The risks of being found non-compliant with HIPAA guidelines are among the most pressing issues for healthcare IT professionals. In the event of a data breach, HIPAA fines can exceed $1.5 million. To compound matters, the Department of Health and Human Services Office for Civil Rights (OCR) has recently begun the second phase of random HIPAA audits, involving written requests and on-site visits. That means now is the time for organizations to comply with all HIPAA requirements.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes five categories of technical safeguards, which include authentication, documentation, intrusion protection, and data integrity protection. While HIPAA guidelines are not specific on the types of technical safeguards needed to achieve compliance, NIST Special Publication 800-66 provides more insight. If you're unsure of the role file integrity monitoring plays in HIPAA integrity controls, join us for clarification.
What are HIPAA Integrity Controls?
The Department of Health & Human Services (HHS) defines integrity controls in Security Rule, at § 164.304 as "the property that data or information have not been altered or destroyed in an unauthorized manner." This requires that electronic personal health information (ePHI) is not modified in any technical or non-technical way.
This rule includes just one checklist item:
- “Implement electronic mechanisms to corroborate that electronically protected health information has not been altered or destroyed in an unauthorized manner."
Don't have time to read this whole post? Our guide, Meeting HIPAA Requirements with CimTrak, might be a valuable link for you to bookmark and read later.
What Does NIST Say About HIPAA Integrity Controls?
While HIPAA does not provide any specific insight on recommended safeguards against alteration or disposal of protected information, NIST offers more insight by addressing six key activities.
1. Identify All Users Who Have Been Authorized to Access EPHI
This activity should involve the implementation of a formal access control program and active governance. However, "identification" isn't limited to just unique user identifications and strong passcodes. It should also involve audit trails to definitively connect user accounts to activities.
2. Identify Any Possible Unauthorized Sources that May Be Able to Intercept the Information and Modify It
Your security program should include regular testing and analysis of risks, as well as the implementation of safeguards to prevent unauthorized access.
3. Develop the Integrity Policy and Requirements
Based on your access governance and risk assessment, your organization should maintain a set of guidelines on protecting the integrity of ePHI.
4. Implement Procedures to Address These Requirements
Your policy should be translated into action by identifying the right tools and activities for integrity.
5. Implement a Mechanism to Authenticate ePHI
NIST recommends the implementation of "electronic mechanisms" to corroborate the integrity of your protected data.
6. Establish a Monitoring Process To Assess How the Implemented Process Is Working
Using a manual and technical review, organizations should continually assess the efficacy of their integrity protections.
How Does File Integrity Monitoring Support HIPAA Integrity?
Not all file integrity monitoring solutions are equivalent. Before implementation, IT professionals should assess the features of a solution against their requirements to comply with HIPAA integrity controls, using the factors below.
To learn more about how different types of file integrity monitoring can impact both outcomes and security, we recommend Is Open Source File Integrity Monitoring Too Risky?
1. It Can Protect Audit Trails
Not only are secure audit trails an important component of HIPAA compliance, but they're also a crucial factor in information security. The 2016 Verizon Data Breach Investigation Report found that 77% of incidents involved an insider.
Your organization should have access to complete and accurate audit trails which connect all actions taken on your network with a user ID and other important metadata. It should be impossible for any users, including IT administrators, to "turn off" or modify audit trails in any way.
Select file integrity monitoring solutions include unalterable audit trails to simplify the identification of all users with access to data.
2. It Identifies Unauthorized Changes
Regardless of whether unauthorized activity originates from an internal user or third party, your organization needs the intelligence to identify the change. Some file integrity monitoring solutions offer built-in intelligence on the quality of changes. This enables security teams to distinguish between authorized and unauthorized changes and immediately restore the integrity of compromised data.
3. It Identifies Unauthorized Access
Many cybercriminals work incredibly fast. File integrity monitoring allows organizations to detect unauthorized access, changes, and files to maintain network security.
4. It Corroborates the Authenticity of Data
After gaining entry to a network, it is common for cybercriminals to immediately begin modifying critical files in order to prevent detection. By notifying administrative users of negative changes, it's possible to understand integrity risks the minute they begin.
5. It Can Provide Continual Monitoring
The frequency of monitoring for integrity isn't specified in either NIST or HIPAA guidelines. However, real-time monitoring can be crucial. Data loss and theft can occur in a matter of minutes. Selecting a file integrity monitoring solution that works in real-time, as opposed to a weekly or periodic basis, provides security and compliance advantages.
Building a Systemic Approach to Integrity
Achieving HIPAA compliance is complex, but maintaining it is often even more challenging for healthcare organizations. The right file integrity monitoring solution can enable your organization to achieve many of the key activities recommended by NIST. Click here to learn more about how CimTrak is uniquely well-equipped to support HIPAA compliance.
August 16, 2016