What Healthcare Providers Must Know About the New HIPAA Security Rule

Healthcare organizations are facing increasingly sophisticated cybersecurity attacks, which is pushing entities to remain vigilant in keeping protected health in formation (PHI) secure. The HIPAA Security Rule is a national standard that can help organizations maintain current and comprehensive healthcare data security.

Established in 2003, the HIPAA Security Rule was designed “to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care,” according to HHS.

The Security Rule was also created to be flexible for healthcare organizations, allowing entities to “implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.”

Cybersecurity attacks are on the rise, showing that covered entities cannot afford to ignore their ever-evolving data security needs.

Just under half of providers and health plans (47 percent) said they had instances of security-related HIPAA violations or cybersecurity attacks impacting data, according to KPMG’s 2017 Cyber Healthcare & Life Sciences Survey. Thirty-seven percent of respondents in the 2015 survey said the same.

Healthcare organization leaders are also expecting cybersecurity attacks to continue in the near future. Sixty-seven percent of interviewed CISOs said they think their organization will experience a cybersecurity attack in 2018, a 2018 Ponemon & Opus survey found.

CISOs said their top concerns with regard to cybersecurity were a careless employee falling for a phishing scam (65 percent), a significant disruption caused by malware (61 percent), a cyberattack causing significant downtime (59 percent), and a large-scale data breach involving more than 10,000 customer or employee records (53 percent).

In response, organizations are investing in new technologies to help prevent, detect, and mitigate new threats. Seventy-six percent of those surveyed by KPMG said they planned to make more investments in technology (i.e. software, firewalls, encryption), while 83 percent said they would invest in stronger policy/controls around data access and processes.

As entities build up their cybersecurity defenses, they will need to utilize the Security Rule to account for potential risks and adopt cybersecurity measures that match their specific needs and infrastructure goals.

Understanding the HIPAA Security Rule, its required safeguards, and other key measures will help healthcare providers create a current and comprehensive approach to data security.

What are the required safeguards under the HIPAA Security Rule?

The Security Rule requires covered entities to maintain reasonable and appropriate administrative safeguards, technical safeguards, and physical safeguards.

Administrative safeguards are policies and procedures designed “to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information,” according to HHS.

Covered entities must implement policies and procedures that help guide employees in the proper care and use of ePHI. For example, security training requirements and correct delegation of certain security responsibilities would be classified as administrative safeguards.

HHS explains that technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguards include the specific technology that providers implement for ePHI security.

Anti-virus software, multi-factor or two-factor authentication, data encryption, de-identification of data, firewalls, mobile device management (MDM), and remote wipe capability are all types of technical safeguards.

Physical safeguards are “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion,” HHS states.

For example, covered entities should review their facility access controls, workstation use, workstation security, and device and media controls during physical safeguard implementation.

All physical access to PHI and ePHI must be considered. Some healthcare organizations may have secondary physical locations where data is stored, or entities may allow employees to work from their own homes. These additional locations would need to be considered for complete data security.

The Security Rule does not require a standard checklist of specific safeguards. Instead, covered entities must utilize technologies and strategies that are “reasonable and appropriate” for their needs.

These needs can vary by organization size and type. For example, a large hospital system might allow physicians to use their own smartphones or tablets for work purposes. In this case, the hospital system would likely benefit from installing data encryption on the devices, or even having an MDM policy in place.

However, a single physician practice may not have the same technical safeguard needs. Instead, the practice could improve its security measures by having current anti-virus and anti-malware on its computer.

Lackluster or outdated safeguards can lead to healthcare data breaches, many of which have made recent headlines. In Marcy of 2017, a Pennsylvania grand jury indicted a former healthcare employee, following a 2013 data breach involving weak administrative safeguards.

The individual was able to use his passwords to defraud a healthcare organization. The facility had hired Brandon A. Coughlin in January 2013 to work as an in-house computer systems administrator. Coughlin resigned one month later at the management’s request.

“Using the administrative passwords he knew from his employment, on September 18, 2013, Coughlin hacked the computer network of the healthcare facility, disabled all administrative accounts needed to control any and all of the computer servers of the healthcare facility, and deleted users’ network shares, business data, and patient health information data, including patient medical records, causing a loss of more than $5000,” the Attorney’s Office explained.

Healthcare organizations need to diligently monitor their safeguards, ensuring they remain current and are updated as needed to account for new technologies or for changes in employment at their facilities.

What the Security Rule says about risk analyses

The Security Rule requires covered entities to perform a regular risk analysis as part of their administrative safeguards.

With a risk analysis, healthcare organizations must evaluate the likelihood and impact of potential risks to ePHI and then implement appropriate security measures to address identified risks. Additionally, entities will need to “document the chosen security measures and, where required, the rationale for adopting those measures and maintain continuous, reasonable, and appropriate security protections.”

HHS will use the following criteria to determine the likelihood that PHI was inappropriately used or disclosed in a potential breach:

• The nature of the information involved
• The authorized person responsible
• Whether PHI was actually acquired or viewed
• To what extent the risk to the PHI was mitigated

Covered entities can use these four factors to help assess their own potential risk areas. For example, a hospital should ensure it has properly documented which employees are allowed access to PHI, and to what extent that access is allowed. If there is a breach of information, the hospital can use its internal audit process to see if one of those employees was involved in the incident.

Risk analysis should be an ongoing process, with entities regularly reviewing their records and tracking PHI access to better detect security incidents, HHS stresses. Organizations will also benefit from conducting regular re-evaluations of potential PHI risks.

Entities must understand what the threats are, what their own abilities are, and what the resulting potential impact on them as a healthcare organization may be.

Staying up to date on potential risks can help guide investment. The 2018 HIMSS Analytics HIT Security and Risk Management Study found that 60 percent of healthcare providers identify risk assessments as the number one driver for security investments.

Additionally, 94 percent of IT leadership and professionals said risk assessment was a driver for security investments in 2017, while only 74 percent of respondents said the same the previous year.

Healthcare entities must be able to protect sensitive data, protect their ability to deliver care, have a quick response time, and ensure a minimal impact should an incident occur, said Axel Wirth, Symantec Healthcare Solutions Architect, to HealthITSecurity.com. Organizations need to make wise investments, especially because there is never enough money for security, he added.

“A risk analysis, risk assessment, risk management-driven approach is the right way of doing it,” he emphasized. “But understanding your risk and the spectrum of risk in healthcare is very broad.”

“Entities must understand what the threats are, what their own abilities are, and what the resulting potential impact on them as a healthcare organization may be.”

EHNAC: Risk Assessments, IoT Security Crucial in Attack Mitigation

Implementing the NIST CSF for Improved Healthcare Data Security

What are other key aspects of the Security Rule?

There are two types of measures within the Security Rule: required measures, which must be adopted, and addressable measures, which allow more flexibility based on the entity’s “reasonable and appropriate” needs.

Access control is one technical safeguard requirement that includes both required and addressable measures.

“Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files,” the HHS Security Series explains.

“A covered entity can comply with this standard through a combination of access control methods and technical controls.”

There are four implementation specifications for access controls, half of which are required and half of which are addressable.

Unique user identification and an emergency access procedure are both required. In contrast, the implementation of an automatic logoff option and having encryption/decryption methods in place are considered addressable.

A hospital would be required to have unique user identifications in place for each employee. However, the hospital will need to determine through its risk analysis whether or not data encryption is appropriate. If BYOD options are available, the hospital may decide that data encryption is necessary to lower the risk of ePHI exposure as devices are moved from one place to another.

A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).

This is also a good example of why a regular risk analysis is important for comprehensive data security. A provider that only recently implemented a new technology, such as BYOD, may have originally decided that there was no need for data encryption. But with the change in potential risk to ePHI through the portable devices, the entity may now determine that data encryption is necessary.

The Security Rule also discusses the importance of documenting policies and procedures.

“A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments,” HHS states.

“A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).”

Healthcare organizations need to consider their documentation of policies and procedures. Employee training methods, ePHI storage and transfer, or connected medical devices all require documentation. Entities should note specific devices being used, and whether or not they store or transfer ePHI.

Thorough documentation is also critical for audit preparation, or for an OCR investigation in the wake of a data breach. Should a data breach occur at an organization, the potential subsequent OCR investigation will require that the entity submit all documentation that discusses their potential risk. Documentation on all data breach prevention, mitigation, and response must also be submitted for the audit process.

Comprehensive and current data security measures will also be key for a HIPAA audit, explained Stuart Pologe to HealthITSecurity.com in an earlier interview.

Pologe is COO of Night Nurse, a 24-hour, 365-days-a-year triage support and medical-home compliance provider which went through an in-depth risk assessment audit completed in early 2017.

The audit’s goal was to verify the integrity of patient-identifiable information (PII) and PHI in the organization’s systems.

“The questions required everything from base descriptions of our services and procedures to in-depth descriptions of each technical component of our system infrastructure,” Pologe said. “The report also required a vulnerability assessment for each technology component, and how these risks were mitigated.”

Phase one consisted of compiling the required documentation, which was quite extensive, he explained. The detailed, on-site inspection phase came next, and the final stage entailed remediation.

“The auditors provided extensive reporting and required areas of improvement, based on the many examinations conducted,” Pologe said. “Anything and everything considered a tangible risk was highlighted for mitigation. Additional requirements were provided with compliance time frames of 30 days, six months and one year to achieve the maximum level of compliance.”

Pologe added that the HIPAA audit may be a dreaded task for many organizations, and that it can be very time consuming. However, the audit process can help entities improve their compliance levels and better understand the many hidden risks that can lead to a data breach.

Using the HIPAA Security Rule as a guide will help healthcare providers find the right balance between innovation and security. Entities that implement meaningful technical, administrative, and physical safeguards that meet HIPAA specifications can adopt new technologies to improve patient care, but still ensure that PHI in all its forms stays secure.