known as safeguards:

  • Administrative: A risk analysis is required to determine what security measures are needed for your organization. This should be an ongoing process.
  • Physical: This refers to the security of the offices where e-PHI may be stored. The security measures must include facility access and control measures and workstation and device security.
  • Technical: Measures, like firewalls, encryption, and data backup, are used to keep e-PHI secure and the safeguards must consist of access controls, audit controls, integrity controls, and transmission security.

According to the 2022 SonicWall Cyber Threat Report, healthcare continued to see a large spike in malware in 2021, at 121%. The largest jump in IoT malware attacks belonged to healthcare, which saw a 71% year-over-year increase.

To shed light on the significance malware can carry, it’s important to look at how recent breaches could have been avoided by abiding by the HIPAA rules and safeguards.

In May 2021, more than 205,000 patients of RMCHCS were notified of attempted data extortion that forced the hospital into electronic health record (EHR) downtime. RMCHCS fell victim to an attack launched by Conti, a ransomware hacking group that actively targeted the healthcare industry throughout 2020.

It was later determined that Conti actors exfiltrated data, including social security numbers, passports, and patients’ protected health information (PHI), from the system for approximately two weeks from January 21 to February 5. RMCHCS reported they notified law enforcement immediately, but they didn’t start sending out notices until the end of April, which is cause for concern.

Since this was a ransomware attack, there is a clear lack of technical safeguards and regular risk assessments. While RMCHCS did notify patients of the breach, the lack of timeliness further compromises personal security and the integrity of the e-PHI. Patients should have been notified in a timely manner so they could close or alter their charts, update online portal or banking information, or request a new passport.

OneTouchPoint, a Hartland, Wisconsin mailing and printing vendor, fell victim to a ransomware attack on April 28, 2022. Over 2.6 million individuals across at least 34 organizations were impacted by the breach.

It was discovered that OneTouchPoint’s servers were compromised just a single day earlier, leaving sensitive data at risk. Over six weeks later, OneTouchPoint disclosed that the files contained customer data alongside sensitive information of current and former employees. This included names and addresses of customers and employees, subscriber and healthcare member IDs, as well as diagnoses and medications of clients. This has led many of OneTouchPoint’s customers to offer credit monitoring and identity theft protection services to their members at their own cost.

At least one class action lawsuit has been filed against OneTouchPoint over the data breach.

Why this matters to you

As discussed, the CISO plays a crucial role in ensuring your organization meets the HIPAA requirements. The following best practices can help you achieve compliance.

1. Understand the HIPAA Rules

The HIPAA Privacy Rule dictates how PHI can be used and disclosed in the healthcare sector. An overview of the rule gives you insight into patients’ rights, including the right to access their medical records and to request corrections.

The HIPAA Security Rule provides you with the technical, physical, and administrative safeguards needed to protect customer PHI.

The HIPAA Breach Notification Rule requires that patients, the media, and the US Department of Health and Human Services (HHS) be notified if a data breach occurs.

2. Conduct a Risk Assessment

This involves identifying all the PHI your organization collects, processes, and stores. Your risk assessment should also identify your organization’s vulnerabilities that could put PHI at risk. This includes known internal or external cyber threats, theft or loss of physical devices, and your organization’s likelihood of an attack based on your Cyber Risk Index.

3. Implement Policies and Procedures

Based on your risk assessment results, develop and implement policies and procedures that address each risk identified. This includes areas such as access control, data backup and recovery, incident response, and security awareness training for employees. Review and update these policies and procedures regularly to ensure they remain relevant.

4. Train Employees

Ensure your employees are updated on your organization’s policies and procedures. All employees who handle PHI must be aware of how to safeguard PHI and recognize the consequences of non-compliance. Regular security awareness training is necessary to ensure employees stay current with the latest threats and are familiar with best practices for protecting PHI.

5. Monitor and Audit

Frequently review your organization’s security measures, undergo penetration testing, and perform vulnerability assessments. This will keep you and your teams up to speed on emerging risks or threats to PHI and how to properly handle a breach. Regular auditing is key to staying compliant and prepared.

Consistent compliance with Trend Micro Cloud One™ – Conformity

Conformity helps organizations understand their level of HIPAA compliance. This is due to real-time, automated service scans that are run against hundreds of compliance, best practice, and configuration checks. With an endless combination of filters, you receive a complete view of the security and compliance baseline of your infrastructure. If you are alerted to a risky misconfiguration, Conformity provides you with step-by-step guides to fix it yourself, or you can use auto-remediation.

To understand how compliant your cloud environment is with HIPAA, start a free 30-day trial.
