The Health Insurance Portability and Accountability Act (HIPAA) is a complex law with a broad scope that was introduced in 1996 to make health insurance plans more transferable between employers, as well as to protect patient privacy. Compliance is mandatory for any organization that handles protected health information (PHI). In addition to healthcare facilities themselves, this includes all organizations that handle PHI data on their behalf.
What does HIPAA mean for IT?
HIPAA legislation is unsurprisingly vague with regards to exactly which technical requirements IT teams need to provision. After all, IT environments were very different back in the 90s, long before cloud and mobile computing became a thing. Even in the last few years, technology has changed a great deal, and new threats to sensitive information are appearing every day. Because of this, healthcare IT teams, and any third parties they work with, must regularly audit their technology infrastructures to ensure that they meet the HIPAA compliance requirements.
Related article: IT Items That Should Be on Every HIPAA Compliance Checklist
#1. Implement multi-layered access controls
Passwords have long played a central role in protecting digital assets, but they are not enough by themselves. Having a strong password policy that prohibits weak passwords is important, but even these may be susceptible to social engineering attacks. Cybercriminals often target the healthcare sector in an attempt to dupe employees into giving away their login information.
However, social engineering scams are far less likely to succeed if your systems are protected behind multiple user verification levels. For example, a login from a new device or network, or an unfamiliar location, might prompt users to verify their identities. Multifactor authentication (MFA) is a popular and effective way to exponentially improve security.
#2. Encrypt all data in storage and in transit
Unencrypted digital data is highly vulnerable to a breach, even if access to the device or user account is protected by multiple user verification layers. For example, data being transmitted over a poorly secured wireless network, such as a public WiFi hotspot, is especially vulnerable to eavesdroppers and man-in-the-middle attacks.
All healthcare data should be encrypted, whether it’s in storage or being transmitted. Cloud storage services must provide encryption in order to meet HIPAA compliance requirements. Moreover, all online communication channels, such as instant messaging and telemedicine services, should have full end-to-end encryption enabled.
#3. Factor in backup and disaster recovery
Healthcare records must generally be stored for at least six years. However, regardless of the legal data retention requirements, the sudden and unexpected loss of healthcare data can be severely detrimental to patients. Healthcare facilities are often targeted by ransomware and other threats, so it’s essential to take steps to mitigate these risks.
A robust backup and disaster recovery strategy is critical for meeting the HIPAA compliance requirements, as well as ensuring the safety of patients. Organizations should backup all their data incrementally at regular intervals, and they should have at least three copies, including a copy stored in an off-site location.
#4. Prevent leaks with data loss prevention
Data breaches aren’t always the result of deliberately malicious activity. Many are innocent mistakes, and though these can be mitigated by training, it’s crucial that you prepare for the worst and implement a robust way of enforcing your compliance and security policies. This will help you meet the accountability requirements of the HIPAA law as well.
Data loss prevention (DLP) offers a technical solution that monitors outgoing communications for potential data leaks. For example, if it discovers sensitive data, such as social insurance numbers, being sent over an insecure or prohibited channel like email, it will stop the message from going through. An administrator can then review the activity and identify the root cause.
#5. Establish granular auditing trails for PHI
Perhaps the most alarming thing of all about data breaches is that most aren’t discovered until months after they’ve occurred, which is usually long after the stolen data has ended up on the dark web markets. Most of the time, this enormous delay is down to a lack of auditable controls and administrative oversight, and it’s a common problem in today’s disparate IT environments.
Related article: Achieving HIPAA IT Compliance: Begin Preparing for Success Now
Fortunately, every digital activity leaves an auditable trail of data. This provides insights into things like access attempts, account activities, and potential data exfiltration. However, for this to be effective, it is necessary to adopt the principle of least privilege, where employees only have access to the data they need to do their jobs. IT systems also need to be consolidated and monitored centrally by a security team to ensure that nothing gets overlooked.
Charles IT provides comprehensive HIPAA compliance assessments and security services to protect your organization from data leaks and other cyberthreats. Contact us today to find out more.
Editor's Note: This blog was originally published on April 2, 2021. It was edited on June 28, 2023 for accuracy.