Cybersecurity and HIPAA Compliance Go Hand in Hand: Here’s Why
HIPAA compliance (adherence to the Health Insurance Portability and Accountability Act of 1996) means meeting a broad set of requirements, including ones related to carrying healthcare coverage from one job or plan to another (portability) and ones related to protecting health records (accountability). The accountability side is central to compliance work because it applies to all protected health information, whereas portability concerns insurance coverage specifically. Accountability is inseparable from cybersecurity because confidential data is exposed to particular risks whenever it is stored or moved in electronic form.
Cybersecurity is addressed by the Security Rule, which falls under HIPAA’s Title II. The Security Rule requires covered entities (and their business associates) to establish and maintain reasonable and appropriate administrative, physical, and technical safeguards for electronic protected health information (ePHI). The rule requires organizations to:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. (Confidentiality means the data is not made available or disclosed to unauthorized persons or processes. Integrity means the data is not altered or destroyed in an unauthorized manner. Availability means the data is accessible and usable on demand by an authorized person.)
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated uses or disclosures that HIPAA does not permit.
- Ensure compliance with the Security Rule by their workforce.
How the size of an organization impacts compliance
While flexibility may not be the first characteristic that comes to mind when you consider federal compliance, HHS does build flexibility into its expectations because it recognizes the diversity of organizations within the healthcare industry. As a result, the way organizations meet the Security Rule will differ. According to HHS: “What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.”
Because those factors are weighed, the Security Rule will not tell you exactly which technologies or approaches to use. HHS does not get that granular; instead it requires organizations to take into account:
- the probability and criticality of potential risks to ePHI, and what a breach would mean for the business;
- the cost of the security measures;
- your technical infrastructure, hardware, and software security capabilities; and
- your size, complexity, and capabilities.
Additionally, HIPAA compliance mandates that organizations reassess and adjust the steps they take toward health data protection as the threat landscape evolves.
Technical, physical, and administrative safeguards
The Security Rule’s safeguards are organized into these three categories. The split is a reminder that security reaches beyond technical measures to administrative processes and the physical environment.
While security is broader than technical measures, they form a major underpinning of your security and compliance efforts. Per HHS, the technical safeguards include:
- Transmission security – A HIPAA-compliant entity must implement technical security measures that guard against unauthorized access to ePHI while it is being transmitted over an electronic communications network (in practice, encryption in transit and mechanisms that detect modification in transit).
- Audit controls – Hardware, software, and/or procedural mechanisms must be implemented to record and examine activity in information systems that contain or use ePHI: who accessed what, when, and what they did, including failed or denied attempts.
- Access controls – Covered entities and business associates must put in place technical policies and procedures that allow only authorized persons and processes to access ePHI.
- Integrity controls – Policies and procedures must ensure that ePHI is not improperly altered or destroyed, and electronic mechanisms (for example checksums or message authentication codes) must be in place to confirm that it has not been.
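The safeguards above are stated as requirements, not mechanisms. As an added example (not code from the original page or from HHS), the following Python sketches how three of them might be realized in a small ePHI service: access controls that return only the fields a role needs (which also serves the “minimum necessary” idea discussed under information access management below), integrity controls via a keyed hash over each stored record, and audit controls via a hash-chained, append-only log of every attempted access, including denials. Role names, fields, the sample record and the integrity key are constructed assumptions; transmission security (encryption in transit) is not shown.

```python
"""Toy ePHI store illustrating three Security Rule technical safeguards.
Hypothetical example: roles, fields, records and the key are constructed."""
import hashlib
import hmac
import json
import time

INTEGRITY_KEY = b"demo-only-key"  # assumption: a real key lives in a KMS/HSM
GENESIS = "0" * 64

# Minimum necessary: the ePHI fields each (constructed) role may read.
ROLE_FIELDS = {
    "physician": {"patient_id", "name", "diagnosis", "medications"},
    "billing": {"patient_id", "name", "insurance_id"},
    "front_desk": {"patient_id", "name"},
}
WRITE_ROLES = {"physician"}  # roles permitted to create or update records


def canonical(obj) -> bytes:
    """Deterministic JSON so hashes are stable regardless of dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> str:
    """Integrity control: keyed hash over a record; detects improper alteration."""
    return hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()


class AuditLog:
    """Audit control: append-only log; each entry commits to the previous hash."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event = dict(event, ts=time.time())
        digest = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})

    def verify(self) -> bool:
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            expected = hashlib.sha256(prev.encode() + canonical(e["event"])).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


class EPHIStore:
    """Access control: every read or write is authorized by role and logged."""

    def __init__(self):
        self.records = {}  # patient_id -> [record, seal]
        self.audit = AuditLog()

    def _log(self, actor, role, action, pid, outcome, **extra):
        self.audit.append(dict(actor=actor, role=role, action=action,
                               patient=pid, outcome=outcome, **extra))

    def put(self, actor: str, role: str, record: dict) -> None:
        pid = record["patient_id"]
        if role not in WRITE_ROLES:
            self._log(actor, role, "write", pid, "denied")
            raise PermissionError(f"role {role!r} may not write ePHI")
        rec = dict(record)
        self.records[pid] = [rec, seal(rec)]
        self._log(actor, role, "write", pid, "ok")

    def read(self, actor: str, role: str, pid: str) -> dict:
        """Return only the fields the role needs; deny and log everything else."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._log(actor, role, "read", pid, "denied")
            raise PermissionError(f"role {role!r} is not authorized to read ePHI")
        rec, tag = self.records[pid]
        if not hmac.compare_digest(seal(rec), tag):  # integrity check on every read
            self._log(actor, role, "read", pid, "integrity_failure")
            raise ValueError(f"record {pid} failed integrity check")
        fields = sorted(allowed & set(rec))
        self._log(actor, role, "read", pid, "ok", fields=fields)
        return {k: rec[k] for k in fields}


def demo() -> dict:
    """Exercise the safeguards on a constructed record; returns observations."""
    store = EPHIStore()
    store.put("dr_lee", "physician", {"patient_id": "P001", "name": "Jane Example",
              "diagnosis": "J45.20", "medications": ["albuterol"], "insurance_id": "INS-42"})
    out = {"front_desk_fields": sorted(store.read("clerk", "front_desk", "P001"))}
    try:
        store.read("visitor", "janitor", "P001")
        out["unknown_role_denied"] = False
    except PermissionError:
        out["unknown_role_denied"] = True
    out["audit_ok_before"] = store.audit.verify()
    store.records["P001"][0]["diagnosis"] = "Z00.00"  # simulate improper alteration
    try:
        store.read("dr_lee", "physician", "P001")
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    store.audit.entries[1]["event"]["actor"] = "nobody"  # simulate log tampering
    out["audit_ok_after"] = store.audit.verify()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints the observations from demo(): the front-desk read yields only the two permitted fields, an unknown role is denied and the denial is logged, an edited record fails its integrity check on the next read, and an edited audit entry breaks the chain. In a real deployment the key would come from a KMS, the log would be forwarded to a system the application cannot modify, and these checks would sit behind an authenticated API rather than trusting an in-process caller to state its role.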
Beyond the data systems themselves and those technical precautions, you also need to think about your physical space:
- Workstation and device security – Policies and procedures must specify proper use of and access to workstations and electronic media. HIPAA also requires covered entities and business associates to have policies and procedures governing the transfer, removal, disposal, and reuse of electronic media so that any ePHI on them stays protected (for example, media are sanitized or destroyed before disposal).
- Facility access and control – You must limit physical access to your facilities while ensuring that authorized persons can still get in.
Physical controls should not be overlooked. The HHS highlighted physical security in a May 2018 newsletter, providing questions organizations could ask themselves to identify and mitigate risk.
Along with the steps that can be taken technically within data systems and physically to protect equipment, you also need steps to improve how you manage security, through administrative controls:
- Workforce management and training – All workforce members who handle ePHI must be authorized and supervised. The security policies and procedures you adopt must be conveyed to staff through training, and HHS requires that you apply sanctions to workforce members who violate them.
- Security official – You must designate a security official who is responsible for developing and implementing your security policies and procedures.
- Information access management – Consistent with the Privacy Rule’s “minimum necessary” standard (which limits use and disclosure to the least PHI needed for the purpose), the Security Rule requires policies and procedures that restrict each user’s access to ePHI to what is appropriate for that user’s role.
- Security management – Organizations must identify and analyze potential risks to ePHI, and covered entities and business associates must implement security measures that reduce those risks to a reasonable and appropriate level.
- Risk assessment – Covered entities, and the business associates that handle ePHI on their behalf, must periodically assess how well their security policies and procedures meet the requirements of the Security Rule.
Comprehensive risk assessment should recur so that you keep an accurate picture of your current environment and of how it is changing. How often depends on the nature of your organization. “Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment,” noted the HHS. The same cadence can work for business associates.
Strong cybersecurity with HIPAA business associates
HIPAA-compliant organizations should be deeply concerned with cybersecurity, and given that concern they often tap the expertise of third parties. Those relationships should be grounded in a risk assessment conducted by both parties at the outset, with its results guiding the business associate agreement. Keep in mind that HHS does not certify HIPAA compliance; a vendor’s “HIPAA certification” is a self-assessment or a private third-party assessment, not a government endorsement. Choosing business associates that also hold a current SSAE 18 (SOC) audit report for their data centers, performed by an independent CPA firm under the standard maintained by the American Institute of Certified Public Accountants, gives you additional assurance that industry-standard controls protect your ePHI, provided you check that the report’s scope actually covers the systems and services you use.