It has grown more challenging to protect patient privacy and secure sensitive data under HIPAA (Health Insurance Portability and Accountability Act) as the volume and persistence of cyber attacks have increased in recent years. Healthcare institutions often hold vast databases of sensitive information, such as credentials and credit card data, that cyber criminals seek to monetize and sell on the dark web. Threat actors use advanced threats such as zero-day attacks to target healthcare organizations, and ransomware such as WannaCry, which used the EternalBlue exploit to spread and infect other systems.
HIPAA outlines requirements for healthcare organizations and their supply chain partners to follow in areas such as risk management, security incident handling and investigation, log monitoring, encryption, and security awareness training. These ever-increasing HIPAA mandates create an opportunity for Managed Security Service Providers (MSSPs) to assist Covered Entities (CE) such as healthcare providers, health plans, and healthcare clearinghouses as a trusted advisor and IT and security expert.
Crucial HIPAA Compliance Considerations
The 700,000 + healthcare organizations in the United States face a myriad of compliance and security mandates that represent a sizable opportunity for Managed Service Providers (MSPs) looking to evolve into MSSPs. It is crucial for MSSPs to understand the following compliance facts and security criteria if they plan to, or already support, healthcare organizations that are covered by the privacy and cybersecurity aspects of HIPAA:
1. Understand the definition of PHI.
Penalties are assessed for leaks of Protected Health Information (PHI). PHI/ePHI includes any information that identifies an individual and relates to at least one of the following:
- The individual’s past, present, or future physical or mental health
- The provision of healthcare to the individual
- The past, present, and future payment for healthcare
Disclosure of PHI/ePHI due to careless mistakes or willful neglect is a violation of HIPAA compliance regulations.
2. Business associates must safeguard PHI data.
It’s not only the healthcare entity that is responsible for safeguarding PHI/ePHI. Organizations in the healthcare ecosystem such as attorneys, data service providers, billing agents, and MSPs/MSSPs are also responsible for maintaining healthcare privacy and security. These healthcare supply chain partners may require access to confidential healthcare information.
A Business Associate Agreement (BAA) is a written contract that specifies each party’s responsibilities for protecting healthcare data. Business Associates (BA) can also be fined in the event of a data breach, whether caused by intentional or inadvertent actions. A HIPAA best practice for business associates is to limit access to PHI data only to those with a specific “need to know” to reduce the attack surface and propagation of sensitive healthcare and patient information.
3. A SIEM can simplify HIPAA compliance.
HIPAA compliance need not be difficult and time-consuming. System logs provide evidence of anomalous events, but that evidence is co-mingled with millions of routine audit log entries. A Security Information and Event Management (SIEM) solution centralizes the collection, real-time analysis, and storage of logs so that advanced threats can be detected and pinpointed. MSSPs can add SIEM software or even SIEM-as-a-Service to their portfolios to enhance compliance reporting and better prepare clients for an audit.
Continuum Fortify for Network Security is a world-class SIEM that includes pre-defined reports for compliance frameworks such as HIPAA and PCI DSS. The absence of SIEM technology has regularly been identified as a glaring weakness in data breach post-mortems.
4. Insider threats constitute a big risk.
Healthcare is the only industry where insider threats outnumber external threats, according to the Verizon Data Breach Investigations Report 2019. An insider threat is an organizational risk that flows from employees, former employees, contractors, and supply chain partners. Because insiders often have access to sensitive data, have direct knowledge about computer systems, and know where security gaps exist, these insider threats are considered some of the most challenging to detect and mitigate. A SIEM solution that includes User and Entity Behavior Analytics (UEBA) enables anomalous behavior detection against insider threats.
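The log analysis that the two points above describe (separating anomalous ePHI access from routine audit noise, and spotting insider behaviour that deviates from a user's own baseline) can be shown on a small scale. The following is an added example, not code from the original post or from Continuum Fortify; the audit log format, user names and business-hours window are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of ePHI access audit records (assumed format, not from the post).
# Each line: ISO timestamp, user id, action, patient record id.
AUDIT_LOG = """\
2019-06-03T09:12:00 nurse_a VIEW pt-1001
2019-06-03T10:40:00 nurse_a VIEW pt-1002
2019-06-03T11:05:00 billing_b VIEW pt-1001
2019-06-04T08:50:00 nurse_a VIEW pt-1003
2019-06-04T09:30:00 nurse_a VIEW pt-1001
2019-06-04T14:00:00 billing_b VIEW pt-1004
2019-06-05T09:00:00 nurse_a VIEW pt-1005
2019-06-05T02:10:00 billing_b EXPORT pt-1001
2019-06-05T02:11:00 billing_b EXPORT pt-1002
2019-06-05T02:12:00 billing_b EXPORT pt-1003
2019-06-05T02:13:00 billing_b EXPORT pt-1005
2019-06-05T02:14:00 billing_b EXPORT pt-1006
2019-06-05T02:15:00 billing_b EXPORT pt-1007
"""

def parse(log_text):
    """Split each audit line into (day, hour, user, action, record)."""
    records = []
    for line in log_text.splitlines():
        ts, user, action, record = line.split()
        records.append((ts[:10], int(ts[11:13]), user, action, record))
    return records

def find_volume_anomalies(records, ratio=3.0, min_records=5):
    """UEBA-style check: flag a (user, day) whose count of distinct patient
    records is at least min_records and at least ratio times that user's
    mean daily count on their other days (the user's own baseline)."""
    per_day = defaultdict(set)
    for day, _hour, user, _action, record in records:
        per_day[(user, day)].add(record)
    counts_by_user = defaultdict(dict)
    for (user, day), recs in per_day.items():
        counts_by_user[user][day] = len(recs)
    flagged = []
    for user, counts in counts_by_user.items():
        for day, n in counts.items():
            others = [c for d, c in counts.items() if d != day]
            baseline = mean(others) if others else 0
            if n >= min_records and n >= ratio * baseline:
                flagged.append((user, day, n, baseline))
    return flagged

def find_off_hours_access(records, start=7, end=19):
    """Return ePHI accesses outside the assumed business window [start, end)."""
    return [r for r in records if not (start <= r[1] < end)]
```

On the sample above, billing_b's six-record export at 02:00 is flagged both as a volume anomaly against that user's baseline and as off-hours access, while nurse_a's routine daytime lookups are not.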
5. HIPAA compliance requires people, processes and technology.
The first step in HIPAA compliance is to understand an organization’s unique risks and how these risks can be exploited, as well as mitigated. A holistic approach is needed to assess the threats specific to the healthcare industry. In addition to security technology, human expertise and processes are crucial to monitor network systems and create actionable information regarding routine events and suspicious activities worthy of further investigation.
6. The cost of non-compliance can be sizable.
In 2018, the Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS) issued 11 penalties for HIPAA non-compliance totaling over $23 million. It assessed fines both for data breaches and for the lack of required BAAs. The average fine totaled $500,000, which is a vast sum for small and medium-sized healthcare providers or associated businesses. In addition to the financial penalties, other impacts include lost internal productivity, negative publicity, and a decrease in patient loyalty. The OCR is using these penalties to send a message to the entire healthcare community that healthcare data and privacy gaps are typically preventable.
7. Compliance is the starting point.
Although HIPAA compliance can be complicated and necessitate time and planning to implement the framework, it should just be a starting point for most organizations. Just as threat actors are evolving, cybersecurity and data privacy practices must continue to adapt and evolve. Modern threats require modern threat mitigation technology and practices. MSSPs must stay informed and educated about healthcare compliance and enhancement mandates over time.
Accelerate HIPAA Compliance
Expand your revenue and profit margins by focusing on HIPAA compliance opportunities with an educated understanding of the requirements involved for business associates. SIEM is a path to improve security, compliance, and bottom-line financial results all at the same time. Add HIPAA to your portfolio with Continuum Fortify for Network Security to grow and monetize your expertise.
By Lily Teplow