Personal healthcare data is one of the most valuable types of data that cybercriminals can obtain. Meanwhile, to protect the healthcare data they possess, many healthcare organizations structure their cybersecurity efforts around HIPAA compliance alone.
Too often, this still leaves them vulnerable to attacks.
While HIPAA compliance is a good starting point for healthcare data security, every healthcare organization needs a comprehensive cybersecurity program that goes beyond compliance, both to reduce the chance of a breach and to be ready to respond when one happens.
Why healthcare data matters
Advances in technology have created an abundance of healthcare data. This wealth of information is great for healthcare professionals and patients, but it’s even better for cybercriminals.
Healthcare data presents a unique opportunity for cybercriminals to collect personal information (PI) from patients via data breaches, malware, viruses, and other malicious attacks.
Personal information is valuable to cybercriminals and other malicious actors because most of it doesn't change over time. Unlike financial account details, the identifiers in a health record (name, date of birth, Social Security number, biometric data, and so forth) can be reused indefinitely for identity theft or other forms of fraud.
For instance, if your credit card number is used without authorization, you or your bank can cancel it. You may even be reimbursed for any unauthorized purchases.
On the other hand, if your Social Security number is compromised, it typically can’t be changed; ditto for your date of birth or, say, a retina scan. So the information is much more valuable to malicious actors.
Medical records often contain multiple pieces of personal information: names, Social Security numbers, birth dates, insurance identification numbers, protected health information (PHI), and so forth. For this reason, medical records sold on the dark web often fetch a higher price than say, a credit card number.
The advent of electronic health records (EHRs) makes it even easier for cybercriminals to get hold of personal information. While medical records were once physically kept in filing cabinets on premises, most medical information is now stored electronically or in the cloud.
These days, a cybercriminal only needs to breach a healthcare organization’s network security system to gain access to patients’ personal information, which can then be sold on the dark web or encrypted and held for ransom.
The demand for EHRs is high, and malicious actors are always looking for new ways to access the personal information they contain. Since 2009, cybercriminals have stolen the medical records of more than 120 million people in at least 1,100 breaches.
At the same time, advances in healthcare technology give cybercriminals more opportunities to access sensitive healthcare data.
For example, with the rise of global issues such as the COVID-19 pandemic, more healthcare organizations are offering telehealth services to provide treatment from a safe distance. Communication technology is at the forefront of telehealth and creates even more opportunities for interception, negligence, or misuse of the information it produces.
Likewise, more healthcare organizations have also started to use the Internet of Things (IoT) to monitor patients’ health, heart rate, vital signs, exercise levels, and sleep quality.
As the amount of information collected about patients increases, so does the risk that that data will be breached and used with malicious intent.
The proliferation of EHRs, electronic health exchanges in which physicians share information, telehealth, IoT, and mobile technology to access health data have all created more access points for hackers than ever before.
The healthcare industry also has unique cybersecurity vulnerabilities that make it more prone to cyberattacks.
Most healthcare facilities are open to large numbers of people who are not staff (patients, visitors, contractors) and who can move freely through much of the building. This raises the likelihood that someone reaches a restricted area or an unattended workstation, and it increases the number of unmanaged devices connected to the network.
Even on secured devices, a medical facility’s own staff is vulnerable to phishing attempts. A medical professional without proper cybersecurity training may accidentally open a phishing email on a secured device, which could lead to a healthcare data breach.
Ultimately, technological advancements are changing the landscape of the healthcare industry and healthcare organizations need to prepare themselves to meet these threats head-on.
As threats to cybersecurity continue to grow, it’s critical that healthcare organizations go above and beyond to protect their patients’ data.
Healthcare data security and HIPAA
Many healthcare organizations structure their cybersecurity efforts primarily around HIPAA compliance.
The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to their business associates (vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity's behalf).
A HIPAA breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” In other words, a breach occurs when PHI is accessed by or shared with anyone who is not authorized to see it.
HIPAA is a federal law administered by the U.S. Department of Health and Human Services (HHS); its Privacy and Security Rules exist to keep sensitive patient data away from hackers, identity thieves, spammers, and other unauthorized parties.
HIPAA's implementing regulations are usually summarized as five rules: the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the 2013 Omnibus Rule that updated the others. They are binding regulations, not optional guidance, but the Security Rule in particular is written as technology-neutral standards: it states what must be achieved and leaves the choice of specific controls to the covered entity.
The Security Rule's administrative safeguards address security from a management perspective, including:
- Security management process: risk analysis, risk management, a sanction policy, and information system activity review.
- Workforce security: authorization and supervision, workforce clearance procedures, and termination procedures.
- Information access management: access authorization, access establishment, and access modification.
- Security awareness and training: security reminders, protection from malicious software, log-in monitoring, and password management.
- Contingency planning: data backup, disaster recovery, and emergency mode operation plans.
The Security Rule's physical safeguards protect the facilities and equipment that hold e-PHI so that the administrative and technical measures can work as intended, including:
- Facility access controls: limiting physical access, access control and validation procedures, contingency operations, and maintenance records.
- Workstation use and workstation security: restricting which functions are performed on which workstations and physically securing them, for example with locked rooms or keycard access.
- Device and media controls: disposal, media re-use, accountability for hardware and media, and data backup and storage.
The Security Rule's technical safeguards ensure that e-PHI is accessed only by authorized users and transmitted only over protected channels, including:
- Access control: unique user identification, emergency access procedures, automatic logoff, and encryption and decryption.
- Audit controls: hardware, software, and procedural mechanisms that record and examine activity in systems containing e-PHI.
- Integrity: mechanisms to confirm that e-PHI has not been improperly altered or destroyed.
- Person or entity authentication: verifying that a user or system requesting access is who it claims to be.
- Transmission security: integrity controls and encryption to guard e-PHI against unauthorized access while in transit.
The Office for Civil Rights (OCR) within HHS enforces the Privacy and Security Rules through voluntary compliance activities and civil money penalties, and it is the office that conducts a compliance review when a complaint is filed against your organization.
Because noncompliance can bring fines, and knowing misuse of PHI can even lead to criminal prosecution, the healthcare industry tends to focus most of its attention on HIPAA compliance alone.
But is HIPAA compliance enough to protect your organization from growing cybersecurity threats to healthcare data?
Is HIPAA enough?
While HIPAA’s Security Rule can greatly reduce a healthcare organization’s cybersecurity risks, compliance with HIPAA alone does not protect covered entities and business associates from every potential cyber threat.
A Brookings Institution survey found that many information security experts believe HIPAA doesn’t sufficiently address modern cybersecurity challenges, especially in large organizations with sophisticated IT systems.
The Security Rule names the safeguard categories listed above, but it is deliberately technology-neutral: it says what must be achieved (access control, audit logging, integrity, transmission security), not which specific controls, products, or configurations achieve it, and several implementation specifications, encryption among them, are "addressable" rather than strictly required. Meeting the standard therefore depends heavily on the quality of an organization's own risk analysis and documentation.
It is no surprise, then, that healthcare consistently ranks among the industries most affected by data breaches. Relying on HIPAA compliance alone leaves gaps wherever a threat is not spelled out in the rule.
Because the rule sets outcomes rather than prescribing controls, even a fully compliant organization can remain vulnerable to attack, as the steady stream of healthcare breaches over the past few years shows.
To avoid the fines that come with a breach, healthcare organizations train their employees on HIPAA compliance. But this training needs to be part of a comprehensive cybersecurity program that educates employees on all aspects of data security best practices and threat awareness, including:
- Maintaining secure login credentials (translation: login information isn’t kept on Post-It notes stuck to computer screens)
- Creating strong, unique passwords and changing them whenever compromise is suspected (NIST SP 800-63B no longer recommends forced periodic rotation, which tends to produce weaker, predictable passwords)
- Keeping private login credentials that aren’t shared with anyone
- Only logging into systems using secured networks on secured devices
- Spotting phishing emails and reporting them
- Never opening files from unknown sources
- Not removing hardware (laptops, tablets, and hard drives) from the building without authorization.
These measures, however, won’t guarantee that your organization is safe from a breach. A Ponemon Institute survey reports that half of all data breaches are the result of employee or third-party mistakes.
Even the best data security training program cannot eliminate human error; nor will it address the threat of malicious insiders who probe for ways to circumvent the rules.
Modern healthcare organizations need to employ comprehensive cybersecurity that combines HIPAA guidelines with continuous employee training, a culture of security awareness, and technical safeguards.
Cybersecurity beyond HIPAA
Technical safeguards provide an additional layer of protection against mistakes and insider theft.
Unfortunately, relying on employees to monitor networks for aberrant behavior is impractical and ineffective.
Healthcare organizations therefore need automated monitoring (often sold as user and entity behavior analytics, or UEBA) that watches the network continuously, builds a baseline of normal behavior for each user, flags deviations from that baseline, and requires step-up authentication before the user can proceed, while alerting the security team to the event.
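As an added illustration of that monitoring loop (this is example code written for this article, not code from the original page or from any monitoring product), the following Python builds a per-user baseline from a constructed EHR audit trail and scores new activity against it. The log format, the user names, the IP addresses, the sigma and minimum-margin thresholds, and every event in it are assumptions made for the example; a real deployment would feed weeks of audit-control logs into the baseline and map the "step_up_auth" decision to an MFA challenge in the identity provider.

```python
"""Per-user access baseline and deviation detection over EHR audit logs.
Added example, not code from the original page or any product; the log
format, users, addresses, thresholds and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: "<ISO timestamp> <user> <action> <patient_id> <source_ip>"
BASELINE_LOG = """\
2024-03-04T08:12:01 nurse.a VIEW P1001 10.20.1.15
2024-03-04T11:30:44 nurse.a VIEW P1002 10.20.1.15
2024-03-04T15:05:10 nurse.a UPDATE P1002 10.20.1.15
2024-03-05T08:40:22 nurse.a VIEW P1003 10.20.1.16
2024-03-05T10:02:09 nurse.a VIEW P1004 10.20.1.16
2024-03-05T13:15:51 nurse.a VIEW P1001 10.20.1.16
2024-03-05T16:48:33 nurse.a UPDATE P1003 10.20.1.16
2024-03-04T09:15:30 dr.b VIEW P2001 10.20.2.40
2024-03-04T14:20:12 dr.b UPDATE P2001 10.20.2.40
2024-03-05T09:45:03 dr.b VIEW P2002 10.20.2.41
"""
# Constructed events to evaluate: a normal day for nurse.a, a 02:40 lookup by
# dr.b, and a 12-record burst by nurse.a from outside the clinical network.
NEW_LOG = """\
2024-03-07T11:10:00 nurse.a VIEW P1007 10.20.1.15
2024-03-07T13:45:30 nurse.a VIEW P1008 10.20.1.15
2024-03-07T15:05:12 nurse.a UPDATE P1007 10.20.1.15
2024-03-07T02:40:19 dr.b VIEW P2004 10.20.2.40
""" + "\n".join(f"2024-03-08T10:{i:02d}:00 nurse.a VIEW P{1100 + i} 198.51.100.7"
                for i in range(12))

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    patient: str
    src_ip: str

def parse_log(text):
    """Parse whitespace-separated log lines into Event records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, patient, src_ip = line.split()
            events.append(Event(datetime.fromisoformat(ts), user, action, patient, src_ip))
    return events

def subnet24(ip):
    """Coarse location: the /24 prefix of an IPv4 address."""
    return ip.rsplit(".", 1)[0]

@dataclass
class Baseline:
    hours: set         # hours of day in which the user has been active
    subnets: set       # /24 prefixes the user has connected from
    daily_mean: float  # mean records touched per active day
    daily_std: float   # population std deviation of that daily count

def build_baselines(events):
    """Summarise each user's historical activity into a Baseline."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baselines = {}
    for user, evs in per_user.items():
        per_day = defaultdict(int)
        for e in evs:
            per_day[e.ts.date()] += 1
        counts = list(per_day.values())
        baselines[user] = Baseline(hours={e.ts.hour for e in evs},
                                   subnets={subnet24(e.src_ip) for e in evs},
                                   daily_mean=mean(counts), daily_std=pstdev(counts))
    return baselines

def evaluate(new_events, baselines, sigma=3.0, min_margin=5):
    """Score each (user, day) of new activity against the user's baseline.
    Returns {(user, iso_date): (decision, reasons)}; decision is "allow" or
    "step_up_auth", and any reason also warrants an alert to the security team.
    min_margin stops a flat baseline (std == 0) from flagging ordinary variation."""
    grouped = defaultdict(list)
    for e in new_events:
        grouped[(e.user, e.ts.date().isoformat())].append(e)
    results = {}
    for (user, day), evs in grouped.items():
        reasons, b = [], baselines.get(user)
        if b is None:
            reasons.append("no baseline exists for this user")
        else:
            odd_hours = sorted({e.ts.hour for e in evs} - b.hours)
            if odd_hours:
                reasons.append(f"activity outside baseline hours: {odd_hours}")
            new_nets = sorted({subnet24(e.src_ip) for e in evs} - b.subnets)
            if new_nets:
                reasons.append(f"activity from unseen subnet(s): {new_nets}")
            threshold = b.daily_mean + max(sigma * b.daily_std, min_margin)
            if len(evs) > threshold:
                reasons.append(f"{len(evs)} records in one day exceeds threshold {threshold:.1f}")
        results[(user, day)] = ("step_up_auth" if reasons else "allow", reasons)
    return results

def run_demo():
    return evaluate(parse_log(NEW_LOG), build_baselines(parse_log(BASELINE_LOG)))

if __name__ == "__main__":
    for (user, day), (decision, reasons) in sorted(run_demo().items()):
        print(f"{day} {user:<8} {decision:<13} {'; '.join(reasons)}")
```

Run as a script it allows nurse.a's ordinary day, demands step-up authentication from dr.b for the 02:40 lookup, and flags nurse.a's 12-record burst both for volume and for coming from a subnet never seen before. The three heuristics (hour of day, source network, daily record volume) are a deliberately small set; the point is that each decision is explainable, which is what the security team needs when it triages the alert.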
In addition to following HIPAA guidelines, organizations can also draw from the National Institute of Standards and Technology (NIST) guide titled “Framework for Improving Critical Infrastructure Cybersecurity.”
The Framework Core organizes cybersecurity activities and outcomes into five Functions (Identify, Protect, Detect, Respond, and Recover in version 1.1 of the Framework) that apply to most organizations, critical infrastructure or not. It helps an organization see how its current cybersecurity activities line up with its needs, risk tolerance, and resources.
Together, HIPAA's Security Rule and NIST's Framework can greatly reduce a healthcare organization's cybersecurity risks. HHS has published a crosswalk that maps Security Rule standards to Framework subcategories, which is a practical way to find the concrete controls the rule itself leaves unspecified.
Additionally, the more budget and resources that go to IT security personnel, the better the organization will fare when cyber threats inevitably arise.
How ZenGRC can help
HIPAA compliance can be a daunting task. There are more than 100 pages of rules to follow, and HIPAA regulations change constantly to address new aspects of e-PHI, patient rights, and cybersecurity.
Healthcare organizations and their business associates must, however, perform their due diligence to remain HIPAA compliant. That means continuously monitoring data activity and improving the security measures that protect medical records against unauthorized access.
Fortunately, automated tools can help you connect the continuous monitoring of a security-first approach to HIPAA compliance with the documentation required.
ZenGRC from Reciprocity can help to ease the process of conducting a HIPAA security risk assessment and preparing the necessary documentation to support your compliance stance.
Easy compliance templates make self-audits a breeze, while a central dashboard tells you where gaps exist in your compliance documentation, and how to fill them.
Furthermore, ZenGRC can audit your compliance documentation across frameworks so you can streamline your efforts whether they be for HIPAA, NIST, HITECH Act, or any other healthcare-related requirements.
GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.
Worry-free HIPAA compliance is the first step to creating a comprehensive cybersecurity program.