November 12, 2015

Posted in:

A Proactive Approach to Cybersecurity in Healthcare: Going Beyond HIPAA Compliance

Going Beyond HIPAA Compliance

This year the Department of Health and Human Services released some alarming statistics on the pervasiveness of security breaches in the healthcare industry: information from nearly 120 million people has been compromised in 1,100 different breaches at healthcare websites since 2009. Despite the presence of HIPAA standards and widespread understanding of the need to protect electronic health information, organizations are still leaving small holes in their cyber security plans – holes which can be exploited by hackers and used to illicitly transmit the private records of thousands (if not millions) of people.

While these statistics may not come as a surprise to some IT professionals, they offer a reminder to organizations and website administrators in the healthcare industry to continually evaluate their cybersecurity plans. Although adhering to HIPAA guidelines is a legal requirement, it is also important to look beyond HIPAA in order to proactively safeguard your sensitive healthcare data in an age of persistent cyber security threats.

The ABC’s of HIPAA Compliance

Any discussions involving the security of healthcare websites invariably involves the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was enacted in 1996 to establish national standards for protecting the privacy and security of certain health information. Any company or Covered Entity (CE) that engages with electronic protected health information (ePHI) must comply with HIPAA’s physical, network, and process security measures. As a healthcare business, it is important to be knowledgeable about each of the components of the HIPAA privacy and security guidelines.

The specific HIPAA requirements can be broken down into the following:

  1. Transport Encryption: Anytime ePHI is transmitted it must be encrypted. This means that any page built to collect and/or display ePHI must be protected via SSL/TLS (i.e. it is accessed through https://)
  2. Authorization: Ensure that only authorized personnel using specific, audited access measures can access ePHI on the website. This usually includes hosting providers who should be HIPAA compliant and sign a Business Associate Agreement (see next section)
  3. Backup: Implementing effective backup measures in order to restore and recover protected health information in an emergency or in the case of accidental deletion.
  4. Storage Encryption: . Encrypting data “at rest” or in storage is required to be addressed under HIPAA controls. This means that doing so is required, but how your company goes about doing it is up to defined internal processes. Storage encryption is particularly important if data may be stored in locations out of the CEs control.
  5. Integrity: Assures the accuracy and consistency of the data being presented and that the data has not been maliciously or accidentally altered.
  6. Disposal: Ensuring that data can be permanently destroyed when necessary. This includes every location where the data could be archived or backed up.

Although these are some of the key components of HIPAA compliance, this is by no means an exhaustive list (more information can be found at the U.S. Department of Health and Human Services website).

It is also important to note that these requirements extend to Business Associates (BAs) who come in contact with ePHI while providing support or ancillary services to CEs. Consequently, selecting the right hosting company is also a key concern for any healthcare website as hosting companies are often entrusted with managing and storing health data. As a Covered Entity under HIPAA, it is your responsibility to ensure that your hosting provider is meeting (or even better, exceeding) HIPAA requirements.

HIPAA Compliant Hosting: Asking the Right Questions

Ensuring HIPAA compliance in a hosting environment requires a comprehensive understanding of each of the HIPAA guidelines and how they are manifested in the storage, transmission, and use of ePHI. Consequently, many healthcare companies select managed hosting services specifically calibrated to addressing HIPAA guidelines rather than taking on all that responsibility themselves.

Some important hosting considerations are:

  • How secure are the data centers? Are they located in low-risk environments? Do they have an adequate facility security plan?
  • What security is in place for data passing to and from the cloud? How comprehensive is the firewall?
  • Is there an effective system in place for destroying ePHI if necessary?

These questions serve as an initial litmus test to gauge the level of knowledge your potential hosting company has in terms of HIPAA requirements. In addition, asking the right questions in the beginning will ensure that both you and the host are on the same page when it comes to implementing an effective security plan for your website and thus proactively tackle any potential problems early on.

However, as the recent spate of data breaches show, adhering to the bare minimum in HIPAA compliance is not enough. The best HIPAA-compliant service providers truly specialize in healthcare hosting and proactively work towards exceeding HIPAA requirements so that cybersecurity plans are constantly re-evaluated and potential issues are identified early on.

What does that look like?

The Future of Healthcare Cybersecurity: Looking Beyond HIPAA

Although healthcare requirements are updated with reasonable frequency (i.e. the introduction of HITECH in 2009), they can never fully account for the latest threats in cyber security. Even if you’re website is in strict compliance with HIPAA now, new technology could be introduced that changes your network and subsequently creates a new vulnerability.

That’s why the best HIPAA-compliant hosting companies actually build proactive security measures into their hosting solutions. Securing sensitive data in healthcare requires a holistic risk management approach that is multi-layered and adaptable in a variety of contexts. Such an approach necessitates multiple tiers of security from physical security at data centers to dedicated firewalls and anti-virus systems. In addition, being proactive to cyber security means the deployment of 24/7 operations and security teams that are constantly monitoring the online infrastructure and reviewing vulnerability scans.

As recent history has shown, adhering to the bare minimum in HIPAA guidelines is rarely enough to safeguard your healthcare website from the latest cyber security threats. As the operator of a health care website, it is important for you to not only consider how to maintain HIPAA compliance but how you can implement a multi-layered, proactive cybersecurity plan that goes beyond the minimum in regulations. Selecting a managed hosting company that truly understands HIPAA compliance and how to proactively deal with potential security threats is crucial if you seek to maintain the security of your data both now and into the future.

Go back