Cybersecurity for HIPAA Compliance
How Healthcare Organizations Can Safeguard Patient Information
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national healthcare industry standards for:
According to the Centers for Medicare and Medicaid Services, the purpose of HIPAA is “To reduce paperwork and streamline business processes across the health care system.” The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA regulations.
One element of HIPAA, the HIPAA Security Rule, sets requirements for protecting electronic protected health information (ePHI). Health plans, healthcare clearinghouses, and healthcare providers — also known as covered entities — must protect patient data with “appropriate administrative, physical and technical safeguards.” These security measures are meant to “ensure the confidentiality, integrity, and security” of data, and they apply to business associates of the covered entities, too.
Under HIPAA and the Privacy Rule, healthcare organizations must have safeguards in place for 18 specific patient identifiers:
- Address (including any information more localized than state).
- Any dates related to the individual, including birthdays, date of death, date of admission/discharge, etc. (years are excluded).
- Telephone number.
- Fax number.
- Email address.
- Social Security number.
- Medical record number.
- Health plan beneficiary number.
- Account number.
- Certificate/license number.
- Vehicle identifiers, serial numbers, license plate numbers.
- Device identification or serial numbers.
- Web URLs.
- IP address.
- Biometric identifiers (e.g., fingerprints).
- Full-face photos.
- Any other unique identifying numbers, characteristics, or codes.
Good to Know: What’s the difference between the HIPAA Privacy Rule and the HIPAA Security Rule? The Privacy Rule sets standards for who may access protected health information (PHI), and the Security Rule sets standards ensuring that only those authorized to access ePHI can actually do so.
Why Cybercriminals Want Healthcare Data
Black-hat hackers are motivated mainly by money, and that’s the case when it comes to health records. Steve Morgan, Editor-in-Chief of Cybercrime Magazine, writes, “Healthcare has lagged behind other industries and the tantalizing target on its back is attributable to outdated IT systems, fewer cybersecurity protocols and IT staff, extremely valuable data, and the pressing need for medical practices and hospitals to pay ransoms quickly to regain data.” Although it’s rare, a ransomware attack in which the ransom goes unpaid can even devolve into a killware situation, where the disruption puts patients’ lives at risk.
Cybersecurity insurance provider NOW Insurance reports that PHI has a higher value than other sensitive data because:
- Healthcare organizations are willing to pay higher ransoms to recover data acquired in a breach to avoid damaging patient trust and brand value.
- In addition to accessing bank accounts and credit card numbers, dark web buyers can use PHI to get and sell prescriptions illegally, acquire expensive treatment, and file fraudulent medical claims for insurance payouts. They can also buy email addresses to spam with malware.
According to Health IT Security, in 2021, HHS recorded 550 cyberattacks against healthcare organizations, with a total of 40 million people impacted. Keep in mind that HIPAA only requires covered entities to report healthcare data breaches that affect 500 or more people, so many more are likely not reported.
Good to Know: An electronic health record (EHR), a critical component of Health IT, is a real-time, digital version of a patient chart.
HIPAA Violation Tiers and Fines
The consequences of not being HIPAA compliant vary based on the severity of the violation. OCR remediation efforts may involve voluntary compliance or technical guidance. Serious and/or persistent noncompliance can lead to fines based on the following structure:
- Tier 1: Minimum fine of $100 per violation up to $50,000.
- Tier 2: Minimum fine of $1,000 per violation up to $50,000.
- Tier 3: Minimum fine of $10,000 per violation up to $50,000.
- Tier 4: Minimum fine of $50,000 per violation.
Failure to address network vulnerabilities and cybersecurity risks is costly. In January 2021, insurance provider Lifetime Healthcare Companies paid a $5.1 million settlement for a data breach that affected more than 9.3 million people. In July 2020, Lifespan Health System paid $1,040,000 when a stolen, unencrypted laptop led to a breach that violated both the Security and Privacy Rules. Another 2020 breach affected over 10.4 million people, resulting in a $6.85 million penalty.
Cybersecurity Measures for Patient Data Protection
Digital transformation benefits healthcare providers and patients, but it does come with security risks. Fortunately, there are robust, reliable cybersecurity measures you can take, and tools you can use, to mitigate cyber threats and protect sensitive data.
The HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework “identifies ‘mappings’ between the Cybersecurity Framework and the HIPAA Security Rule.” Organizations can use this to conduct risk assessments and identify gaps and weaknesses in Technical Safeguards (Access Control, Integrity Control, Transmission Security, Audit Controls).
The Security Rule defines access as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to 'access' as used in this subpart, not as used in subpart E of this part [the HIPAA Privacy Rule]).”
Total HIPAA, a HIPAA compliance documentation and training provider, explains, “A covered entity must implement centrally-controlled unique credentials for each user and establish procedures to govern the release or disclosure of ePHI during an emergency, automatic log off, and encryption. This is especially useful to pinpoint the source or cause of any security violations.” In addition to encryption (see below), OpenVPN Cloud provides MFA and supports identity federation with SAML. Role-based and identity-based access control for systems holding PHI can be configured at the network layer for hybrid and remote workforces to help meet the Access Control standard.
The Security Rule defines integrity as “the property that data or information have not been altered or destroyed in an unauthorized manner.” It requires covered entities to “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
The HIPAA Transmission Security standard requires covered entities to “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
Encryption is a critical tool for meeting this requirement. HIPAA Journal points out that “The HIPAA encryption requirements have, for some, been a source of confusion” because “the technical safeguards relating to the encryption of Protected Health Information (PHI) are defined as ‘addressable’ requirements.” So, what does “addressable” mean? “It actually means that the safeguard should be implemented.”
Covered entities must transmit patient data outside firewalls and other onsite security measures. Encryption ensures that ePHI is inaccessible to bad actors during transmission. OpenVPN Cloud helps healthcare organizations secure sensitive data by creating a private overlay network between systems and remote users using encryption and tunneling over the internet. This ensures that sensitive information is always protected during transmission.
The HIPAA Audit Control standard doesn’t have implementation specifications but does require covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
In the event of a breach, audit controls can help identify the unauthorized person who accessed or used the PHI or to whom the disclosure was made (if known).
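The Access Control points quoted from Total HIPAA above (unique per-user credentials, automatic logoff) and the Audit Controls standard (record and examine activity, then identify who accessed PHI) can be illustrated together with a small access gateway. The following is an added example written for this page; it is not code from OpenVPN Cloud or from any of the sources quoted here. Every user name, role, record number, timestamp and the 15-minute idle limit is a constructed sample value, not a HIPAA-mandated one.

```python
"""Added example: a minimal ePHI access gateway with an audit trail.

Demonstrates three Security Rule points discussed on this page:
  - unique per-user credentials and role-based authorization (Access Control)
  - automatic logoff after an idle period (Access Control)
  - an audit log that records every access attempt and can be examined
    afterwards to identify who accessed a given record (Audit Controls)
All users, roles, record ids and timestamps below are constructed sample data.
"""
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed policy value, not a HIPAA number

# Role -> actions permitted on patient records (constructed policy).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),
}

# Constructed user directory: one unique credential (user id) per person.
USERS = {"dr.lee": "physician", "a.cho": "billing", "j.ruiz": "facilities"}


@dataclass
class Session:
    user_id: str
    last_activity: int  # unix seconds of the last authorized action


@dataclass
class Gateway:
    audit_log: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)

    def _record(self, ts, user_id, action, record_id, outcome):
        # Append-only audit entry: who, what, which record, when, and outcome.
        self.audit_log.append({"ts": ts, "user": user_id, "action": action,
                               "record": record_id, "outcome": outcome})

    def login(self, user_id, now):
        # Only credentials present in the directory may open a session.
        if user_id not in USERS:
            self._record(now, user_id, "login", None, "denied:unknown-user")
            return False
        self.sessions[user_id] = Session(user_id, now)
        self._record(now, user_id, "login", None, "allowed")
        return True

    def access(self, user_id, action, record_id, now):
        session = self.sessions.get(user_id)
        if session is None:
            self._record(now, user_id, action, record_id, "denied:no-session")
            return False
        # Automatic logoff: an idle session is closed rather than reused.
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]
            self._record(now, user_id, action, record_id, "denied:auto-logoff")
            return False
        session.last_activity = now
        # Role-based authorization on the requested action.
        if action not in ROLE_PERMISSIONS[USERS[user_id]]:
            self._record(now, user_id, action, record_id, "denied:role")
            return False
        self._record(now, user_id, action, record_id, "allowed")
        return True


def who_accessed(audit_log, record_id):
    """Examine the log: unique users who successfully read or wrote a record."""
    seen = []
    for entry in audit_log:
        if (entry["record"] == record_id and entry["outcome"] == "allowed"
                and entry["user"] not in seen):
            seen.append(entry["user"])
    return seen


def denied_attempts(audit_log):
    """All denied attempts, in order; the material for an incident review."""
    return [e for e in audit_log if e["outcome"] != "allowed"]


def demo():
    """Run a constructed scenario and return the gateway with its audit log."""
    gw = Gateway()
    gw.login("dr.lee", 1000)
    gw.access("dr.lee", "read", "MRN-0001", 1010)      # allowed (physician)
    gw.login("a.cho", 1020)
    gw.access("a.cho", "write", "MRN-0001", 1030)      # denied: billing may only read
    gw.login("j.ruiz", 1040)
    gw.access("j.ruiz", "read", "MRN-0001", 1050)      # denied: facilities has no access
    gw.access("dr.lee", "read", "MRN-0001", 1970)      # denied: idle 960 s > 900 s limit
    gw.access("ghost", "read", "MRN-0001", 2000)       # denied: never logged in
    return gw


if __name__ == "__main__":
    gateway = demo()
    print("accessed MRN-0001:", who_accessed(gateway.audit_log, "MRN-0001"))
    for entry in denied_attempts(gateway.audit_log):
        print(entry)
```

The point of keeping the log append-only and recording denials as well as successes is that, after a suspected breach, the examination step (`who_accessed`, `denied_attempts`) can answer the question the text raises: which credential touched a record and when. A real deployment would write the log to storage the gateway itself cannot modify and would tie the user ids to the centrally managed identities the text describes.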
This means network administrators need the ability to identify risks and vulnerabilities across an organization. Cyber Shield, a built-in OpenVPN Cloud feature, simplifies this ask with:
- Traffic Reporting: Detailed statistics on traffic identified as malware and other threats, as well as the device that generated the traffic.
- DNS Filter Reporting: Details blocked domain events so Admins can identify user devices tied to DNS requests in a particular blocked category.
HIPAA Compliance and Risk Management in the Information Age
In 1996, when HIPAA became law, the healthcare industry was only beginning to undertake digital transformation. Now, 26 years later, healthcare has been radically transformed by the Internet of Things (IoT) and Industrial Internet of Things (IIoT). The benefits are immeasurable but do call for increased risk management to ensure data is secure at all times and in all places.
OpenVPN Cloud takes the complexity and high cost out of building and managing a secure network for your entire healthcare organization with a cloud-based solution that’s easy to deploy. Our virtualized network as a service (NaaS) solution ensures secure networking, remote access, and effective content filtering.
Built on the widely-adopted OpenVPN protocol with more than 60 million downloads and 20,000 commercial customers, our OpenVPN Cloud solution combines secure access control, advanced encryption, IP and domain routing, intrusion detection and prevention (IDS/IPS), safe content filtering, and firewall capabilities into a virtualized, mesh-connected, high-speed NaaS with worldwide points of presence.
If you’re ready to make OpenVPN Cloud part of your healthcare and HIPAA compliance security stack, get started today with three free connections.