The Health Insurance Portability & Accountability Act (HIPAA) was instituted in 1996, just as medical information was making the transition to digital storage. Originally intended merely to administer better coverage for digital transactions in healthcare, in recent years it has also taken on a security goal.
It does so by ensuring medical data is given the protection it deserves and, if not, that violators are fined for failing to protect both the security and integrity of the sensitive healthcare information with which they have been entrusted.
With the recent announcement of Anthem's $16 million fine to settle HIPAA violations from a 2015 data breach, organizations cannot be too careful.
Due to the implications of a data breach, it is in the best interests of all healthcare organizations to ensure HIPAA compliance software is used and HIPAA audit recommendations are followed, so that HIPAA privacy rules are observed and maintained. Following these steps is part of ensuring "integrity."
What Is Integrity?
HIPAA Security Rule § 164.304 defines integrity as "the property that data or information have not been altered or destroyed in an unauthorized manner." This applies directly to electronic protected health information (ePHI): ePHI must not be modified by either technical or non-technical means without authorization.
In simplest terms, integrity monitoring detects changes to your critical systems, identifies and remediates internal threats, and documents every change within the IT infrastructure.
HIPAA does not list specific recommended safeguards. Many healthcare organizations have therefore chosen to follow the National Institute of Standards and Technology (NIST) framework as a guideline for integrity and security controls.
Within NIST, key activities addressed include:
- Develop an integrity policy and requirements
- Identify possible unauthorized sources that could intercept or modify information
- Identify the users authorized to access ePHI
- Implement mechanisms to authenticate ePHI
- Establish a monitoring process for constant assessment
- Comply with the Security Rule with regard to electronic PHI
- Report breaches of unsecured PHI to covered entities
- Comply with the requirements of the Privacy Rule that apply to covered entities when carrying out their obligations
- Ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate
An Industry in Motion
As with any industry, keeping up with the latest technological trends and app usage is deemed necessary in a demanding, consumer-driven, competitive environment. But are ease of use and consumer demands worth the risk involved with PHI?
With more than 300,000 health-related mobile apps available in the healthcare space, a data incident is more than likely to occur unless the proper security and compliance measures are in place.
- The updated Health Information Trust (HITRUST) Alliance framework combines regulations and standards into a single, specific framework, reducing the vagueness of the HIPAA guidelines.
- Organized Health Care Arrangements (OHCAs) are used by many organizations, as data is routinely shared between them.
With more organizations transitioning security controls to the cloud, the question of whether the data "is secure or not" is top of mind. However, as Omar Khawaja recently stated in a HealthTech interview,
"Security controls should have nothing to do with where the data is, in the cloud or a data center... We should protect the data with the same set of controls regardless of where that data happens to sit, inside or beyond our four walls."
The risk of loss isn't just a loss. A data breach that violates HIPAA privacy and security practices is incredibly costly for today's healthcare groups and organizations. It can wound, sometimes fatally, a healthcare organization in two ways. The first and most obvious is that if an investigation finds that HIPAA policies and procedures were not observed, thus allowing the breach to happen, stiff fines will be applied to the negligent company.
The Department of Health and Human Services (HHS) can fine organizations up to $1.5 million per violation annually, and additional costs associated with a breach or data incident are not always included in the "total costs of a breach".
Far more severe consequences can include the massive cost of recovery, as well as the loss of business once news of the breach is released and patients, business associates, and other entities learn their information has been compromised.
What This Means to Healthcare
In addition to the public relations headache a data breach can cause, there are real consequences for healthcare companies and their clients, patients, and even partners. Ransomware, for example, is extremely serious: the healthcare organization is often denied access to all of its PHI, and the data is held hostage unless a ransom is paid to release it back to its owners.
If the ransom is ignored, the information is either destroyed or may be sold for identity theft purposes. As noted by Lexology, the Anthem settlement highlights that preventative strategies and safeguards must be implemented to minimize the risk of cyberattacks, in addition to appropriate policies and procedures for responding to data breaches promptly and effectively.
Through identity theft, a patient's details, such as social security numbers, bank accounts, or credit card numbers, can be used to seize control of bank accounts or to run up existing credit cards until they are maxed out. This kind of theft can inflict irreparable harm on both the victims and the breached company.
In a recent summary by Manatt, Phelps & Phillips LLP, best practices to mitigate risk are discussed along with a 5-Step Holistic Approach to data breach preparation.
A 5-Step, Holistic Approach for Data Breach Preparation
- Implement a robust backup process, including testing of the disaster recovery plan. Organizations need version control on files, systems, and applications. Ensure the organization's solution can recover every single file, handle a high volume of changes, generate logs, and centralize those logs for faster and more accurate monitoring.
- If infected with malware or ransomware, rebuild the systems to ensure all files associated with the malware are completely removed. Implement file integrity monitoring (FIM) to detect known malicious files while monitoring critical system files and directories.
- Put a solid incident response plan in place. Have a communication protocol, as well as the ability to detect problems quickly, isolate issues and perform malware sandboxing to analyze the malware and understand what it’s doing to the network.
- Make sure the organization has cyber insurance—and a broker who understands not just available coverage but the evolving nature of risk. It is critical to have the right kind of insurance to protect an organization completely because atypical incidents can be very costly—and may require different types of policies to be fully covered.
- Consider whether paying the ransom is the right move. Many issues should go into this decision, including how critical the impacted systems are to the organization and its customers, how confident the organization is that it can recover quickly, how widespread the infection is and what risks are involved in downtime.
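The file integrity monitoring described above (detecting unauthorized changes to critical files, then generating logs that can be centralized) can be reduced to a small baseline-and-compare loop. The following is an added example written for this article, not code from the page or from any vendor product: it hashes every file under a directory, stores the digest and permission mode as a baseline, re-scans later, and emits one JSON log line per added, removed or modified file. The directory tree, file names and hostname are constructed for the demonstration.

```python
"""Minimal file integrity monitor (FIM): baseline critical files by SHA-256,
re-scan, and report what was added, removed or modified.
Added example for illustration; not part of the original article."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its
    digest, permission bits and size. Permissions are recorded because a
    mode change (e.g. a config made world-writable) is also an integrity event."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "mode": oct(st.st_mode & 0o7777),
            "size": st.st_size,
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. 'modified' covers content or permission changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def to_log_lines(report: dict, host: str = "example-host") -> list:
    """One JSON line per finding, the shape a central log collector ingests.
    The hostname is a constructed placeholder."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            lines.append(json.dumps({"host": host, "event": "fim_" + kind, "path": path}))
    return lines


def demo() -> dict:
    """Constructed scenario: baseline a temporary tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=localhost\n")
        (root / "etc" / "users.txt").write_text("alice\nbob\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: config edited, file dropped in, file removed.
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "dropped.bin").write_bytes(b"\x00\x01")
        (root / "etc" / "users.txt").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in to_log_lines(demo()):
        print(line)
```

In a real deployment the baseline would be written to storage the monitored host cannot modify, the scan would run on a schedule, and the JSON lines would be shipped to the central log platform the backup bullet above calls for, so that a tampered configuration file or an unexpected binary shows up as a reviewable event rather than going unnoticed until recovery.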
For all of these reasons and more, HIPAA compliance and integrity are not an inconvenience but an absolute necessity in ensuring that protected health information stays secure.
To learn more about HIPAA compliance, download our HIPAA solution brief today.
November 14, 2018