On June 30, a ransomware attack hit the Fetal Diagnostic Institute of the Pacific (FDIP) in Honolulu, with the provider noting that more than 40,000 patient records were potentially compromised. The attackers accessed the patient data within FDIP systems on the organization’s servers. FDIP contracted with a cybersecurity company for recovery, noted Jessica Davis. They cleared the virus from the infrastructure and put defenses in place to stop the problem from occurring again. The incident points to common concerns regarding cybersecurity and HIPAA compliance.
While no breach is easy, the institute was well-prepared. They had backups stored externally, on a separate network with its own authentication. Because they had the information stored elsewhere as an exact copy, they did not need to pay a ransom to get the same data from the cybercriminals (a tactic that is often unsuccessful anyway).
Cybersecurity is fundamental to HIPAA – and backup is just one aspect of securing your IT environments. Beyond setting up defenses against intrusion, insiders also must be considered.
Why is digital security central to HIPAA?
Core to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the Security Rule. Short for the Security Standards for the Protection of Electronic Protected Health Information, this rule is best understood in light of the HIPAA Privacy Rule, which is the short form for the Standards for Privacy of Individually Identifiable Health Information. The Privacy Rule created national standards to make sure that confidential health data is properly protected. Using the Privacy Rule as its basis, the Security Rule specifically discusses the safeguards that must be put into place by organizations handling electronic protected health information (ePHI), which are of three types: administrative (e.g., risk assessments and training), physical (e.g., security cameras and ID checks, perhaps), and technical (e.g., virtual private networks and managed firewalls, perhaps).
Security of healthcare information – not just data – is the focus of HIPAA. For that reason, organizations handling PHI should be concerned with the findings of a Canadian study published in the spring (despite Canada not being governed by HIPAA). The research described an 18-month recycling audit of six teaching hospitals in which 2600 PII papers were found, with 1885 of them containing healthcare PII. These findings are a reminder that hard copies should not be neglected. Nonetheless, digital security is the central concern with HIPAA, especially given the the specific focus of the Security Rule.
Dealing with the insider threat
Your employees unfortunately pose a significant risk. Just take the example of Independence Blue Cross, an independent licensee of BlueCross BlueShield. Many of the agency’s policyholders had critical health data exposed because of an employee error at the Philadelphia-headquartered insurer. A file containing data on nearly 17,000 people – including patient names, dates of birth, provider information, and diagnostic codes – was uploaded by an employee to a public-facing website. It was accessible online from April 23 to July 20, when it was noticed and pulled from the site.
This situation is far from isolated. A poll run in collaboration between the Health Information and Management Systems Society (HIMSS) and identity governance firm SailPoint found that most IT staff members of healthcare entities see insiders as a more significant breach concern than outsiders. Backing up that concern, a study from Verizon found that more than half (58%) of health data breaches occurred because of insiders.
Training to increase healthcare cybersecurity
Employees can cause both large breaches and small ones. They can cause situations that are large in scope, like the incident in Philadelphia. They can also be responsible for more minor infractions, such as a nurse inappropriately mentioning a patient by name or looking at something they do not have a legitimate reason to access. To mitigate this risk, your staff must be trained on the essentials of HIPAA and on cybersecurity best practices.
Here is an outline of a standard HIPAA training curriculum:
Essentials on HIPAA and HIPAA compliance
- Health Insurance Portability and Accountability Act of 1996 definition
- How HIPAA applies in healthcare
- Glossary of HIPAA-related jargon
- Health Information for Economic and Clinical Health Act of 2009 definition
- How HITECH changed and broadened HIPAA regulations
- Prison time
- Protected health information definition
- Types of information that are considered PHI (e.g., social security numbers, dates of birth, and medical history)
Covered entities and compliance responsibilities
- Covered entity definition
- What is expected of covered entities related to personally identifiable health data
- Types of organization that fall under the CE heading (e.g., healthcare data clearinghouses, hospitals, and insurance carriers)
- Business associate definition
- The importance of the business associate agreement
- Types of individuals and organizations that are BAs (e.g., consultancies, accountants, and data recovery companies)
- Privacy Rule description
- Security Rule description
- Breach Notification Rule description
- Insider threats (including human error and malicious insider incidents)
- Cybercriminal attack
- Your password policy
- Multi-factor authentication (MFA) as an additional safeguard
- The issue of legal guardianship
- Possible decision not to disclose data (as with child abuse)
In Conclusion: Think Beyond Hacking
Cybersecurity is critical to maintaining HIPAA compliance – and cybersecurity requires you to look at internal threats as much as you do external ones. Through robust digital security and strong business associate relationships, in conjunction with a comprehensive training program, you can ensure you remain compliant and avoid the fallout of a breach.