Network security breaches wreak havoc on healthcare organizations. One hole in a hospital’s cybersecurity network can expose sensitive patient data for those with malicious intent to take and use to their advantage. Electronic health records (EHRs) can be encrypted and made useless by hackers who often demand a ransom in exchange for their encryption key. And sensitive data can be sold all over the world.
For a healthcare business to remain compliant with the guidelines and requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA), it must safeguard its patients’ and clients’ personal information. An integral policy of the U.S. Department of Health and Human Services (HHS), HIPAA is a federal law that protects sensitive health information from being disclosed without the patient’s consent or knowledge.
In a world of computers and networks, sensitive patient data must be protected against the unwelcome eyes of hackers, identity thieves, spammers, and others.
Because of this growing threat, healthcare organizations everywhere are stepping up their cybersecurity game by increasing their IT budgets and hiring professionals with at least a bachelor’s degree in cybersecurity. These security specialists are responsible for keeping vast amounts of patient information safe and accessible only to authorized staff members and affiliates.
Compliance is not enough
While EHRs contain sensitive patient information out of necessity, healthcare data now stretches far beyond EHRs into the realm of big data analytics. This shared data requires strict compliance with HIPAA’s Privacy Rule, which states that identifying information must be either removed from shared data or de-identified (made anonymous or encrypted).
On its website, HHS offers guidance on how to approach de-identification. But because of heavy penalties incurred by HIPAA violations, many healthcare providers expend much of their resources on simply meeting HIPAA’s Privacy Rule while neglecting to execute further cybersecurity measures.
Data might be de-identified, but this doesn’t help when EHRs can still be accessed through stolen login credentials, unauthorized logins, phishing, and misplaced devices. Once patient records are accessed, they can be cross-referenced with de-identified data to re-identify anonymous information.
“There is clearly a need for organizations to employ automated systems that continually monitor the organization’s network, establish a baseline pattern for each individual user, pick up on any deviations from that user’s pattern, and then require additional authentication before allowing the aberrant action to proceed while simultaneously reporting it the IT security team,” explains cyber surveillance expert Amit Kulkarni in “Why HIPAA Compliance Does Not Equal Data Security.”
A holistic approach to healthcare security
In addition to the HIPAA Privacy Rule, a separate Security Rule is also in place that attempts to safeguard patient data through a variety of approaches. HIPAAacademy.net covers these approaches on its “HIPAA Security Rule Standards” page.
Administrative safeguards approach privacy and cybersecurity issues from a management perspective:
- Security management process involves risk analysis, risk management, and information system activity review.
- Workforce security deals with authorization and/or supervision, workforce clearance procedures, and termination procedures.
- Information access management involves access authorization, access establishment, and modification.
- Security awareness and training has to do with security reminders, protection from malicious software, login monitoring, and password management.
- Contingency plans deal with data backup, disaster recovery, and emergency mode operation plans.
Physical safeguard standards are put in place to enable cybersecurity and privacy measures to operate efficiently, under lock and key. Here are some examples:
- Facility access controls focus on limitations on physical access, validation procedures, and maintenance records.
- Workstation use and security involves restricting access to workstations, physical barriers, and keycard access.
- Device and media controls deal with disposal, media re-use, accountability, data backup, and storage.
Technical safeguards are enabled to ensure that information is only accessed by authorized personnel and only transmitted over networks securely:
- Access control ensures unique user identification, emergency access procedures, automatic logoff, and encryption and decryption.
- Audit controls focus on hardware, software, and procedural mechanisms for recording and examining activities.
- Integrity controls deal with mechanisms designed to authenticate electronic personal health information (e-PHI).
- Transmission security regulates integrity controls, encryption, and safeguards against unauthorized access of e-PHI during transmission.
Outside of HIPAA, the National Institute of Standards and Technology (NIST) publishes a helpful guide titled “Framework for Improving Critical Infrastructure Cybersecurity.”
NIST’s framework “focuses on using business drivers to guide cybersecurity activities, and considering cybersecurity risks as part of the organization’s risk management process. The framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.”
Essentially, NIST’s Framework Core is a set of cybersecurity guidelines that are common to most organizations with a critical infrastructure. The information is used to develop individual organizational Framework Profiles. Ultimately, the Framework Implementation Tiers help the organization view and understand how it aligns its cybersecurity activities with its needs, tolerances, and resources.
Both HIPAA’s Security Rule and NIST’s Framework can greatly reduce a healthcare organization or provider’s cybersecurity risks. The more budget and resources are diverted to IT security personnel, the better the organization is likely to fare when cyber threats inevitably come along. But these threats are increasing, not decreasing.
With the rise of technology and global issues like the COVID-19 pandemic, more patients are turning to telehealth to receive treatment from a safe distance. With communication technology at the forefront of telehealth — and vulnerable to intercept, negligence, or misuse — the HHS and Office for Civil Rights (OCR) has implemented a series of guidance standards on telehealth remote communications. These guidelines exercise discretion in enforcement to “not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth using communication technologies during the COVID-19 nationwide public health emergency.”
Another aspect to consider is the rising popularity and functionality of Internet of Things (IoT) devices. These devices are great for keeping track of patients’ health, heart rates, vital stats, exercise levels, and sleep quality, but because they collect sensitive data and share it across multiple networks, they can pose yet another risk to cybersecurity.
“It is not only the information collected by these devices this is a cause for concern,” according to HIPAAjournal.com. “Data collected by the devices can, in turn, be combined with personal information from other sources — including healthcare providers and drug companies — raising such potential harms as discriminatory profiling, manipulative marketing, and security breaches.”
Technological advancements are changing the landscape of our entire society, and since most of these are “smart” technologies capable of connecting with everything else, cybersecurity is instrumental to maintaining privacy and security in a world full of shared connections.
Become part of the solution with your online degree in cybersecurity from Maryville University
Maryville University’s online cybersecurity degree programs offer advanced training in cybersecurity, mobile security, digital forensics, and malware analysis. All skills are learned and practiced in Maryville University’s virtual training lab. Upon graduation, students may qualify for high-paying positions such as networking consultant, information security manager, security analyst, or network architect in some of the world’s largest tech companies.
Contact Maryville University for more information.
Arnall Golden Gregory LLP, “Big Data Analytics Under HIPAA”
Health IT Outcomes, “Why HIPAA Compliance Does Not Equal Data Security”
HIPAA academy, “HIPAA Security Rule Standards”
National Institute of Standards and Technology, “Framework For Improving Critical Infrastructure Cybersecurity”
HIPAA Journal, “New Report Published on Privacy Risks of Personal Health Wearable Devices”
U.S. Department of Health & Human Services, “OCR Issues Guidance on Telehealth Remote Communications Following Its Notification of Enforcement Discretion”