Network security breaches wreak havoc on healthcare organizations. One hole in a hospital’s cyber security can leave private patient data wide open for those with malicious intent to take and use to their advantage; Electronic Health Records (EHRs) can be encrypted and made useless by hackers demanding a ransom in exchange for their encryption key; and sensitive data can be sold to ill-intentioned entities all over the world.
For a healthcare business to remain compliant with the guidelines and requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA), it must safeguard its patients’ and clients’ personal information. In a world of computers and networks, sensitive patient data must be protected against the unwelcome eyes of hackers, identity thieves, spammers, and other malefactors of that ilk.
Because of this growing threat, healthcare organizations everywhere are stepping up their cyber security game by increasing their IT budget and hiring professionals trained with a bachelor’s degree in cyber security. These newly hired security specialists will be responsible for keeping vast amounts of patient information safe and accessible only to authorized staff members and affiliates.
Compliance Is Not Enough
While EHRs contain sensitive patient information out of necessity (doctors can hardly be expected to follow a patient’s progress without a record of treatment), healthcare data now stretches far beyond EHRs into the realm of Big Data analytics. This shared data requires strict compliance with HIPAA’s Privacy Rule, which states that identifying information must be either removed from shared data or de-identified (made anonymous or encrypted).
The Arnall Golden Gregory law firm, in its 2016 blog post, “Big Data Analytics Under HIPAA,” details what it referred to as the “safe harbor” method of de-identification. Identifiers that fall within the “safe harbor” definition include names, addresses, Social Security numbers, and any other information that could be used to identify a specific person or a group of individuals.
But because of heavy penalties incurred by HIPAA violations, many healthcare providers expend a majority of their resources on simply meeting HIPAA’s Privacy Rule while neglecting to execute further cyber security measures.
Data might be de-identified, but this doesn’t help when EHRs can still be accessed through stolen login credentials, unauthorized logins, phishing, and misplaced devices. Once patient records are accessed, they can be cross-referenced with de-identified data to re-identify anonymous information.
“There is clearly a need for organizations to employ automated systems that continually monitor the organization’s network, establish a baseline pattern for each individual user, pick up on any deviations from that user’s pattern, and then require additional authentication before allowing the aberrant action to proceed while simultaneously reporting it to the IT security team,” explains cyber surveillance expert Amit KulKarni in “Why HIPAA Compliance Does Not Equal Data Security” on the Health IT Outcomes website.
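The monitoring loop described in that quote, sketched as an added example (not code from the article or from the quoted author): it builds a per-user baseline from EHR audit events, flags deviations, requires step-up authentication for them, and collects alerts for the security team. The event fields, sample log rows, one-hour slack and three-standard-deviation ceiling are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-log history: (user, hour_of_day, workstation, records_opened)
HISTORY = [
    ("nurse_a", 8, "ward3-ws1", 12), ("nurse_a", 9, "ward3-ws1", 15),
    ("nurse_a", 14, "ward3-ws2", 10), ("nurse_a", 16, "ward3-ws1", 14),
    ("clerk_b", 10, "billing-ws4", 40), ("clerk_b", 11, "billing-ws4", 35),
    ("clerk_b", 13, "billing-ws4", 45), ("clerk_b", 15, "billing-ws4", 38),
]

def build_baselines(history):
    """Summarise each user's normal hours, workstations and access volume."""
    per_user = defaultdict(list)
    for user, hour, ws, count in history:
        per_user[user].append((hour, ws, count))
    baselines = {}
    for user, rows in per_user.items():
        counts = [c for _, _, c in rows]
        baselines[user] = {
            "hours": (min(h for h, _, _ in rows), max(h for h, _, _ in rows)),
            "workstations": {ws for _, ws, _ in rows},
            # Volume ceiling: mean + 3 standard deviations (assumed threshold).
            "max_records": mean(counts) + 3 * pstdev(counts),
        }
    return baselines

def evaluate(event, baselines, slack_hours=1):
    """Return (decision, reasons); any deviation triggers step-up authentication."""
    user, hour, ws, count = event
    base = baselines.get(user)
    if base is None:
        return "step_up", ["no baseline for user"]
    reasons = []
    lo, hi = base["hours"]
    if not lo - slack_hours <= hour <= hi + slack_hours:
        reasons.append(f"hour {hour} outside usual {lo}-{hi}")
    if ws not in base["workstations"]:
        reasons.append(f"unfamiliar workstation {ws}")
    if count > base["max_records"]:
        reasons.append(f"{count} records exceeds ceiling {base['max_records']:.0f}")
    return ("step_up" if reasons else "allow"), reasons

def process(events, baselines):
    """Evaluate each event and return the alerts destined for the security team."""
    decided = [(e[0], *evaluate(e, baselines)) for e in events]
    return [{"user": u, "reasons": r} for u, d, r in decided if d == "step_up"]
```

A session that matches the user's history is allowed silently; a login at an unusual hour, from an unfamiliar workstation, or pulling far more records than usual is held for additional authentication and reported with its reasons.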
A Holistic Approach To Healthcare Security
In addition to the HIPAA Privacy Rule, a separate Security Rule is also in place that attempts to cover the safeguarding of patient data through a variety of approaches. HIPAAacademy.net covers these approaches on its “HIPAA Security Rule Standards” page.
Administrative safeguards approach privacy and cyber security from a management perspective:
- Security management process – risk analysis, risk management, information system activity review.
- Workforce security – authorization and/or supervision, workforce clearance procedures, termination procedures.
- Information access management – access authorization, access establishment and modification.
- Security awareness and training – security reminders, protection from malicious software, login monitoring, password management.
- Contingency plans – data backup, disaster recovery, and emergency mode operation plans.
Physical safeguard standards are put in place to enable cyber security and privacy measures to operate efficiently, under lock and key:
- Facility access controls – limitations on physical access, validation procedures, maintenance records.
- Workstation use and workstation security – restricting access to workstations, physical barriers, keycard access to workstations.
- Device and media controls – disposal, media re-use, accountability, data backup and storage.
Technical safeguards are enabled to ensure that information is only accessed by authorized personnel and is only transmitted over networks in a secure way:
- Access control – unique user identification, emergency access procedures, automatic logoff, encryption and decryption.
- Audit controls – hardware, software, and procedural mechanisms for recording and examining activities.
- Integrity controls – mechanisms designed to authenticate electronic personal health information (e-PHI).
- Transmission security – integrity controls, encryption, safeguards against unauthorized access of e-PHI during transmission.
Outside of HIPAA, the National Institute of Standards and Technology (NIST) publishes a helpful guide titled “Framework For Improving Critical Infrastructure Cybersecurity.”
NIST’s Framework “focuses on using business drivers to guide cybersecurity activities, and considering cybersecurity risks as part of the organization’s risk management process. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.”
Essentially, NIST’s Framework Core is a set of cyber security information common to most organizations with a critical infrastructure. The information is then used to develop individual organizational Framework Profiles. Finally, the Framework Implementation Tiers help the organization view and understand how it aligns its cyber security activities with its needs, tolerances, and resources.
Both HIPAA’s Security Rule and NIST’s Framework can greatly reduce a healthcare organization or provider’s cyber security risks. The more budget and resources are diverted to IT security personnel, the better the organization will fare when cyber threats inevitably come along. But these threats are increasing, not decreasing.
The rising popularity and functionality of Internet of Things (IoT) devices is great for keeping track of patients’ health, heart rates, vital stats, exercise levels, and sleep quality, but because these devices collect sensitive data and share it across multiple networks, they pose yet another risk to cyber security.
“It is not only the information collected by these devices that is a cause for concern,” according to “New Report Published On Privacy Risks Of Personal Health Wearable Devices” on HIPAAjournal.com. “Data collected by the devices can, in turn, be combined with personal information from other sources – including healthcare providers and drug companies – raising such potential harms as discriminatory profiling, manipulative marketing, and security breaches.”
Technological advancements are changing the landscape of our entire society, and since most of these technologies are “smart” technologies, capable of connecting with everything else, cyber security is instrumental to maintaining privacy and security in a world full of shared connections.
Sources
- Big Data Analytics Under HIPAA – http://www.agg.com/Big-Data-Analytics-Under-HIPAA-03-17-2016/
- Why HIPAA Compliance Does Not Equal Data Security – https://www.healthitoutcomes.com/doc/why-hipaa-compliance-does-not-equal-data-security-0001
- HIPAA Security Rule Standards – http://www.hipaaacademy.net/managed-compliance/hipaa-consultant-staffing/hipaa-security-rule/
- Framework For Improving Critical Infrastructure Cybersecurity – https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
- New Report Published On Privacy Risks Of Personal Health Wearable Devices – http://www.hipaajournal.com/new-report-published-privacy-risks-personal-health-wearable-devices-8626/