Hungry Hungry HIPAA: Dealing with an Influx in Noncompliance Fines
As if health care organizations didn’t have enough IT woes on their hands, courtesy of ransomware and other cyberthreats, HIPAA compliance breaches are on the rise. According to Diagnostic Imaging contributor Rachel V. Rose, there were at least three examples of notable compliance breaches in April, one of which resulted in a $400,000 fine.
The incidents behind those actions all occurred before 2016, which suggests the public is only now seeing the full legal fallout from the spike in health care-related cybercrime over the past few years. This raises the question of what health care organizations are doing today to protect their information systems, especially given the potential exposure of electronic protected health information (ePHI) on patient monitoring systems, at remote telemedicine sites and on network-connected medical devices (the Internet of Things) attached to IT infrastructure.
As we now face the consequences of yesteryear’s mess, it’s impossible not to wonder what comes next. Health care IT managers can’t change the past nor predict the future, but they may be able to inoculate themselves against future HIPAA breaches, and improve overall security posture.
Continuous network visibility is key
Under the HIPAA Security Rule, health care organizations must implement certain technical and administrative safeguards. Some of these are "required," while others are "addressable," which is not synonymous with "optional." It merely means more than one approach can be taken to meet that standard, and the choice (or a decision not to implement) must be documented. These safeguards include, but aren't limited to, the following:
- Access control: Each user must be assigned a unique identifier (in practice, a unique username with its own credentials), and organizations must establish procedures that govern who may access ePHI and when.
- Integrity and authentication: Controls must be implemented to verify that ePHI has not been improperly altered or destroyed (and ideally, that tampering is detected the moment it occurs), and to verify that a person or system seeking access is who it claims to be.
- Activity audit controls: Attempts to access ePHI must be recorded, and subsequent interactions with that data must be logged in enough detail to reconstruct what happened.
- Risk assessments: Everywhere ePHI is stored, processed or transmitted, and the ways in which it could be breached, must be identified in a formal risk assessment.
- Risk management policy: Those risk assessments must be repeated regularly so that the controls in place are tracked and identified risks are actually reduced.
- Reporting security incidents: Procedures must exist to identify, respond to and document security incidents, including those that did not result in a breach; all employees should know exactly how to report an incident, and should be trained to spot malicious software.
- Procedures for mobile devices: Health care organizations must be able to clear ePHI from lost or stolen devices (for instance, through remote wipe via a mobile device management tool).
The pervasive theme is the need for complete visibility into how ePHI is treated, where the risks lie and what actions are being taken to mitigate those risks. This requires a level of transparency into the activity taking place throughout the network, and the ability to automatically flag indicators of a compliance breach that could jeopardize the integrity of ePHI.
Maintaining compliance with limited resources
Creating comprehensive risk assessments and then simultaneously tracking all of them to verify that security controls are working properly can’t be completed with spreadsheets and elbow grease. Every day, security analysts may receive thousands of security alerts, and the vast majority will be false positives. Some of them, however, will be indicative of HIPAA compliance breaches or vulnerabilities that put ePHI at risk.
“The legitimate security incidents that involve HIPAA breaches are often missed, and this is a major problem.”
The security incidents that do require immediate attention are often missed, because they are still difficult to detect and respond to before damage is done. For example, as recently as late 2015, 90 percent of health care institutions were using messaging apps that were not HIPAA compliant. With the right network rules in place, this is the type of infraction that could easily be caught: the traffic may not be properly encrypted, the messaging service may be one the organization has no business associate agreement with, or the app may be running on a personal device that is beyond the reach of a mobile application management solution. In any of those scenarios, being able to sift the noncompliant behavior out of a din of false alarms would prove invaluable to maintaining HIPAA compliance.
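What "the right network rules" might look like in practice, as an added example that is not part of the original article: a small Python detector that runs the three checks described above (unapproved messaging service, cleartext egress from an ePHI subnet, ePHI-bearing app on a device missing from the MDM inventory) over constructed proxy/flow log lines. The log format, hostnames, device IDs, subnet and app names are all hypothetical; a real deployment would feed these rules from the proxy or NetFlow source and the MDM inventory rather than from in-code constants.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# --- Hypothetical policy inputs (assumptions for illustration) -------------
# Consumer messaging services the organization has no business associate
# agreement (BAA) with.
UNAPPROVED_MESSAGING = {"chat.consumer-app.example", "api.freemsg.example"}
# Device IDs enrolled in the (hypothetical) MDM/MAM inventory.
MDM_MANAGED = {"dev-0451", "dev-0912"}
# Applications known to carry ePHI; only these trigger the unmanaged-device rule.
EPHI_APPS = {"clinical-messaging", "ehr-portal"}
# Internal subnet hosting clinical workstations and ePHI systems.
EPHI_SUBNET = ipaddress.ip_network("10.20.0.0/16")
# Suffix marking internal destinations; anything else counts as egress.
INTERNAL_SUFFIX = ".internal.example"
# Protocols that carry application data without transport encryption.
CLEARTEXT_PROTOS = {"http", "smtp", "ftp"}


@dataclass
class Event:
    ts: str
    src_ip: str
    device: str
    dst_host: str
    dst_port: int
    proto: str
    app: str


def parse_line(line: str) -> Event:
    """Parse one record of the constructed format:
    <ts> <src_ip> <device_id> <dst_host> <dst_port> <proto> <app>"""
    ts, src_ip, device, dst_host, port, proto, app = line.split()
    return Event(ts, src_ip, device, dst_host, int(port), proto, app)


def is_egress(host: str) -> bool:
    """True when the destination is outside the organization's own namespace."""
    return not host.endswith(INTERNAL_SUFFIX)


def check(ev: Event) -> List[str]:
    """Return the policy violations an event matches (empty list = no finding)."""
    findings = []
    # Rule 1: any use of a messaging service that is not covered by a BAA.
    if ev.dst_host in UNAPPROVED_MESSAGING:
        findings.append("unapproved-messaging")
    # Rule 2: a cleartext protocol leaving the network from an ePHI host.
    if (ipaddress.ip_address(ev.src_ip) in EPHI_SUBNET
            and ev.proto in CLEARTEXT_PROTOS
            and is_egress(ev.dst_host)):
        findings.append("cleartext-egress")
    # Rule 3: an ePHI-bearing app used from a device the MDM cannot wipe.
    if ev.app in EPHI_APPS and ev.device not in MDM_MANAGED:
        findings.append("unmanaged-device")
    return findings


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map timestamp -> findings, keeping only events that matched a rule, so an
    analyst sees the handful of compliance-relevant events rather than every flow."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        findings = check(ev)
        if findings:
            hits[ev.ts] = findings
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2015-11-03T08:12:01 10.20.4.17 dev-0451 secure-msg.internal.example 443 tls clinical-messaging",
    "2015-11-03T08:12:09 10.20.4.22 dev-3131 chat.consumer-app.example 443 tls consumer-chat",
    "2015-11-03T08:13:44 10.20.9.5 dev-0912 mail-relay.freemsg.example 25 smtp consumer-mail",
    "2015-11-03T08:14:02 10.20.3.8 byod-1188 ehr-portal.internal.example 80 http ehr-portal",
    "2015-11-03T08:15:30 10.50.1.9 dev-2000 www.news.example 80 http browser",
]

if __name__ == "__main__":
    for ts, findings in triage(SAMPLE_LOG).items():
        print(ts, ", ".join(findings))
```

Only three of the five sample events surface: the approved, encrypted, managed clinical session and the non-ePHI web browsing from outside the clinical subnet are dropped, which is the point of the exercise. Two caveats a practitioner should note: the egress rule deliberately ignores cleartext HTTP to an internal EHR portal (line four is flagged only for the unmanaged device), so an internal-cleartext rule would be a sensible fourth check; and domain allow/deny lists go stale quickly, so the unapproved-messaging set should be sourced from the organization's BAA register rather than hand-maintained.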
Granted, that’s easier said than done, given the exorbitant cost of running a security operations center (SOC). But when critical information systems, millions of dollars in fines and a facility’s reputation are at stake, taking shortcuts isn’t an option. That’s not to suggest health care institutions can’t have the benefits of a SOC at a lower cost; there are other options out there.