The healthcare industry holds an abundance of sensitive and valuable data, and that concentration of data creates a massive attack surface. HIPAA (the Health Insurance Portability and Accountability Act) sets a national standard for the security and privacy of healthcare-related data, and its rules are meant to reduce that attack surface.
Just how many healthcare-related records have been breached? According to the HIPAA Journal, approximately 54.25% of the U.S. population was affected by a healthcare data breach between 2009 and 2017, which the HIPAA Journal states equates to 176,709,305 records breached.
The threat landscape outlook by SANS provides an overview of current threats and trends. End users are the key to preventing a breach, through detection, awareness and safe practice, yet they are also the biggest threat an organization has.
The threat landscape is also riddled with evolving attacks that skirt traditional lines of defense to reach their target. The attacks in this category are credential compromises, process exploits, and scripting attacks.
Of the 32% of organizations that experienced a 'malware-less attack,' 11% reported it to be very serious. Because these attacks carry no malware for a signature-based tool to catch, thwarting them relies on end-user detection. These new threat trends are expanding the landscape, and organizations are responding with automated monitoring software that applies machine learning.
It is the responsibility of every covered entity (health plans, healthcare clearinghouses, and healthcare providers) that interacts with electronic protected health information (EPHI) to remain compliant with HIPAA's regulations. Many entities are falling short of keeping that data secure while it is used and stored, which translates directly into problems maintaining HIPAA compliance.
Under HIPAA regulation, covered entities must adhere to two rules. The HIPAA Privacy Rule sets standards for the protection of protected health information (PHI) in any form. The HIPAA Security Rule establishes security standards for EPHI that is created, received, used or maintained by any covered entity.
The healthcare industry's shift toward convenient, accessible, electronic handling of PHI has accelerated. Industry entities therefore need to reassess their current data strategies and how they approach HIPAA, and this has the healthcare industry seeking out new cybersecurity mitigation tactics in order to be compliant.
How to Achieve HIPAA Compliance
Unfortunately, it is not as simple as aligning your organization's cybersecurity needs with HIPAA's mandated guidelines.
HIPAA compliance cannot be a task delegated to just your IT team. Every part of a covered entity must take on a proactive and preventive mindset with regard to HIPAA.
Luckily, advances in machine learning and analytics now make it possible to prevent data breaches proactively while maintaining HIPAA compliance.
One solution is a class of comprehensive software called employee monitoring software. Employee monitoring software may sound unrelated to HIPAA compliance, but it can actually be one of the more fundamental parts of a compliance strategy. It is a technical approach to security that fuses machine-learned user analytics with security mitigation tools, giving your organization a practical strategy for working toward HIPAA compliance.
Advantages to Using Employee Monitoring Software
Employee monitoring software has many features that help an organization become and remain HIPAA compliant. These key features and their tools are what will guide your healthcare organization toward full compliance.
- Live view and history playback: Live view records every action a user makes while operating a device, and history playback lets administrators replay any previously recorded actions. Administrators can address security issues in real time, which is key to stopping a breach in progress or catching a misstep before it becomes a vulnerability.
- Website and email monitoring: This feature visually and textually records and logs all actions made on websites and within email accounts.
Consider an employee who has evaded detection by using a peer's credentials that were left logged in on a shared device. Because your organization is running activity monitoring, the administrator is alerted: the account being active from a new location or device, or in two places at once, is recorded and reported, as is any deviation from the machine-learned behavior baseline for that user. These alerts compose a forensic record of the incident in the event of a HIPAA audit. Monitoring supplements, rather than replaces, the Security Rule's technical access controls: unique user identification and automatic logoff would have made the shared-device misuse harder in the first place.
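The two signals in that scenario, a logon from a host the user has never used and a user active on two hosts at once, can be derived from ordinary logon/logoff records without any vendor product. The following is an added example written for this article, not code from the original page or from Teramind; the log line format, the hostnames and the per-user "known host" baseline are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of workstation logon/logoff events (not real data).
SAMPLE_EVENTS = """\
2018-03-05T08:02:10Z user=jdoe host=WS-112 ip=10.0.4.21 event=logon
2018-03-05T08:05:44Z user=asmith host=WS-140 ip=10.0.4.88 event=logon
2018-03-05T08:31:02Z user=jdoe host=WS-203 ip=10.0.7.13 event=logon
2018-03-05T09:10:00Z user=jdoe host=WS-203 ip=10.0.7.13 event=logoff
2018-03-05T12:00:00Z user=asmith host=WS-140 ip=10.0.4.88 event=logoff
2018-03-05T17:00:00Z user=jdoe host=WS-112 ip=10.0.4.21 event=logoff
"""

# Assumed log format; a real deployment would parse its own event source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"ip=(?P<ip>\S+) event=(?P<event>logon|logoff)$"
)

# Assumed baseline of hosts each user has previously logged on from.
KNOWN_HOSTS = {"jdoe": {"WS-112"}, "asmith": {"WS-140"}}


def parse_events(text):
    """Parse the constructed log lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_anomalies(events, known_hosts):
    """Return alerts for logons from an unseen host and for a user holding
    concurrent sessions on two different hosts ("in two places at once")."""
    active = defaultdict(dict)  # user -> {host: logon time}
    alerts = []
    for e in events:
        user, host = e["user"], e["host"]
        if e["event"] == "logoff":
            active[user].pop(host, None)
            continue
        if host not in known_hosts.get(user, set()):
            alerts.append(("new_host", user, host, e["ts"]))
        if any(h != host for h in active[user]):
            alerts.append(("concurrent_session", user, host, e["ts"]))
        active[user][host] = e["ts"]
    return alerts


if __name__ == "__main__":
    for alert in detect_session_anomalies(parse_events(SAMPLE_EVENTS), KNOWN_HOSTS):
        print(alert)
```

On the sample, jdoe's logon to WS-203 while the WS-112 session is still open raises both a new-host and a concurrent-session alert; asmith raises nothing. The alerts keep the timestamp and host so they can be folded into the forensic record mentioned above.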
Logging and File Tracking Activity
- Keystroke logging: User keystrokes are captured and logged. Note that such logs can themselves contain PHI and passwords, so they must be stored and access-controlled as EPHI in their own right.
- File transfer tracking: Transfers of data files, such as electronic health records (EHR), are tracked, giving administrators visibility into data in motion and where it comes to rest.
- Printed document tracking: Any sensitive data such as PHI that is printed is tracked and recorded. Administrators can see exactly which document was printed, by whom, when and from where.
Consider an employee who has transferred three files of EPHI to their personal email. With so few files transferred, and in a busy organization, this can easily be missed. Logging and file tracking activity can either restrict which actions are permitted with specific data or, after the fact, pinpoint where the data went and which user is responsible. With regard to HIPAA, these features support the Security Rule's audit-control and information-system activity review requirements; they do not by themselves satisfy the Security Rule.
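The "three files to a personal mailbox" case is simple to catch once outbound attachment events are logged with the file path and recipient. The block below is an added example for this article, not the page's or Teramind's code; the log format, the organizational domain `example-clinic.org` and the assumption that EHR exports live under `/ehr/` are constructed for illustration.

```python
import re
from collections import defaultdict

ORG_DOMAIN = "example-clinic.org"      # assumed organizational mail domain
EPHI_PATH_RE = re.compile(r"^/ehr/")   # assumed: EHR exports live under /ehr/

# Constructed sample of outbound-attachment events (not real data).
SAMPLE_TRANSFERS = """\
2018-03-06T10:01:12Z user=jdoe action=attach file=/ehr/patient_44781.pdf to=billing@example-clinic.org
2018-03-06T10:04:50Z user=jdoe action=attach file=/ehr/patient_44782.pdf to=jdoe.personal@gmail.com
2018-03-06T10:05:02Z user=jdoe action=attach file=/ehr/patient_44783.pdf to=jdoe.personal@gmail.com
2018-03-06T10:05:09Z user=jdoe action=attach file=/ehr/patient_44784.pdf to=jdoe.personal@gmail.com
2018-03-06T11:20:00Z user=asmith action=attach file=/shared/lunch_menu.pdf to=friend@outlook.com
2018-03-06T11:45:30Z user=asmith action=attach file=/ehr/patient_50010.pdf to=records@mail.example-clinic.org
"""

# Assumed log format for the constructed events above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=attach file=(?P<file>\S+) to=(?P<to>\S+)$"
)


def is_external(address, org_domain):
    """True when the recipient's domain is neither the org domain nor a subdomain of it."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != org_domain and not domain.endswith("." + org_domain)


def find_ephi_exfiltration(text, org_domain=ORG_DOMAIN):
    """Map each user to the EPHI files they attached to external recipients.
    Every hit is reported with no minimum count, because a handful of
    records sent to a personal mailbox is exactly the case that gets missed."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        if EPHI_PATH_RE.match(e["file"]) and is_external(e["to"], org_domain):
            hits[e["user"]].append((e["ts"], e["file"], e["to"]))
    return dict(hits)


if __name__ == "__main__":
    for user, files in find_ephi_exfiltration(SAMPLE_TRANSFERS).items():
        print(user, len(files), "EPHI file(s) sent externally")
        for ts, path, to in files:
            print("  ", ts, path, "->", to)
```

Only jdoe's three Gmail transfers are reported: the billing mail stays inside the org domain, asmith's external mail carries no EPHI, and the `mail.example-clinic.org` recipient is treated as internal. The same classification can drive a blocking rule instead of a report.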
Privileged User Access Controls
- Website and application monitoring: All activity carried out by a privileged user on web pages and applications that handle sensitive data is monitored and available for review.
- Automated behavior rules: Based on machine-learned behaviors, administrators can receive alerts from predefined, configured rules tied to any selected behavior. Within these rules, an admin can log the user out, redirect them, or lock them out. The rules are custom and scaled to the severity of the action.
A privileged user carries out specific actions daily, and these behavioral trends are recorded and machine-learned. If that employee attempts to steal data, their actions will shift away from the learned trend and the administrator is notified, which can stop a breach in progress and help maintain your HIPAA compliance.
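The behavior rules just described (and the anomaly detection listed under the audit-trail features below) come down to comparing today's activity against a per-user baseline and mapping the size of the deviation to an action. The following is an added example for this article, not Teramind's code or model; it uses a robust modified z-score rather than any particular vendor's machine-learning approach, and the baseline counts, the notify/lock thresholds and the "records opened per day" metric are constructed assumptions.

```python
import statistics

# Constructed baseline (not real data): patient records a privileged user
# opened on each of the previous 15 working days.
BASELINE_DAILY_RECORDS = [41, 38, 45, 40, 39, 44, 42, 37, 43, 40, 46, 39, 41, 42, 40]


def modified_zscore(value, history):
    """Robust deviation score (Iglewicz-Hoaglin): median and median absolute
    deviation, so a few past spikes do not inflate the baseline the way a
    mean/standard deviation would."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:
        # Perfectly flat history: any change at all is maximally anomalous.
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def behavior_rule(value, history, notify_at=3.5, lock_at=7.0):
    """Map today's count to an action: 'ok', 'notify' the admin, or 'lock'
    the session. The score is signed, so only unusually *high* access
    volumes trigger; a quiet day is not a theft signal. Thresholds are
    assumptions; 3.5 is the conventional outlier cutoff for this score."""
    z = modified_zscore(value, history)
    if z >= lock_at:
        return "lock", z
    if z >= notify_at:
        return "notify", z
    return "ok", z


if __name__ == "__main__":
    for today in (43, 55, 70, 20):
        action, z = behavior_rule(today, BASELINE_DAILY_RECORDS)
        print(f"{today:3d} records today -> {action:6s} (score {z:.2f})")
```

With this baseline (median 41, MAD 2), 43 records is normal, 55 is flagged for the administrator and 70 locks the session. A single count per day is deliberately coarse; in practice one would track several features (records opened, exports, after-hours activity) and treat the baseline itself as sensitive, since it describes a named user's working pattern.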
Audit Trail and IT Compliance
- IT forensics: Travel back to view the metadata, actions, and keystrokes of any given employee session.
- Anomaly detection: User behavior analytics built through machine learning allow anomalies in behavior to be recorded.
- Intelligent session mining: This feature enables administrators to locate the session in which a sensitive file was first accessed and viewed.
Suppose your organization is being audited. The software's records contribute to the risk analysis, the end-to-end documentation and the logs needed to demonstrate compliance, and the recorded incidents double as training material; together they form the security backbone necessary to pass a HIPAA audit. The required risk analysis itself is still the covered entity's responsibility; the software supplies evidence for it, not a substitute.
What’s the takeaway?
The healthcare industry is lacking in security measures, reportedly experiencing double the number of cyber attacks of other industries. HIPAA will remain the national standard for health-related privacy and security that covered entities must abide by or face a range of penalties that vary with the offense. Organizations within the healthcare industry need to adopt a proactive and secure mindset. Traditional cybersecurity tools alone are not enough, since they fail to monitor and address an organization's biggest threat: its own employees.
Deploying employee monitoring software allows security to start from inside the entity. The ability to monitor, track and log actions and data, and to maintain an audit trail, gives an organization the transparency and cyber hygiene necessary to achieve and maintain HIPAA compliance.
ISAAC KOHEN is the founder and CEO of Teramind, an employee monitoring and insider threat prevention platform that detects, records, and prevents malicious user behavior.