The healthcare sector has faced significant privacy and data challenges for decades. With everything going digital, these challenges have become even more pressing. Healthcare organizations are prime targets for cybercriminals, facing a surge in ransomware attacks, data breaches, phishing scams, and other malicious activities.
In a world where data storage and communication with patients heavily rely on digital platforms, how can healthcare organizations become cyber resilient?
HIPAA Compliance–More than Just a Checkmark
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect sensitive health information and medical records from unauthorized disclosure. The HIPAA Privacy Rule safeguards protected health information (PHI) in any form, while the HIPAA Security Rule covers PHI that is created, stored, transmitted, or received in electronic form, known as electronic protected health information (ePHI).
Covered entities, including hospitals, doctor's offices, and health insurance providers, and the business associates that handle ePHI on their behalf, must abide by the HIPAA Security Rule when handling ePHI, both when patient data is at rest and when it is in transit.
Below are the safeguards that organizations must implement to protect ePHI and comply with the Security Rule:
1. Administrative Safeguards
Organizations must develop security management processes that identify, analyze, and mitigate potential risks to ePHI. While protecting patient safety and data is a shared responsibility, there must be a designated security official or team responsible for developing and deploying the security policies and procedures that comply with the HIPAA Privacy Rule and Security Rule. After deploying these policies and procedures, the security official or team should provide appropriate security training and awareness to all employees of the healthcare organization. Finally, IT or security officials should continuously monitor and evaluate the effectiveness of the security policies and procedures to ensure ongoing compliance with the Security Rule.
2. Physical Safeguards
At physical healthcare locations, staff must limit physical access to sensitive areas of the buildings and ensure that only authorized individuals are allowed in. The designated security official or team should adopt policies and procedures that specify proper use of and access to workstations, electronic media, and ePHI. A plan should be in place for the transfer, removal, disposal, and re-use of electronic media so that ePHI is not left behind on discarded or repurposed hardware.
3. Technical Safeguards
The Security Rule's technical safeguards are access control, audit controls, integrity controls, and transmission security. By strengthening these controls, healthcare organizations can proactively mitigate risk and protect ePHI wherever it is stored or transmitted.
Common HIPAA Violations and Their Consequences
Healthcare organizations must comply with HIPAA regulations. If they don't, they face potential financial penalties as well as reputational damage: loss of patient trust, loss of credibility, and difficulty recruiting staff.
Below are common HIPAA violations with real-life examples:
Lack of Risk Management Process
One of the most common HIPAA violations is the failure to conduct regular risk analyses that identify potential vulnerabilities affecting PHI and ePHI. Neglecting ongoing monitoring and risk analysis leaves a window open for malicious actors to exploit systems and platforms. In 2015, Lahey Hospital and Medical Center in Massachusetts agreed to an $850,000 settlement and a two-year corrective action plan (CAP) following a data breach; among the violations cited was its failure to conduct a thorough risk analysis covering all of its ePHI.
Performing a risk analysis is not just a checkbox; it is essential, and it is the starting point for a risk management process. After risks are identified through the analysis, they must be prioritized and addressed within a reasonable time frame. Failure to address identified risks to PHI and ePHI compromises patient data. For example, Metro Community Provider Network (MCPN) in Colorado was penalized for security management process failures that preceded a phishing attack. MCPN agreed to pay $400,000 and was placed under a corrective action plan.
Failure to Safeguard ePHI on Portable Devices
The HIPAA Security Rule requires healthcare providers and organizations to limit access to ePHI. Failure to implement appropriate access controls for ePHI constitutes a violation of the Security Rule. The health insurance provider formerly known as Anthem Inc. was penalized $16,000,000 and required to carry out a corrective action plan for failing to provide adequate access controls, along with other HIPAA violations.
Encryption is an addressable rather than a required implementation specification under the HIPAA Security Rule, meaning an organization must either implement it or document why it is not reasonable and appropriate and adopt an equivalent alternative; in practice it is the expected way to safeguard ePHI on portable devices. As much of the communication between a healthcare provider and a patient now happens online, it is crucial to ensure that the data is protected both in transit and at rest. Failure to protect ePHI on mobile devices can lead to serious consequences.
Failure to Issue Breach Notification – The 60-Day Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals of a breach without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. Failure to report discovered data breaches can lead to loss of credibility, loss of patient trust, and significant penalties.
For example, Oklahoma State University Center for Health Sciences agreed to an $875,000 settlement for multiple HIPAA violations, including failing to disclose a breach within the 60-day timeframe.
These are just a few of the many common violations and the consequences of not complying with HIPAA regulations and rules. To read more about strengthening cybersecurity defenses for healthcare organizations, visit our Library, and stay tuned for part two of this blog series, which will explore the growing epidemic of data breaches in the healthcare sector.