A Simplified Regulatory Checklist for Health Care Organizations
Healthcare is one of the most regulated industries in the U.S., and for good reason. It accounts for roughly one-sixth of U.S. GDP, and its impact is felt by every citizen.
What’s more, healthcare is under constant pressure from cyberattacks. It is a frequent ransomware target: NTT Security found it to be one of four industries that together account for over three-fourths of such attacks. Just last year the high-profile WannaCry ransomware outbreak took healthcare IT systems offline worldwide.
The Requirements and Administration of HIPAA and HITECH
For cybersecurity, the most germane piece of healthcare legislation is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), although other requirements, such as the Health Information Technology for Economic and Clinical Health Act (HITECH) and, for organizations that accept card payments, the Payment Card Industry Data Security Standard (PCI DSS), apply as well. Let’s look at HIPAA first.
HIPAA has multiple titles (sections). However, the second, which mandates secure access to electronic protected health information (ePHI) along with compliance with privacy regulations, is the centerpiece of modern HIPAA compliance.
Under the Administrative Simplification rules issued to enforce Title II, health plans, healthcare providers and healthcare clearinghouses (the “covered entities”) are all subject to:
- Security Rule: HIPAA-covered entities must ensure the confidentiality, integrity and availability of any ePHI they create, maintain, transmit or receive. They must also identify and defend against reasonably anticipated threats to the ePHI, protect against impermissible uses and disclosures, and make sure their workforces know their HIPAA-related responsibilities.
- Privacy Rule: This is a set of national standards for protecting patient privacy. Unlike the Security Rule, which covers only electronic PHI, it applies to protected health information in any form, paper included. It sets limits on how patient information may be used and disclosed, gives individuals rights over their records (such as access to them and notice of how they are used), and establishes accountability and penalties for violators.
What do HIPAA mandates mean for day-to-day cybersecurity? While its rules spell out many responsibilities, they had little teeth until HITECH passed in 2009.
HITECH stiffened penalties for violating the existing security and privacy regulations for ePHI. It also added the Breach Notification Rule: affected individuals must be notified without unreasonable delay and no later than 60 days after a breach is discovered, and the Department of Health and Human Services (HHS) must be notified within the same 60 days if the breach affects 500 or more people (smaller breaches are logged and reported to HHS annually). The upshot is more auditing, logging and reporting, not to mention better detection, to minimize data breach damage.
The complexity of HIPAA/HITECH can seem overwhelming to health organizations already short on security personnel and budget. To simplify strategy and compliance, we’ve highlighted some key security operations center (SOC) tasks to focus on with your managed service provider:
Access, Administrative and Physical Controls
HIPAA requires technical safeguards that control access to ePHI. For example, covered entities must establish access rules for authorized users and enforce them through measures such as unique user IDs, automatic logoff and access control lists, which may be tightened further with role-based and context-aware (time- or location-based) restrictions. HHS has emphasized that administrative and physical controls (e.g., over the servers housing the data) are just as necessary for HIPAA compliance.
Establishing compliant controls is complicated when working with cloud service providers (CSPs) and/or remote employees. Just because ePHI is managed elsewhere doesn’t mean the health organization is off the hook if the outside party fails to comply with HIPAA.
Business Associate Agreements, Service-Level Agreements and Vendor Management
A CSP that creates, receives, maintains or transmits ePHI on a covered entity’s behalf is a business associate, to which the core HIPAA regulations on security, privacy and breach notification all apply. Accordingly, a legally binding business associate agreement (BAA) must be in place between the customer and the CSP before any ePHI is shared.
Additional service-level agreements that align with the BAA are usually created to cover specifics, such as:
- Responsible parties for each security function
- The guaranteed availability and reliability of the system
- Any backup and recovery mechanisms in place
CSPs and other vendors should be carefully vetted before gaining access to ePHI. Some recent healthcare breaches, such as one involving a dermatology group in Alabama, have been precipitated by critical vulnerabilities at third-party cloud vendors.
Logging and Auditing
The combined requirements of HIPAA/HITECH make comprehensive and ongoing review of system logs essential for all covered entities. More specifically, these pieces of legislation require attention to:
- Monitoring of login attempts and reporting of discrepancies (e.g., repeated failures or logins from unexpected places)
- Audit controls (hardware, software and procedural) that record and allow examination of activity on all systems handling ePHI
- Procedures for regular review of logs and reports, with a named owner for the review
The Security Rule’s documentation requirement sets a retention period of six years from creation or last effective date, whichever is later, and audit logs are commonly retained for the same period. A SOC can simplify the process of collecting, reviewing and retaining these logs to comply with all statutes.
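The two preceding sections describe the controls in the abstract: role-based and contextual access restrictions, and a regular review of login attempts and ePHI access records. The script below is an added example, not code from the original post or from any product, showing what such a review looks like in practice. The log format, the users, the role policy and the thresholds are all constructed for illustration; a real review would run the same checks over the audit trail your EHR or identity provider actually produces.

```python
"""Added example: a minimal review of a constructed ePHI access audit log.

Three checks a HIPAA log review typically needs:
  1. bursts of failed logins (the "login attempts and discrepancies" item),
  2. successful reads that the user's role should not permit (a role-based
     access control check run against what the system actually allowed),
  3. successful reads outside working hours (a simple contextual check).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real system.
# Fields: timestamp user role event resource outcome
SAMPLE_LOG = """\
2018-02-05T08:01:10 jdoe nurse LOGIN - SUCCESS
2018-02-05T08:02:30 jdoe nurse READ patient:4471 SUCCESS
2018-02-05T08:15:02 bsmith billing LOGIN - FAILURE
2018-02-05T08:15:20 bsmith billing LOGIN - FAILURE
2018-02-05T08:15:41 bsmith billing LOGIN - FAILURE
2018-02-05T08:16:30 bsmith billing LOGIN - SUCCESS
2018-02-05T08:20:00 bsmith billing READ billing:4471 SUCCESS
2018-02-05T08:21:00 bsmith billing READ clinical-notes:4471 SUCCESS
2018-02-05T23:40:00 jdoe nurse READ patient:9001 SUCCESS
"""

# Hypothetical role policy: which resource types each role may read.
ROLE_POLICY = {
    "nurse": {"patient", "clinical-notes"},
    "billing": {"billing", "patient"},
}


def parse_log(text):
    """Parse the constructed space-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, event, resource, outcome = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "event": event, "resource": resource, "outcome": outcome,
        })
    return records


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logins inside a sliding window.
    Returns (user, first_failure, last_failure, count) per flagged user."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN" and r["outcome"] == "FAILURE":
            failures[r["user"]].append(r["ts"])
    findings = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((user, times[start], times[end], end - start + 1))
                break  # one finding per user is enough for the report
    return findings


def role_violations(records, policy=ROLE_POLICY):
    """Successful reads of a resource type the user's role may not see:
    the access control list let through what the policy forbids."""
    findings = []
    for r in records:
        if r["event"] != "READ" or r["outcome"] != "SUCCESS":
            continue
        rtype = r["resource"].split(":", 1)[0]
        if rtype not in policy.get(r["role"], set()):
            findings.append((r["user"], r["role"], r["resource"], r["ts"]))
    return findings


def after_hours_access(records, start_hour=7, end_hour=19):
    """Successful ePHI reads outside the (hypothetical) working window."""
    return [
        (r["user"], r["resource"], r["ts"])
        for r in records
        if r["event"] == "READ" and r["outcome"] == "SUCCESS"
        and not (start_hour <= r["ts"].hour < end_hour)
    ]


def review(text):
    """Run all three checks and return the findings keyed by check name."""
    records = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(records),
        "role_violations": role_violations(records),
        "after_hours_access": after_hours_access(records),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(check)
        for finding in findings:
            print("  ", finding)
```

On the sample data the review flags three things: bsmith’s three failed logins in under a minute, bsmith (a billing user) successfully reading clinical notes, and jdoe reading a patient record at 23:40. The second finding is the important one for the access-control section above: the application’s ACL allowed the read, so the discrepancy between policy and enforcement is only visible because the audit log recorded it and someone reviewed it.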
As of early 2018, encryption is not strictly required under the Security Rule. It is an “addressable implementation specification,” which means a covered entity must implement it if a risk assessment shows it to be reasonable and appropriate, and otherwise must document why not and put an equivalent alternative safeguard in place. In practice most covered entities and their business associates should encrypt ePHI at rest and in transit: beyond the protection it affords, HITECH treats a breach of properly encrypted data (where the keys were not compromised) as not requiring notification.
Note that a CSP or business associate that stores encrypted ePHI without possessing the encryption keys is still within the scope of HIPAA and its obligations. HHS has also stressed that encryption alone is not a sufficient security or compliance measure, since it cannot by itself ensure the integrity, availability or physical safety of ePHI.
Meet Regulations and More with SOC-as-a-Service
Marking off all the boxes on your HIPAA/HITECH checklist is difficult without a modern SOC in place to streamline compliance. For many organizations, however, building a SOC is too expensive and demanding. That’s what makes SOC-as-a-service valuable.
Combining functions such as managed detection and response and ongoing vulnerability scanning with 24/7/365 monitoring by security experts, SOC-as-a-service pairs expertise with technology. It is also affordable: instead of rolling out SIEM infrastructure on your own and being responsible for its maintenance and modernization, everything is included in a predictable ongoing subscription.