What do these situations have in common?
- April 2017: Augusta University Medical Center reported that it had become a victim of phishing for the second time within a twelve-month period.
- From December 2016 through early 2017, a trio of cybercrime rings took over 26,000 open MongoDB servers and demanded ransom.
- July 2017: A successful intrusion of Medical Oncology Hematology Consultants was detected, a breach which compromised 19,203 patient records.
- June 2017: Ransomware brought down Pacific Alliance Medical Center. Two months later, the firm said the attack impacted 266,123 patients.
Since these data breaches are more common and costly than many would like to think, this post will go over some HIPAA fundamentals and review security best practices for protecting HIPAA-compliant data. Here are a few tips and best practices your organization can integrate into your environment to help secure protected health information (PHI) that is under your watch:
1. Encrypt everything.Encryption is critical. A study published in Perspectives in Health Information Management in 2014 examined all HIPAA breaches on file with the HHS Department. At the time of the report (which used all events through September 22, 2013), 27 million records had been compromised via successful attacks of 674 covered entities and 153 business associates. These breaches included intrusions related to hacking, improper disposal, loss, theft, and unauthorized access. They occurred in various digital environments—devices and back end systems—as well as physical documents.
The study provided data about types of breaches, and it reveals how rampant data theft is. Here are the top five types of breach in descending order of volume, with the number of individuals, covered entities, and business associates affected in each case—numbers that in the last few years have grown even more:
- Theft: 12,785,150 people (via 344 CEs and 52 BAs)
- Loss: 7,359,407 people (via 74 CEs and 23 BAs)
- Hacking or IT event: 1,901,111 people (via 59 CEs and 20 BAs)
- Unauthorized access: 1,334,118 people (via 136 CEs and 44 BAs)
- Improper disposal: 649,294 people (via 32 CEs and 5 BAs)
A major concern with “data breach by theft” isn’t the theft itself. In each of those cases, unencrypted information was left on the devices. Encrypting information means that even if bad actors steal digital information, encryption makes that information unusable. When encrypted correctly, ePHI may not fall under the Breach Notification rule, even when the system storing it is physically stolen.
2. Assess your risk.Conduct a complete risk assessment of all the elements of your ecosystem that store, process, or transfer electronic PHI (ePHI). Make sure to evaluate the ways in which your information could be exposed. If your environment includes a data center, you should ask these questions:
- Are natural disasters common in the location of the data center?
- Is there a responsible party associated with all hardware components?
- Have you assessed the security mechanisms that are now in place and any risks that are present?
- Have you taken into account all ways in which ePHI is accessed or manipulated within your system? (Consider the creation, receipt, maintenance, and transfer of ePHI).
3. Training is fundamental.You must properly train your staff, especially since the cybersecurity threat landscape is evolving, and comes with an increasingly sophisticated toolset for accessing your data. Phishing campaigns were created to elicit simple yet devastating mistakes from employees. If a staff member clicks on a link or submits data—like a username or a social security number—they essentially hand over the keys to your organization’s data environment. It’s scary but true that something as simple as a fake email could create a point of entry for attackers to exploit.
Keep in mind that no matter how extensive your training program is, people make mistakes. Back up your training program with technical security controls that prevent employees from installing malware or visiting spoofed websites.
4. Be vigilant and ready to act.Although not fun to think about, it's critical to be prepared for the possibility of a breach. You need a planned response that is easy to execute, but thoroughly designed. The Office for Civil Rights’ checklist lists the steps of a proper response after a breach of HIPAA-protected material:
- Carry out your response and mitigation steps.
- Stop the attack and contain the threat to privacy and security.
- Report the incident to law enforcement.
- Submit the relevant cyber threat indicators to federal and information sharing and analysis organizations (ISAOs).
- Notify the Office for Civil Rights quickly, within 60 days following the detection of a breach that compromised at least 500 people.
5. Read business associate agreements and find partnerships you trust.covered entity or business associate, you need to be certain that any vendor relationships related to PHI or ePHI are designed to protect the data as defined within HIPAA. Whenever you look at a new potential agreement, it’s important to check that the outside entity regularly scans its system for security risks. You also want to know that their staff has been properly trained, and that they have designated security and privacy officers.
While a business associate agreement is necessary from a legal standpoint, it won't protect you at a technological level. To make sure the systems themselves are properly secured and controlled, look to see if the provider has been validated for HIPAA compliance by a qualified, third-party assessor.
Do you need to secure your HIPAA data systems? It may help to put things into perspective to look at the experience of a single organization. See how Complete HealthCare Solutions followed the above best practices to secure their PHI and ePHI.
Author Bio: Adnan Raja has been the Vice President of Marketing at atlantic.net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.