Given the high black-market value of medical records and the various plans of attack open to hackers, it is not surprising that the healthcare sector is subject to stringent security regulations. These data and cybersecurity rules follow best practices to make healthcare data more secure. However, some organizations face problems when it comes to implementation and oversight of HIPAA compliance requirements.
The Health Insurance Portability and Accountability Act
Established in 1996, the Health Insurance Portability and Accountability Act (HIPAA) set rules related to health care and health insurance issues in the United States. Both the Privacy and Security Rules mandate compliance requirements for protected health information (PHI) data at-rest and in-motion. These requirements include establishing specific privacy and security provisions that all organizations storing electronic protected health information (ePHI) must follow. These arespecifically contained in the three safeguards categories in the Security Rule.
The HIPAA Security Rule provides national standards to protect individuals’ ePHI. This refers to data that is created, received, used, or maintained by a covered entity. It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
All of this establishes basic security provisions, including:
- Protecting stored data and encrypting data traveling outside of the internal system through advanced encryption and secure communications.
- Establishing control authentication mechanisms for accessing ePHI, as well as logging who accesses it.
- Maintaining records of configuration settings, as well as regular control requirements audits.
- Risk analysis and risk management provisions, including remediation for security gaps.
Obtaining HIPAA Compliance
From the outside, compliance may appear easy and straight-forward. After all, HIPAA is a written set of codes that largely follow data security best practices. Yet, compliance is far from the norm. In fact, in its breach investigations, HIPAA’s enforcement arm (the Office of Civil Rights) found that 70% of organizations were not compliant. Failure to comply has three effects. First, non-compliance is illegal and can result in hefty fines from the federal and state governments. Second, HIPAA is in line with best practices and failure to follow best practices leaves vulnerabilities that can allow for breaches. Third, patients can sue medical providers/facilities if they lose PHI, causing financial and brand trust damage. In light of this, it is costly in monetary and reputational terms to fail to comply with HIPAA. What problems make HIPAA compliance difficult?
Difficulties in Achieving HIPAA Compliance
In a 2016 survey, respondents indicated that technical safeguards were the most difficult and time-consuming part of preparing for HIPAA audits. They also listed external threats to data security as the most difficult part of remaining HIPAA compliant, with employee training and evolving technology not far behind. While employee training involves intangible factors that might seem beyond an organization’s control, external threats and evolving technology largely relate to technical safeguards. Because HIPAA lays them out, technical safeguards should be straightforward. But several features make compliance particularly difficult to implement.
Technical safeguards constitute approximately 40% of HIPAA’s security compliance regulations. While this isn’t a disproportionate percentage of the rules, technical safeguards take up a disproportionate amount of the assessment and implementation time at approximately 80%. This makes complying with the technical safeguards more time-consuming and more costly.
Healthcare System Complexity
Next, there is the complexity of healthcare systems. Technical safeguards include configurations and settings throughout the healthcare organization and its security system. The problem lies with the attack surface exposure levels of the IT infrastructure. It can include hundreds of entry nodes within a single hospital, as well as span across multiple hospitals in a regional network. This also includes third-party vendors who require access to ePHI and on-premise, cloud, and hybrid environments. Each node or server in this intricate network requires appropriate configurations to ensure data integrity. But with so many people having access to the nodes and servers, it opens the problem of human errors and misconfigurations that, with time, can expose the organization to data breaches.
While the surface level presents problems, managing it becomes even more difficult with the changing technologies that expand and transform the system. Since HIPAA’s creation in 1996, we’ve seen the proliferation of Internet of Things (IoT) devices that expand healthcare systems, with new devices constantly requiring access to them. We’ve also seen the emergence of the cloud and new possibilities for organizing system infrastructure through it, including through hybrid solutions. While all these technologies present exciting opportunities for healthcare systems, they also present new risks that need to be managed within the framework of HIPAA and its technical safeguards.
A further problem for compliance lies in changes to HIPAA. Because of technological changes, evolution in hacking methods, and other factors, HIPAA is an ever-evolving compliance framework. This includes changes to the technical safeguard parameters. While healthcare organizations have had trouble staying compliant in the first place, changes to compliance regulations make this task even more difficult.
Hackers and HIPAA Compliance: Are There Any Solutions?
As the risk from hackers increases with the black-market value of medical records, healthcare organizations are under increased pressure to adequately maintain data security and regulatory compliance. But are there effective and efficient solutions to combat these problems? Next time, we’ll turn to how Spanugo can help you maintain data security and regulatory compliance with our Automated Security Assurance Platform (ASAP).