security rule

Most healthcare organizations follow the Privacy Rule, but tend to struggle with fulfilling the Security Rule’s requirements.   

security ruleDid you know that only 77% of healthcare organizations require both privacy and security training? While most healthcare entities follow the Privacy Rule fairly well, many aren’t compliant in the HIPAA Security Rule.

SEE ALSO: Snapshot of HIPAA and Healthcare Data Security

What’s the difference between the Privacy Rule and the Security Rule? Many organizations don’t realize these are separate rules that require attention. Here’s the difference:
  • Privacy Rule: Most organizations know this rule. It deals with patient information and keeping that information private. Organizations can’t release private data about a patient to anyone without the patient’s consent. 
  • Security Rule: This rule may not be as familiar to organizations. It deals with keeping protected health information (PHI) secure. Stolen PHI creates a lot of difficulties for patients; things like social security numbers are much harder to replace than credit cards.   
But how do you fulfill the technical requirements from the HIPAA Security Rule? Here are some security issues you must address in your organization.

Remote Access Security

Attackers commonly target organizations that use remote access applications. A vulnerable remote access application allows an attacker to completely bypass firewalls and gain direct access to office and patient data.

To protect your remote access, you should use these methods:

Two-factor authentication 
It’s not enough to have only a password. Configuring two-factor authentication means you use two of the following three aspects:
  • Something only the user knows (e.g., a username and password) 

  • Something only the user has (e.g., a cell phone or an rSA token) 

  • Something the user is (e.g., a fingerprint) 

Unique Usernames and passwords
Many companies often use usernames like “admin” and passwords like “password.” These make it very easy for a hacker to take control of your remote access.

SEE ALSO: How to Do Passwords Right: Password Management Best Practices

Instead, use a passphrase; pick a phrase like “I never wear shorts on Wednesdays” and add in some numbers and special characters. Your passphrase might look like something like “inwsoW1889!”

SEE ALSO: Healthcare's Password Security is Embarrassing

User Lockouts
Enable user lockouts to prevent a brute force password attack. After a specific number of failed login attempts, the user is locked out.

Limited access
Limit the number people who have remote access to PHI. Guest accounts should be disabled since they can allow anonymous access to your machine.

SEE ALSO: The Healthcare Threat is Imminent: Secure Remote Access Now!

Wireless Network Security

Today, most healthcare entities have wireless networks (i.e., Wi-Fi). Wi-Fi access has also become a waiting room norm. But many offices don’t have their Wi-Fi set up correctly with encryption, turning that free patient asset into a liability.

SEE ALSO: Wireless Access Point Protection: Finding Rogue Wi-Fi Networks
Here are some ways to secure your wireless network:

Use WPA2 encryption
Set up your Wi-Fi with a WPA2. Do NOT use outdated WEP encryption, since it’s easy to compromise.

Have firewall segmentation
Guest wireless networks should always be segmented from your non-guest wireless network by a firewall. For example, if your Wi-Fi network name was drdaniels, you could set up another Wi-Fi network just for patients named drdanielsguest. Nurses, office managers, and physicians should only use drdaniels, and patients should only be allowed to use drdanielsguest.

Scan Rogue Wireless Points
Rogue wireless points can let attackers get access to secure networks. Scan for these points especially if they’re attached to your non-guest network.

SEE ALSO: Could Your Waiting Room Wi-Fi Be Sabotaged?


Only 63% of healthcare organizations encrypt PHI on work devices. The HIPAA Security Rule requires healthcare entities have a method to encrypt and decrypt electronic PHI. This includes all PHI in all devices (desktop, laptop, mobile devices, flash drive, etc.).

There are three common data handling practices organizations tend to confuse:
  • Masking: hides part of the data from view. This is NOT encryption
  • Hashing: runs the data through a math algorithm that encrypts it. This method does not decrypt the data, and generally shouldn’t be used for PHI
  • Encrypting: similar to hashing, but it uses a math algorithm with an encrypting key to encrypt and decrypt your data
Many organizations confuse encrypting with masking, but only encrypting truly keeps your data safe from hackers.

HIPAA privacy rule, security requirementsHere are some security tips with encryption:

Encrypt mobile devices 
Most mobile devices, like phones and tablets, aren’t equipped with the most secure encryption. If your mobile device is handling sensitive data, have procedures set in place to keep your data secure.

SEE ALSO: Balancing Mobile Convenience and PHI Security

Encrypt email messages 
Securely transmitting patient data over email
is a challenge for healthcare. Even with encryption, email still isn’t very secure.

Use patient portals for sending information to patients, and secure file transfer options for covered entity to covered entity or covered entity to business associate communications. If that’s not possible, make sure the data you’re sending over email is encrypted.

SEE ALSO: How to Send a HIPAA Compliant Email

Use recommended encryptions
Although HIPAA doesn’t specify an encryption, it’s best to use AES-128, Triple DES, AES-256, or better.

Vulnerability Scans

A very high percentage of breaches could have been prevented by finding and addressing vulnerabilities through a vulnerability scan.

Vulnerability scans assess computers, systems, and networks for security vulnerabilities. They can be started manually or on an automated basis, and will complete in as little as several minutes to as long as several hours.

However, vulnerability scans don’t go beyond reporting vulnerabilities. It’s up to the organization’s risk or IT staff to patch weaknesses, confirm false positives (looks like a vulnerability but isn’t one), and then rerun the scan until it passes.

SEE ALSO: 10 Qualities To Look For When Selecting an Approved Scanning Vendor

Here are some security tips with vulnerability scanning:

Run scans frequently
You should run vulnerability scans monthly or at least quarterly. Any less than that, and you risk having your business vulnerable to attackers.

Use the reports
Once the scan is done, a findings report is created. Use these reports to address the vulnerabilities found. Remember, a vulnerability scan is useless if you don’t use the information generated to fix potential security problems.

Why follow the Security Rule? 

When it comes to the Security Rule, no shortcuts should be taken. Make sure you address all the requirements in this rule; otherwise you won’t be HIPAA compliant, you may fail a potential audit, and worst of all, you’re putting your patient’s data at risk.
The HIPAA Privacy Rule protects your patients’ privacy, but the Security Rule protects your patients.
It’s not just about protecting your organization from fines and lawsuits. It’s about protecting your patients from data thieves and attackers.

Your patients trust you; live up to that trust and stay secure with the Security Rule!

download SecurityMetrics HIPAA Security Rule Report