How Can Your Organization Be HIPAA Compliant, But Isn’t Secure?
It feels like all you hear about is HIPAA. Compliance (or, lack thereof) is such a talking point in the healthcare industry that it’s quickly reached a critical mass.
One problem with this is that it has crowded out a very necessary conversation about cybersecurity in the healthcare sector. Despite what many assume, the fact that HIPAA includes cybersecurity stipulations (i.e., the Security Rule) doesn’t mean that compliance equals security.
The Security Limitations Of HIPAA Compliance
The core fault in HIPAA’s cybersecurity considerations is that they’re limited and outdated. After all, HIPAA was developed in the age of paper records – hard-copy charts, backed up in triplicate, recorded in ballpoint pen.
That doesn’t really reflect the reality of the healthcare world today, does it?
The way you store and access healthcare information, the use of interconnected medical devices, and so on have all contributed to a higher quality of care, benefitting both the healthcare professional and the patient.
However, just as technology helps the healthcare industry through the convenience of data storage and access, it also presents serious cybersecurity risks.
To put it simply: the easier it is for you to access Protected Health Information (PHI), the easier it is for cybercriminals to do so as well. Don’t make the mistake of assuming that because you’re not a major hospital or a busy medical practice you aren’t a potential victim: data is data. If you’re an easy target, cybercriminals will find you.
While HIPAA has undergone changes over the years to address the way the healthcare industry has evolved, many argue that it has failed to keep up.
“[…] we shouldn’t look to HIPAA to provide guidance [on cybersecurity],” said Apixio Chief Technology Officer John Schneider to Health IT Security. “Expecting regulations to fix data security problems is unrealistic.”
Detection Isn’t A Priority, But It Should Be
Many of HIPAA’s regulations concern notification: who you must notify, and how, in the event that your patients’ PHI is breached. It could be a matter of making a public announcement on your website, or reporting to the media, or issuing breach notification letters to Business Associates.
What isn’t much of a priority in HIPAA is detection. It doesn’t really regulate (or therefore, prioritize) detecting when a breach has occurred. This oversight is another remnant of the time when medical records were all on paper, when it would have been virtually impossible to find out whether someone had breached medical data.
Today, a lack of detection controls can leave data exposed for long periods of time. Did you know it takes most businesses up to 6 months to find out that they’ve experienced a data breach? In fact, a DNA-testing service provider accidentally left their patient data exposed for years.
What’s The Best Way To Enhance Cybersecurity?
The most direct way to improve cybersecurity at your healthcare organization is to move your data into the cloud. By migrating it out of an aging, local EHR solution to a modern cloud platform, you can access a range of new security features.
What should you look for in a secure (and HIPAA compliant) cloud solution?
- Data Backups
Having your data stored in the cloud can do wonders for your convenience and productivity, but you need to make sure you have a backup, just in case something happens.
If you’re going to let a cloud provider store your data in their cloud, then make sure they’re also backing it up. Make sure that they:
- Back up data on a regular basis (at least daily).
- Inspect your backups to verify that they maintain their integrity.
- Secure your backups and keep them independent from the networks and computers they are backing up.
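A worked example of the integrity check in the list above, added here and not part of the original article: it records a SHA-256 manifest of a backup set and later reports any file that has gone missing, been altered, or appeared unexpectedly. The file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not from the original article: build a SHA-256 manifest for a
# backup set and later verify that every file is still present and unmodified.
# Keep the manifest (or a signed copy) off the backup host so that whoever alters
# the backup cannot also alter the record of what it should contain.
def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256 digest."""
    return {p.relative_to(backup_dir).as_posix(): sha256_of(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}

def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Return {path: 'missing' | 'modified' | 'unexpected'}; an empty dict means intact."""
    current = build_manifest(backup_dir)
    issues = {}
    for rel, digest in manifest.items():
        if rel not in current:
            issues[rel] = "missing"
        elif current[rel] != digest:
            issues[rel] = "modified"
    for rel in current:
        if rel not in manifest:
            issues[rel] = "unexpected"
    return issues

def demo() -> tuple:
    """Constructed sample: a two-file backup verified clean, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patients.db").write_bytes(b"constructed sample database contents")
        (root / "notes.txt").write_text("constructed sample clinical notes")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Simulate silent corruption of one file and loss of another.
        (root / "patients.db").write_bytes(b"altered contents")
        (root / "notes.txt").unlink()
        tampered = verify_backup(root, manifest)
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```

Run the manifest build right after each backup job and the verification before you rely on a restore; a non-empty result is the signal that the backup can no longer be trusted.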
- Data Encryption
In layman’s terms, encrypted data is scrambled into a form that is meaningless to anyone who intercepts it. It is one of the most effective ways to secure a database, because the data can only be decrypted with a key, which is essentially a “secret password”. The encryption software must be kept up to date so that private information remains accessible only through the database program that holds the key.
Encryption technology is a great way to protect important data. By making data unreadable to anyone who isn’t supposed to have access to it, you can secure files stored on your systems, servers, and mobile devices, as well as files sent via email or through file-sharing services.
When using the cloud, it’s important to make sure that your data is both encrypted while in transit, and at rest.
- Access Monitoring
In addition to encryption, the data you store in the cloud should be protected from unauthorized access:
A firewall is a network security control that blocks unauthorized users and traffic from reaching your data. Firewalls are deployed as hardware, software, or a combination of the two.
- Intrusion Detection
Your cloud provider should also watch for unauthorized attempts to access your data. Whether or not they succeed, such attempts tell you how cybercriminals are trying to reach your data.
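As an added example (not from the original article) of what monitoring access attempts can surface, the detector below runs over constructed EHR audit-log lines and flags two patterns: an account racking up denied access attempts, and an account opening many distinct patient charts in a short window. The log format, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Added example, not from the original article: a small detector over constructed
# EHR audit-log lines (assumed chronological). Flags bursts of denied attempts and
# sweeps across many distinct charts. Log format and thresholds are assumptions.
LINE_RE = re.compile(r"^(\S+) user=(\S+) patient=(\S+) result=(ok|denied)$")
SAMPLE_LOG = """\
2024-03-04T09:01:10 user=nurse01 patient=P1001 result=ok
2024-03-04T23:10:01 user=temp07 patient=P2001 result=denied
2024-03-04T23:10:05 user=temp07 patient=P2002 result=denied
2024-03-04T23:10:09 user=temp07 patient=P2003 result=denied
2024-03-04T23:10:14 user=temp07 patient=P2004 result=denied
2024-03-04T23:10:20 user=temp07 patient=P2005 result=denied
2024-03-05T02:00:00 user=admin3 patient=P3001 result=ok
2024-03-05T02:00:20 user=admin3 patient=P3002 result=ok
2024-03-05T02:00:41 user=admin3 patient=P3003 result=ok
2024-03-05T02:01:05 user=admin3 patient=P3004 result=ok
"""

def parse(text: str) -> list:
    """Log text -> event dicts; lines that do not match the format are skipped."""
    events = []
    for n, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            events.append({"n": n, "ts": datetime.fromisoformat(m[1]),
                           "user": m[2], "patient": m[3], "result": m[4]})
    return events

def flag_users(events, predicate, key, threshold, window) -> dict:
    """Users with >= threshold distinct key() values (among events passing
    predicate) inside some sliding window; value is the peak count observed."""
    per_user = defaultdict(list)
    for e in events:
        if predicate(e):
            per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            seen = {key(e) for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(seen))
    return flagged

def detect(text: str = SAMPLE_LOG) -> dict:
    """Two rules: 5+ denials within 10 minutes, or 4+ distinct charts within 5 minutes."""
    ev = parse(text)
    return {"failed_bursts": flag_users(ev, lambda e: e["result"] == "denied",
                                        lambda e: e["n"], 5, timedelta(minutes=10)),
            "record_sweeps": flag_users(ev, lambda e: e["result"] == "ok",
                                        lambda e: e["patient"], 4, timedelta(minutes=5))}
```

On the sample, temp07 is flagged for five denials in under a minute and admin3 for opening four charts in about a minute at 2 a.m.; the single nurse01 lookup is not flagged.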
To fully benefit from the cloud, healthcare organizations should develop a strategy that complements their organizational goals – including cybersecurity. Cloud solutions for healthcare organizations will continue to provide new and improved patient care capabilities as the technology advances.