Cybersecurity and HIPAA Compliance
iPhones, Android phones, other mobile devices, ransomware and the Cloud are just a few of the major information security threats facing every healthcare organization today.
It's critical that healthcare organizations, big and small, ensure that their Protected Health Information and technology infrastructure are secure...a task that's far more complicated because of mobile devices.
Adding to these concerns is the Internet of Things (IoT), which is now a critical part of the medical information industry. Web-connected wearables and devices often have very weak security and must be properly managed and secured...or you risk security breaches, data capture and heavy fines!
The HIPAA Security Rule Governs Cybersecurity
The security protections of HIPAA are separated into three safeguards:
- Administrative safeguards
- Technical safeguards
- Physical safeguards
Human errors are the #1 reason for security breaches and HIPAA violations. Here are the required administrative safeguards under The Security Rule:
- Employee training and management: You need to identify, authorize and supervise all members of your team who handle Protected Health Information (PHI). The security policies and procedures you adopt must be conveyed through ongoing training and written documents. Training must occur and be updated on an annual basis, and you must provide evidence of your training efforts.
- Role-based Access: The Security Rule mandates that you create role-based access to confidential information by writing policies and procedures requiring that authorized access matches the role of the user.
- Security Officer: Your designated security officer is assigned to protect your organization by creating and enforcing security policies and procedures.
- Risk Assessment: You are required to have appropriate policies and procedures developed through annual risk assessments that are conducted with your entire organization and all your business associates.
Your HIPAA technical safeguards must include the following items:
- Transmitting Data: ePHI moving across your network or between your organization and its business associates must be protected while in transit.
- Audits: Audit controls must be implemented and reviewed regularly to analyze access to PHI and the behavior of the users who access it.
- Policies and Procedures: Covered entities and business associates must have policies and procedures in place that limit ePHI access to authorized parties.
- Destruction and Modification: Procedures must be in place to guard against improper destruction or modification of PHI.
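The role-based access and audit points above are easier to see in working code. The following is an added example and not code from the original article: a minimal in-memory records store that enforces a role-to-permission mapping on every ePHI request and writes an audit entry for every attempt, allowed or denied, so that access and user behavior can be reviewed afterwards. The roles, permissions, user names and patient record are all constructed for illustration.

```python
"""Added example: role-based access to ePHI records with an audit trail.
Roles, permissions and the sample record below are constructed, not real."""

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical role -> permitted actions on ePHI. Each role receives only
# what its job requires ("authorized access matches the role of the user").
ROLE_PERMISSIONS = {
    "physician": {"read_phi", "update_phi"},
    "nurse": {"read_phi"},
    "billing": {"read_billing"},
    "it_admin": set(),  # administers systems, has no business need for PHI
}


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user: str
    role: str
    action: str
    patient_id: str
    allowed: bool


class PhiStore:
    """In-memory stand-in for a records system; only the access path matters."""

    def __init__(self, records):
        self._records = dict(records)
        self.audit_log: list[AuditEntry] = []

    def access(self, user, role, action, patient_id):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        # Record the attempt before deciding, so denied attempts are kept
        # for audit review as well as successful ones.
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(),
            user, role, action, patient_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action}")
        if patient_id not in self._records:
            raise KeyError(patient_id)
        return self._records[patient_id]


def denied_attempts_by_user(audit_log, threshold=3):
    """Users whose denied attempts reach `threshold`; a starting point for
    the periodic review of user behavior the technical safeguards require."""
    denied = Counter(entry.user for entry in audit_log if not entry.allowed)
    return {user: count for user, count in denied.items() if count >= threshold}


def run_demo():
    # Constructed sample record; not real patient data.
    store = PhiStore({"P-001": {"name": "Sample Patient", "dx": "example"}})
    store.access("dr.lee", "physician", "read_phi", "P-001")
    store.access("nurse.kim", "nurse", "read_phi", "P-001")
    # A system administrator repeatedly probing a record: every attempt is
    # denied, and every attempt still lands in the audit log.
    for _ in range(3):
        try:
            store.access("admin.ray", "it_admin", "read_phi", "P-001")
        except PermissionError:
            pass
    return store


if __name__ == "__main__":
    demo = run_demo()
    for entry in demo.audit_log:
        print(entry)
    print("flagged for review:", denied_attempts_by_user(demo.audit_log))
```

The design choice worth noting is that the audit entry is written before the permission decision is made: an audit trail that only records successful reads cannot show you the user who tried, and failed, to reach records outside their role, which is exactly the behavior a review of access patterns should surface.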
Physical safeguards with policies and procedures must be developed to properly manage your Protected Health Information systems:
- Review facilities access and controls
- Review workstation use and security
- Review device use and security
- Remote work locations must be secure
In addition to administrative, technical and physical safeguards, there are many other responsibilities a healthcare organization must address to ensure proper cybersecurity and HIPAA compliance. These include:
Cybersecurity with Your Business Associates
Analyzing Business Associate relationships begins with a risk assessment. The outcome of your risk assessment will guide the development of your Business Associate Agreement. Choosing Business Associates that are willing to go beyond HIPAA security efforts will provide you with additional assurance of meeting HIPAA and industry standards.
Unsecured Mobile Devices
The number of different mobile devices you and your employees use at work and at home is growing rapidly every year! Every time one of your employees brings a mobile device to work, your compliance risk automatically increases...potentially weakening your HIPAA controls and expanding your organization's exposure to hacking and security breaches!
Bring Your Own Device (BYOD) has greatly improved employee efficiency and is important to employees, especially with new hires. However, allowing access by these devices to your controlled system and network must be supported by proper and HIPAA-level security protections.
Protection can’t be solved by technology alone... Your employees must be aware and knowledgeable!
There must be ongoing security training whenever mobile devices are allowed. If you want to protect your organization from hacking and security breaches, and be HIPAA compliant, you must add an additional authentication step to your procedures, which all employees and management must follow!
As we explained in Are you HIPAA Compliant?, a very large percentage of breaches and fines are caused by carelessness and human error. Whether it's leaving an open file on your desk, misplacing it, opening a phishing email, or forgetting to shred a document...
Human error is to blame for a large portion of HIPAA violations and fines!
With HIPAA, you are legally required to have written policies, procedures and training for your employees and especially your management team...and these individuals must attest to their participation and sign-off every year. Without this, you will not be compliant...and you also make yourself and your organization vulnerable to breaches and ransomware.
It is critical to hold employee and management training sessions on a regular basis. You are required to provide evidence by having all employees acknowledge their attendance in writing. These training sessions need to focus on key points of security weaknesses, like phishing emails, password best-practices, social media policies and logging off a computer when leaving a workstation.
Even though the Cloud has been a tremendous innovation for the healthcare industry, it doesn’t come without concerns. Compliance and security risks must be considered and corrective action taken when considering PHI and your organization.
As your organization works with and transfers large pools of confidential information, the burden is on your IT staff to maintain their security skills with all the changes caused by Cloud computing.
The Department of Health and Human Services has issued guidance on HIPAA and Cloud computing that explains what you need to do regarding your presence in the Cloud. This guidance states that every Cloud provider you regard as a Business Associate must have a written BAA with your organization.
Accessing information in the Cloud via mobile devices is appropriate as long as you follow the HIPAA Security Rule by having administrative, technical and physical safeguards in place to protect the ePHI...and you must be able to prove those safeguards are in place!
In 2017, 88% of all ransomware attacks targeted the healthcare industry, and it doesn’t look like this focus will calm down in 2019 or beyond!
The majority of ransomware breaches are caused by phishing emails, which trick users into clicking links or attachments that let malicious software into the IT systems of the entire organization. As stated in Are You Compliant?, so far in 2019, 12 Minnesota companies have had their data breached and are now listed on the Wall of Shame. 80% of these breaches were caused by employees clicking on phishing emails! What does this mean for your organization?
Your organization needs to determine where your weaknesses lie and decide how to block the path a cyber-criminal or hacker might take by breaching your security with malware! Healthcare is the Number One hacked industry because PHI is extremely valuable on the Dark Web and black market.
You need to have internal training and education on how to prevent your organization from being victimized by ransomware, and you absolutely need a strong IT provider who works with cyber-security every day in the healthcare industry!
IoT (Internet of Things)
The healthcare industry, reluctant to embrace many of the new technologies introduced over the past five years, has fully embraced IoT. The reason is the great benefit for patients who use wearable and implantable IoT medical devices such as heart monitors, pacemakers, and insulin pumps, to name a few.
With all these items now connected to the Internet, their software is exposed to hacking and cyber-attacks. One of the major security issues is how data is collected by the device and then transmitted to the hospital or clinic. From an ePHI and HIPAA compliance standpoint, this is a risk your organization must understand, accept, and then develop the means to protect itself against.
The truth is, many of these IoT wearable devices cannot support endpoint security controls, leaving your organization vulnerable and liable! With the number of IoT devices increasing every year, it is critical to have a plan in place to protect your HIPAA data. The only way to do this is to work with an experienced IT provider who can safeguard your data and protect you from enormous HIPAA fines.
Cybersecurity and HIPAA compliance are strongly linked. It's important to remember that being HIPAA compliant does not make your entire organization secure from hackers, and having a robust cyber-security plan does not by itself make you HIPAA compliant. Your organization needs a comprehensive HIPAA compliance and security provider to guarantee the security of your data...the security your clients depend on and expect from you.