Keeping HIPAA Compliant Data Secure
In 1996, in an effort to protect privacy for medical patients, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. While HIPAA has greatly improved security of patient information, it presents unique challenges for data security experts tasked with storing large amounts of vital data.
HIPAA data compliance is often confused with data security. HIPAA compliance, however, is just the first step in keeping healthcare data secure across multiple networks and in the cloud.
Keeping healthcare data HIPAA compliant ensures that patient information remains private, assuming that the network the data is stored on is secure against unwelcome eyes. But if hackers gain access to an unsecured system, they can read, modify, or even sell private patient information. Hackers can also set up ransomware attacks that can render patient records unusable (even though they are HIPAA compliant) until the facility pays the ransom.
Medical businesses such as hospitals, private practices, and clinics should have someone on staff who understands the need for patient data to be HIPAA compliant and secure at the same time. A manager or administrator with a master’s in health administration can be an invaluable addition to any healthcare office.
De-identification
For a long time, healthcare data was simply retained on a local network for record-keeping purposes. Adding to the complexities of data security, big data can now provide valuable ways to turn all of that stored data into strategic insights that can affect the entire healthcare industry.
However, healthcare has been one of the last major industries to explore the benefits of data analytics, stemming from a fear of HIPAA breaches. To alleviate those concerns, cybersecurity personnel and HIPAA legal experts have introduced the process of de-identifying sensitive patient data.
“Regulations like HIPAA require that data custodians provide for a process to limit the ability to identify a data subject from a clinical dataset,” explains biotech expert Sujay Jadhav in his article, “ ” on LinkedIn.com. “Only when clinical data is de-identified according to this process, it may be disclosed to a third party or presumably used in a big data analytics workflow.”
The de-identification process typically involves removing any information from medical data that could potentially be used to identify the patient. Identifying data can include names, addresses and geographical data, phone numbers, email addresses, Social Security numbers, account numbers, vehicle identification information, biometric identifiers, and anything else that keeps the data from being truly anonymous.
Unfortunately, hackers still occasionally find ways to re-identify patients through a process of elimination by combining two or more sets of data, or simply by breaking into a system where the data has not yet been de-identified. Genetic sequencing information is also required to be de-identified, but a person’s genetic sequence is a unique quality, so complete de-identification is impossible.
“Rapid growth in the volume of health-related information increases the risk of privacy violations, particularly when data sets are combined,” claims the Arnall Golden Gregory LLP law firm in its “Big Data Analytics Under HIPAA” blog post. “Data anonymization tools such as de-identification are useful but cannot eliminate risks to re-identification.”
Exploring HIPAA in the “new normal”
As electronic health records became more commonplace, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act to help add additional enforcement to HIPAA. Signed into law in February 2009, it promotes the “adoption and meaningful use of health information technology,” according to the HHS website. It mandates audits of healthcare providers to determine whether they are compliant with HIPAA’s privacy and security rules.
Today, technology plays a greater part than ever in how people receive healthcare and experience the healthcare field. Developments like the COVID-19 pandemic and the ubiquity of smartphones have led to a robust telehealth industry, meaning even more patient data is now created during distanced electronic communications.
According the Department of Health and Human Services (HHS), telehealth usage rose by 50% between January and early June of 2020. This increased flow of electronic information includes sensitive data of both a written and verbal nature, which HIPAA is tasked with safeguarding.
Because healthcare records, unlike credit cards, can’t be canceled, changed, or reset in the event of a breach, healthcare providers have increasingly become the target of hackers. This makes it paramount that the integrity of patient files remains protected at all cost.
Securing healthcare data
The primary focus of HIPAA centers on the documentation of medical information, clinical test results, and procedures for keeping sensitive patient information private, both on paper and in spoken conversation. Data security, as an industry, is concerned with keeping all types of data, including HIPAA data, secure from unauthorized access across connected networks.
Several security standards of control are covered by the HIPAA Security Series “Security Standards: Technical Safeguards.” These standards include:
- Access Control: Safeguarding data by restricting user rights and privileges to files, databases, applications, and networks.
- Audit Control: Recording information system activity via hardware or software for purposes of discovering inappropriate or risky activity.
- Integrity Control: Implementing policies and procedures designed to protect electronic protected health information against tampering.
- Person of Entity Authentication: Verifying the identity of a user who is attempting to access protected health information.
- Transmission Security: Ensuring that access to sensitive data transmitted over a network is limited only to authorized access.
“Common technical safeguard options can include, but are not limited to, the following: anti-virus software, multi-factor or two-factor authentication, data encryption, de-identification of data, firewalls, mobile device management (MDM), and remote wipe capability,” says HIPAA authority Elizabeth Snell in her article, “Implementing HIPAA Technical Safeguards For Data Security” on HealthITSecurity.com. “While no healthcare organization can guarantee that a data breach or security incident will never happen, utilizing the necessary safeguards can help prevent them from occurring.”
Perhaps the most important part of a solid cybersecurity policy in a healthcare organization is the training of employees. A security-conscious health administrator will implement ongoing security training for employees to ensure that the IT department’s security measures aren’t compromised by human error.
The basic elements of a good cybersecurity training program for a healthcare organization are covered by medical data security expert Amit Kulkarni’s HealthITOutcomes.com article, “Why HIPAA Compliance Does Not Equal Data Security.” Kulkarni’s suggested training topics include:
- Creating strong passwords and changing them regularly.
- Securing users’ login credentials.
- Keeping login credentials secret, known only by the user.
- Logging into systems or transmitting sensitive data only from secured networks and devices.
- Seeking authorization to remove any type of hardware (laptops, tablets, and the like) from the medical facility.
- Opening files and emails only from known sources (unknown sources can give hackers access).
- Detecting attempts at unauthorized access, such as phishing emails.
These areas are the most frequent methods from which the infrastructure of a healthcare organization can be compromised. The most effective ways to maintain network security are often the simplest to implement. For example, try not to write passwords down; if you do, keep them in a secure location.
You can also avoid using public Wi-Fi when accessing sensitive information and immediately report any lost devices to management or the IT director at your place of employment. It also helps not to open emails from unfamiliar sources. The less often such mistakes take place, the better cybersecurity measures will work. Constant, repetitive training can help to achieve this goal.
Maryville University’s Master of Health Administration
Maryville University’s online Master of Health Administration (MHA) program helps prepare students for careers in healthcare management where they will fall under HIPAA confidentiality laws and privacy rules.
Maryville’s program offers four concentrations — Data Management, Healthcare Strategies, Population Management, and Senior Services — as well as a general MHA track. Contact Maryville University to learn more.
Sources
Arnall Golden Gregory LLP, “Big Data Analytics Under HIPAA”
Department of Health and Human Services, “HIPPA Security Series”
Health IT Outcomes, “Why HIPAA Compliance Does Not Equal Data Security”
Sujay Jadhav, “Is HIPAA a Barrier to Big Data in Biomedical Research?”