Cybersecurity for HIPAA Compliance
How Healthcare Organizations Can Safeguard Patient Information
How CloudConnexa® Supports HIPAA Compliance
Cloud Connexa gives you everything you need to enable a variety of use cases critical to your HIPAA compliance efforts:
- Secure Remote Access
- Secure IoT Communications
- Protecting Access to SaaS Applications
- Site-to-Site Networking
- Enforcing Zero Trust Access
- Cyber Threat Protection and Content Filtering
- Restricted Internet Access
Recommended Reading: Want a deep dive on the technical specifications of Cloud Connexa? Download this datasheet.
How Healthcare Organizations Can Safeguard Patient Information
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national healthcare industry standards for:
According to the Centers for Medicare and Medicaid Services, the purpose of HIPAA is “To reduce paperwork and streamline business processes across the health care system.” The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA regulations.
One element of HIPAA, the HIPAA Security Rule, sets requirements for protecting electronic protected health information (ePHI). Health plans, healthcare clearinghouses, and healthcare providers — also known as covered entities — must protect patient data with “appropriate administrative, physical and technical safeguards.” These security measures are meant to “ensure the confidentiality, integrity, and security” of data, and apply to the covered entities as well as to their business associates.
Under HIPAA and the Privacy Rule, healthcare organizations must have safeguards in place for 18 specific patient identifiers:
- Address (including any information more localized than state)
- Any dates related to the individual, including birthdays, date of death, date of admission/discharge, etc. (years are excluded)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, license plate numbers
- Device identification or serial numbers
- Web URLs
- IP address
- Biometric identifiers (e.g., fingerprints)
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
Good to Know: What’s the difference between the HIPAA Privacy Rule and the HIPAA Security Rule? The Privacy Rule sets standards for who may access protected health information (PHI); the Security Rule sets standards that ensure only those authorized to access ePHI can actually access it.
Why Cybercriminals Want Healthcare Data
Black-hat hackers are most often motivated by money, and that’s the case when it comes to health records. Steve Morgan, Editor-in-Chief of Cybercrime Magazine, writes, “Healthcare has lagged behind other industries and the tantalizing target on its back is attributable to outdated IT systems, fewer cybersecurity protocols and IT staff, extremely valuable data, and the pressing need for medical practices and hospitals to pay ransoms quickly to regain data.” Although it’s rare, refusing to pay a ransomware demand can even escalate into a killware situation, where the attack puts patients’ lives at risk.
Cybersecurity insurance provider NOW Insurance reports that PHI has a higher value than other sensitive data because:
- Healthcare organizations are willing to pay higher ransoms to recover data acquired in a breach to avoid damaging patient trust and brand value.
- In addition to accessing bank accounts and credit card numbers, dark web buyers can use PHI to illegally get and sell prescriptions, acquire expensive treatment, and file fraudulent medical claims for insurance payouts. They can also buy email addresses to spam with malware.
According to Health IT Security, in 2021, HHS recorded 550 cyberattacks against healthcare organizations, with a total of 40 million people impacted. Keep in mind that HIPAA only requires covered entities to report healthcare data breaches that affect 500 or more people, so many more are likely not reported.
Good to Know: An electronic health record (EHR), a critical component of Health IT, is a real-time, digital version of a patient chart.
HIPAA Violation Tiers and Fines
The consequences of not being HIPAA compliant vary with the severity of the violation. OCR remediation efforts may involve voluntary compliance or technical guidance. Serious and/or persistent noncompliance can lead to fines based on the following structure:
- Tier 1: Minimum fine of $100 per violation up to $50,000
- Tier 2: Minimum fine of $1,000 per violation up to $50,000
- Tier 3: Minimum fine of $10,000 per violation up to $50,000
- Tier 4: Minimum fine of $50,000 per violation
Failure to address network vulnerabilities and cybersecurity risks is costly. In January 2021, insurance provider Lifetime Healthcare Companies paid a $5.1 million settlement for a data breach that affected more than 9.3 million people. In July 2020, Lifespan Health System paid $1,040,000 when a stolen, unencrypted laptop led to a breach that violated both the Security and Privacy Rules. Another 2020 breach affected over 10.4 million people, resulting in a $6.85 million penalty.
Cybersecurity Measures for Patient Data Protection
Digital transformation benefits healthcare providers and patients, but it does come with security risks. Fortunately, there are robust, reliable cybersecurity measures and tools you can use to mitigate cyber threats and protect sensitive data.
The HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework “identifies ‘mappings’ between the Cybersecurity Framework and the HIPAA Security Rule.” Organizations can use this to conduct risk assessments and identify gaps and weaknesses in Technical Safeguards (Access Control, Integrity Control, Transmission Security, Audit Controls).
The Security Rule defines access as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subpart E of this part [the HIPAA Privacy Rule]).”
Total HIPAA, a HIPAA compliance documentation and training provider, explains that, “A covered entity must implement centrally-controlled unique credentials for each user and establish procedures to govern the release or disclosure of ePHI during an emergency, automatic log off, and encryption. This is especially useful to pinpoint the source or cause of any security violations.”
Within the Security Rule, integrity is defined as “the property that data or information have not been altered or destroyed in an unauthorized manner” and requires covered entities to “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
The HIPAA Transmission Security standard requires covered entities to “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
Encryption is a critical tool for meeting this requirement. HIPAA Journal points out that “The HIPAA encryption requirements have, for some, been a source of confusion” because “the technical safeguards relating to the encryption of Protected Health Information (PHI) are defined as ‘addressable’ requirements.” So, what does “addressable” mean? Per HIPAA Journal, “It actually means that the safeguard should be implemented.”
Covered entities need to transmit patient data outside firewalls and other onsite security measures. Encryption ensures ePHI is inaccessible to bad actors during transmission. Cloud Connexa helps healthcare organizations secure sensitive data by creating a private overlay network between systems and remote users using encryption and tunneling over the internet. This ensures that sensitive information is always protected during transmission.
The HIPAA Audit Control standard doesn’t have implementation specifications but does require covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
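The Integrity and Audit Control standards above ask for two things at once: a record of who touched ePHI, and assurance that the record itself has not been altered or destroyed. The following is an added illustration, not code from this page or from Cloud Connexa, of one common way to meet both: an append-only audit trail in which every event is recorded under the acting user's unique credential and each entry is chained to the previous one with an HMAC, so that editing or deleting an earlier entry is detectable on review. The key name, the event fields, the sample user and record IDs, and the `demo()` scenarios are all constructed for this example.

```python
"""Tamper-evident audit trail for ePHI access events (constructed example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Hypothetical signing key for this example only. A real deployment would load it
# from a KMS/HSM so that someone with write access to the log cannot re-sign it.
AUDIT_KEY = b"example-only-audit-key"
GENESIS_HASH = "0" * 64


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash: str, fields: dict) -> str:
    """HMAC-SHA256 over (previous hash || this entry) links each entry to the chain."""
    return hmac.new(AUDIT_KEY, prev_hash.encode() + _canonical(fields), hashlib.sha256).hexdigest()


def append_event(log: list, user_id: str, action: str, record_id: str,
                 ts: Optional[str] = None) -> dict:
    """Record one access to an ePHI record under the acting user's unique ID."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    fields = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user_id": user_id,      # unique per-user credential, never a shared account
        "action": action,        # e.g. "read", "update", "export"
        "record_id": record_id,  # medical record number being touched
    }
    entry = dict(fields, hash=_entry_hash(prev_hash, fields))
    log.append(entry)
    return entry


def verify_log(log: list) -> Tuple[bool, Optional[int]]:
    """Recompute the chain; returns (True, None) if intact, else (False, first bad seq)."""
    prev_hash = GENESIS_HASH
    for expected_seq, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if fields.get("seq") != expected_seq:
            return False, expected_seq          # an entry was removed or reordered
        if not hmac.compare_digest(_entry_hash(prev_hash, fields), entry.get("hash", "")):
            return False, expected_seq          # entry content was altered
        prev_hash = entry["hash"]
    return True, None


def accesses_to_record(log: list, record_id: str) -> List[Tuple[str, str]]:
    """The 'examine activity' half of the standard: who did what to a given record."""
    return [(e["user_id"], e["action"]) for e in log if e["record_id"] == record_id]


def demo() -> dict:
    """Build a small constructed log, then show what tampering looks like to the verifier."""
    log: list = []
    append_event(log, "nurse-0421", "read", "MRN-1001", ts="2024-03-01T09:00:00+00:00")
    append_event(log, "dr-0077", "update", "MRN-1001", ts="2024-03-01T09:05:00+00:00")
    append_event(log, "billing-0150", "read", "MRN-2002", ts="2024-03-01T09:10:00+00:00")
    intact = verify_log(log)

    # Scenario 1: someone rewrites who performed the update.
    altered = [dict(e) for e in log]
    altered[1]["user_id"] = "nurse-0421"
    altered_result = verify_log(altered)

    # Scenario 2: someone deletes the middle entry to hide the update.
    deleted = [log[0], log[2]]
    deleted_result = verify_log(deleted)

    return {
        "intact": intact,                      # (True, None)
        "altered": altered_result,             # (False, 1)
        "deleted": deleted_result,             # (False, 1)
        "mrn_1001_activity": accesses_to_record(log, "MRN-1001"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats matter in practice. The chain detects alteration, reordering and deletion of interior entries, but not silent truncation of the tail; for that, the latest hash has to be anchored somewhere the log writer cannot reach (for example, shipped periodically to a separate system). And the HMAC key must not live beside the log, or whoever can edit the log can simply re-sign it.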
HIPAA Conduit Exception Rule
According to the U.S. Department of Health & Human Services, the HIPAA Conduit Exception rule “...is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.”
So the rule only applies to PHI transmission-only services. But if the conduit stores PHI, it must be transient and not persistent in nature. This applies to the U.S. Postal Service and some private couriers — FedEx, UPS, DHL, and their electronic equivalents.
What about cloud service providers (CSPs)? Like the couriers mentioned above, any information stored by Cloud Connexa is transient, not persistent, and therefore qualifies for the HIPAA Conduit Exception Rule.
HIPAA Compliance and Risk Management in the Information Age
In 1996, when HIPAA became law, the healthcare industry was only beginning to undertake digital transformation. Now, 27 years later, healthcare has been radically transformed by the Internet of Things (IoT) and Industrial Internet of Things (IIoT). The benefits are immeasurable but do call for increased risk management to ensure data is secure at all times and in all places.
The Benefits of Using Cloud Connexa for HIPAA Compliance
- Support for Site-to-Site and Remote Access.
- Full-mesh connectivity without complex configuration.
- Unique local address range available for Customer use.
- Support for peer-to-peer communication.
- Enhanced security as only outgoing connections to Cloud Connexa are made.
- Firewalls don't need to be opened to allow incoming traffic from the internet.
- DNS-based content filtering.
- Device Enforcement makes it easy for admins to verify device identities before granting network access.
IPv4 and IPv6
- Full RFC 1918 IPv4 private address range and IPv6 RFC 4193.
- IPv6 and IPv4 support.
- Virtual, worldwide, private and secure IPv4 and IPv6 networking space for each Tenant/Customer.
- No restricted list of supported protocols or services.
- Improve network performance with smart routing.
- Increase redundancy with multiple network connections.
- IP-layer networking allows access to all IP-based services.
- Flexible routing of Internet traffic.
- Access private services by connecting to any of the worldwide regions.
- Customers can use their private DNS servers.
- Routing via domain names is an option, even if there are multiple networks with overlapping IP address ranges.
- Similar to per-app VPN policies, traffic can be steered into the VPN tunnel on a per-domain basis.
- Fully managed and hosted service.
- Point-and-click centralized management and configuration.
- Fast, easy creation and management of multiple wide-area private clouds (WPCs) from a single Owner account.
- Offline or online connection profile distribution.
- Assigned IP address to User devices and Connectors does not change or depend on a connection point.
- Supports LDAP and Security Assertion Markup Language (SAML) 2.0 identity federation for Single Sign On (SSO).
What is OpenVPN Connect?
OpenVPN Connect, the official client software developed and maintained by OpenVPN Inc., connects to Cloud Connexa, Access Server, or any OpenVPN protocol-compatible server or service. It supports 2FA and SAML authentication, and Windows, macOS, Android, iOS, and ChromeOS versions are available.
Cloud Connexa — The Best Cybersecurity Solution for HIPAA Compliance
Unlike other solutions, Cloud Connexa:
- Provides a secure, distributed, virtualized networking platform with integrated essential value-add network security functions but with the flexibility to augment your security posture with add-on security controls implemented at your private internet gateway to meet your requirements.
- Consolidates advanced network security, secure remote access, advanced encryption, IP and domain routing, essential intrusion detection and prevention, safe content filtering, and firewall capabilities into a single cloud-based service.
- Leverages the market-proven, open source OpenVPN tunneling protocol that boasts over 60 million downloads.
- Reduces cost and complexity for smaller mid-market businesses and for the branch locations of larger enterprises.
- Provides the network security and role-based secure access foundational to zero trust networking.
- Uses Application Domain-based Routing so you can easily route traffic to applications distributed among your various connected private networks using the application's domain name as a route to the network where that application resides.
- Goes beyond tunneling traffic to private resources on your network and gives you unmatched control over internet-bound traffic routing by User Group, Network, or Host.
- Uses our multi-tenant cloud-delivered service for immediate, on-demand creation of a dedicated worldwide private overlay network, with built-in security features, exclusively for your use.
- Gives network administrators the ability to quickly and easily scale connections on demand.
Recommended Viewing: See how Cloud Connexa lets you quickly, easily enable Multi-Factor Authentication (MFA) to keep unauthorized users out of your network.
Get Started with Cloud Connexa Now — for Free — and Scale to Paid When You’re Ready
Cloud Connexa takes the cost and complexity out of secure connectivity to keep your business operating safely and efficiently by reliably identifying and routing trusted applications and traffic using an integrated multi-tenant virtual network with built-in critical security functions.
Plus, our subscriptions are based on concurrent connections, not users, so you pay for what you actually use. Get started with three free connections — no credit card required — and scale to paid whenever you like. If you’re ready to make Cloud Connexa part of your healthcare and HIPA