We all want simplicity, but there’s no getting around the fact that compliance with the Health Insurance Portability and Accountability Act of 1996 is complicated. However, you can use a couple of checklists along with penetration testing of your system to verify that you have hit all the bases.
- Infrastructure Checklist: Verifying Hosting Service Compliance
- Policies & Procedures Checklist: Verifying In-House Compliance
- Penetration Testing: Verifying Actual System Security
- Simplification via HIPAA Compliant Hosting
Infrastructure Checklist: Verifying Hosting Service Compliance
Whether you are a covered entity or a business associate, HIPAA compliance is extraordinarily important. No one wants their patients to feel that their records are unsafe and could fall into the hands of state-sponsored Chinese hackers (believed responsible for both Anthem and Community Health Systems) or others. Also, no one wants the huge HHS fines associated with violations.
One major aspect of compliance, and really the first thing everyone turns to when they look at the law, is IT systems. Here is a basic checklist for infrastructure and core technologies:
- Firewalls – hardware firewalls, software firewalls, and web application firewalls.
- Two-factor authentication – Set up 2FA on every part of your site. Anything that requires a username and password should also require a second factor, typically a numerical code sent to a mobile device.
- Off-site backup – Make sure that all ePHI is backed up at a distant geographical location.
- SSL certificates – Certificates should be deployed site-wide, at a bare minimum covering every domain and subdomain through which protected information can be accessed.
- SSL VPN – This type of virtual private network (the standard alternative to an IPsec VPN) uses SSL certificates to facilitate a secure client-server connection through the browser.
- Encrypted VPN – You want the VPN to be encrypted, especially considering whistleblower Edward Snowden’s revelation that the National Security Agency’s XKeyscore system can penetrate VPNs. Attackers could have similar tools.
- Private hosted environment – No resources can be shared.
- SSAE 16 auditing (optional) – If your hosting system meets this standard, it is going above and beyond the security expectations of HIPAA to also meet the security parameters of the American Institute of Certified Public Accountants (AICPA).
- Business associate agreement (BAA) – All outside organizations with which you partner must be in a contractual relationship with you, as outlined in a BAA.
Additional resources related to the above:
- AICPA – SSAE 16 guidelines
- HHS – Security Rule guidelines
Policies & Procedures Checklist: Verifying In-House Compliance
Not everything is technological, so it’s not just about entrusting a hosting company to build your system appropriately. You also need to make sure that you are operationally sound with appropriate policies and procedures:
- Appoint a security and privacy officer.
- Conduct regular risk assessments.
- Create an email policy that either encrypts all messages containing health data (preferred) or informs patients that emailing the data is risky.
- Create a policy for mobile devices and laptops. Note that unencrypted laptops represent the most common HIPAA violation, while the theft of an encrypted laptop is not even considered a data breach.
- Conduct regular staff training.
- Create a privacy notice to post to your site and hand out to all patients.
- As established above, confirm that you have business associate agreements signed with all companies that come into contact with your health data.
- Develop a breach documentation and notification policy.
- Set up regular enforcement reviews to guarantee that all privacy and security policies are followed.
Penetration Testing: Verifying Actual System Security
Atlanta security analyst and author Mike Rothman recommends penetration testing over vulnerability scanning to ensure compliance.
What is penetration testing or pen testing? “I also call it ‘security assurance,’” explained Rothman, “and define it as anything and everything that tests where and how corporate networks, systems and applications can be compromised, as opposed to flagging theoretical vulnerabilities.”
You can basically think of professionals who make a living in the penetration testing field as white-hat hackers. They utilize the same software and methods, but they typically become much more diverse and granular in their attacks than does a run-of-the-mill attacker who is looking for an easy target.
Third-party penetration testing is actually required by various laws and standards such as HIPAA, SOX, and PCI-DSS. However, pen testers recommend that their services be performed much more regularly – which seems completely valid given the trend of hackers staying within systems for months (Sony, Anthem, US State Department, etc.).
Rather than simply listing what is vulnerable, as a vulnerability scanner does, a penetration test tells you what could actually be compromised. It goes beyond the technology to also examine the human element, a typical target for criminal exploitation.
Plus, vulnerability scanners sometimes turn up false leads. “There are lots of reasons why a vulnerable machine may not be exploitable,” said Rothman. “A scanner will tell security professionals it’s a problem. A pen test will assure them that it isn’t, and that provides a lot of value.”
Simplification via HIPAA Compliant Hosting
Although you want to make sure that all your compliance bases are covered, that doesn’t mean that you want to maintain and monitor the entire infrastructure in-house. Certainly you have other, more mission-specific things to do, and it’s much safer to trust the credibility of a provider staffed with security professionals who maintain and offer HIPAA Compliant Hosting 24/7/365.
By Moazzam Adnan