HIPAA Cybersecurity Requirements: A Practical Guide

What is HIPAA Compliance?

HIPAA stands for Health Insurance Portability and Accountability Act of 1996. It was created to modernize the flow of medical information and to specify how organizations should protect personal health information (also known as PHI). These rules apply to anyone processing sensitive patient data.

In 2013, HIPAA rules were expanded to include business associates, including those who may process PHI on behalf of healthcare entities, such as software vendors and HIPAA-compliant hosting companies.

HIPAA is designed to protect personally identifiable information (PII) in any form or medium. Many people think this means data such as social security numbers, names, and driver’s licenses, but it is much broader and includes identifying information such as fingerprints, photographs (a face or anything that can identify an individual), and voice prints.

A Brief Overview of HIPAA Requirements

HIPAA has a special focus on protecting and securing sensitive health information. HIPAA compliance requires hospitals and healthcare organizations to follow a number of different rules to protect confidential patient information:

• Privacy – patients have the right to keep their Protected Health Information (PHI) confidential. PHI can contain a variety of information on sensitive topics such as diagnoses, appointments, and procedures.
• Security – organizations must protect PHI from unauthorized use and distribution. A common example is a patient’s insurance information.
• Enforcement – agencies protecting PHI should always implement security protocols and initiate investigations when data breaches occur. The best way to achieve this is to create and adhere to data protection protocols and to keep a complete audit in case an attack occurs.
• Breach notification – in the event of a violation, businesses must notify the appropriate local and national authorities. A data breach report should include who contacted whom and what information was shared.
• Omnibus – the Omnibus Rule added cybersecurity requirements to HIPAA (thanks to the HITECH Act). This rule defines an organization’s legal liabilities with regard to HIPAA.

HIPAA Cybersecurity Requirements

An important part of HIPAA requirements is a set of rules designed to prevent accidental or malicious access to HIPAA-protected health information.

For example, healthcare providers and organizations must develop security policies that define how to conduct risk and vulnerability assessments to find vulnerabilities, create risk coordination plans, and respond to cyber incidents.

HIPAA technical requirements and information security

HIPAA technical requirements aim to ensure the confidentiality, integrity, and availability of protected electronic health information (ePHI). Healthcare providers and organizations must implement the standards necessary to maintain the privacy of HIPAA-protected healthcare information, using reasonable and appropriate healthcare cybersecurity measures. The exact implementation will depend on individual organizations and the cybersecurity personnel they employ.

HIPAA requirements for access control

Strong access control is one of the key safeguards for protecting HIPAA-protected health information. Access control grants rights or privileges to specific users of an information system, application, program, or file to perform task-related functions. The access control method must include:

• Unique user identification using multiple factors, including biometric factors like fingerprint reading or eye scans.
• Documenting emergency access procedures, including emergency ePHI access guidelines and procedures.
• Automatic logout of end-user sessions after a period of inactivity.
• Encrypting data to convert it to an unreadable format.

With these measures, different people in different roles have different levels of access to data. For example, doctors may have access to everything, nurses may have access to a majority of the information, and billing and insurance may have very limited access.

HIPAA Security Rule

The HIPAA Security Rule stipulates that healthcare providers (covered entities) must protect PHI with policies and technical measures that prevent the inappropriate use of this confidential information. This includes the use of HIPAA-compliant firewalls, which secure networks and prevent unauthorized access to your PHI.

Penetration testing is not explicitly required by HIPAA regulations. However, regulations require that entities perform a periodic security risk analysis.

As part of the mandatory HIPAA security rule risk analysis, the organization must assess the risks and vulnerabilities in the environment and implement security controls to address those risks and vulnerabilities. Healthcare organizations must implement a variety of controls, including access controls, audit controls, integrity controls, authentication controls, and data transmission security controls.

A Holistic Approach to Health Cybersecurity

HIPAA rules are not enough to combat cybercrime. Legal requirements are not always consistent with cybersecurity best practices.

Additionally, healthcare organizations should not consider cybersecurity and HIPAA compliance as separate components, but as two concepts working in parallel with each other. In fact, a strong cybersecurity program supports compliance.

To ensure cybersecurity in the healthcare sector and prevent sophisticated attacks, healthcare organizations can implement the following practices:

• Review your current security risk analysis and identify areas and areas for improvement. Support regulatory compliance by documenting risk analysis.
• Evaluate your risk management plan to ensure you have sufficient countermeasures to mitigate vulnerabilities. Adopt best practices used in healthcare such as unique identification, strong passwords, role-based permissions, automatic timeout, and screen lock.
• Compare HIPAA and other cybersecurity standards and procedures, including your organization’s other legal and regulatory obligations, and ensure they are updated with the latest risk analysis findings.
• Develop a security incident response plan that is compliant with HIPAA and other applicable legal requirements, to help your business respond to potential data breaches. Plan for the unexpected – anything from cyberattacks to natural disasters that threaten health records and other critical assets.
• Make a backup and create a recovery plan. Ensure that the media used to store the backup data is secure and cannot be erased or encrypted by attacks such as ransomware.
• Invest in people, processes, and management. Cybersecurity cannot be done by IT or security departments alone. It must be integrated with organizational practices, development plans, and business plans.

We hope this will be useful as you align your cybersecurity strategy with HIPAA compliance requirements.