Moving beyond HIPAA to keep patient data secure

June 19, 2023

This paid piece is sponsored by Eide Bailly LLP.

A version of this article first appeared on EideBailly.com.

By Eric Pulse, risk advisory principal, [email protected]

Today, health care organizations are prime targets for cyberattacks. Cybercriminals use everything from malware and ransomware to exploiting weak passwords and other tactics to gain access to confidential patient data. This can include names, birth dates, credit card numbers, phone numbers, employment histories and more.

Before the creation of the Health Insurance Portability and Accountability Act in 1996, no generally accepted set of security standards or requirements for protecting health information existed. But while health care organizations now are required to abide by HIPAA’s rules to safeguard health information from unauthorized access, simply complying may not be enough to protect against cyberattacks.

The HIPAA Security Rule

The HIPAA Security Rule is a mandate that health care entities must follow, and it is designed to safeguard ePHI, or electronic protected health information, while also allowing entities to continue adopting new technology to improve the quality and efficiency of patient care.

Because of the diversity of the health care industry, the Security Rule is flexible and scalable depending on the covered entity’s size, structure and risk level. However, in all cases, there are physical, technical and administrative safeguards that must be in place.

Physical safeguards are those that protect systems that store ePHI. Examples include:

  • Facility access and control. Physical access to facilities must be limited while ensuring that authorized access is allowed.
  • Workstation and device security. A covered entity must ensure proper use and access to workstations and electronic media and create procedures for transferring, removing and disposing of electronic media to protect ePHI.

Technical safeguards are policies and procedures protecting the use and accessibility of ePHI. Examples include:

  • Access control. Only authorized individuals should be able to access ePHI.
  • Audit control. Software must be in place to record and examine activity in systems that contain or utilize ePHI.
  • Integrity control. There must be mechanisms to ensure that ePHI is not tampered with or altered in an unauthorized manner.
  • Transmission security. Technical security measures should be in place to guard against unauthorized access to ePHI that is being transmitted over an electronic network.

Administrative safeguards are those that monitor the human element of risk. Examples include:

  • Security personnel. A security official should be designated to develop and implement security policies and procedures.
  • Information access management. A covered entity must implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient’s role.
  • Workforce training and management. A covered entity must provide appropriate authorization and supervision of workforce members who work with ePHI. All workforce members must be trained in security policies and procedures. There must be appropriate sanctions against members who violate policies and procedures.
  • Assessment. A periodic assessment of security policies and procedures must take place.

Using HIPAA to create stronger cybersecurity practices

Health care organizations that are HIPAA compliant have met the minimum standards for security and health care data privacy as determined by the U.S. Department of Health and Human Services. However, simply being HIPAA-compliant does not mean a company is adequately protected against cyberattacks.

While HIPAA is a great starting point for understanding your security posture and risk management strategies, organizations must take additional steps to ensure comprehensive cybersecurity measures are in place.

Instead of focusing on security in a sporadic, disjointed way – seeking mostly to check compliance rules off a list and move on – health care organizations should take a holistic approach to cybersecurity. After all, the average cost of a data breach in health care reached an all-time high of $10.1 million in 2022.

How do you implement better, more comprehensive cybersecurity practices in your organization?

It starts with investing in prevention and awareness.

While software and safeguards are critical to protecting patient data, those tactics are only as effective as your staff is at implementing and managing them. It is equally – and possibly even more – important that your staff members acknowledge and understand the role they play in keeping patient data safe.

To better understand where your health care organization stands with HIPAA compliance and its overall security posture, start by conducting a security risk assessment, or SRA.

Ensuring compliance with the HIPAA security risk assessment

To ensure the HIPAA Security Rule is being followed by health care entities, the HIPAA security risk assessment was created. The SRA is meant to:

  • Ensure the confidentiality, integrity and availability of all ePHI created, received, maintained or transmitted by a covered entity.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

In general, conducting an SRA helps your organization stay compliant with the administrative, physical and technical safeguards listed above. A risk assessment also helps reveal areas where your organization’s protected health information could be at risk, which can provide a great starting point for better cybersecurity measures overall.

There are several methods of performing a risk analysis, and there is no single best practice that guarantees compliance with the Security Rule. However, regardless of how the SRA is performed, the assessment should include these steps:

  • Gather information.

The first step is to identify where your organization’s ePHI is stored, received, maintained and transmitted. This may involve communicating with individuals responsible for certain systems and processes – HIPAA compliance officers, IT, HR, etc. – reviewing documentation or using other data-gathering techniques. The data on ePHI gathered using these methods must be documented.

  • Analyze threats, security measures and gaps.

After gathering the necessary information, it is time to perform the assessment itself. This is where your organization will identify possible threats to ePHI, analyze the current security measures in place and determine if there are gaps in your compliance. At this time, the SRA also should document the likelihood of each threat occurring and the impact it could have on the security of patient data.

  • Create a plan for remediation.

When security gaps are discovered, you need to identify remediation items or tasks that must be accomplished to address the gaps. By identifying these areas, creating a remediation plan to address the gaps and then following through on that plan, you are considered HIPAA compliant.

  • Consistently review and update your security practices.

HIPAA compliance is a bit of a moving target, and your organization may not be perfectly HIPAA compliant 100 percent of the time. That is why consistent monitoring and assessment are important.

While it is encouraged to perform an SRA at least once a year, a truly integrated risk analysis and management process is performed as new technologies and business operations are implemented. For example, if your organization has experienced a security incident, change in ownership, turnover in key staff or is planning to incorporate new technology to make operations more efficient, the potential risks should be analyzed to ensure ePHI is reasonably and appropriately protected.

Making compliance an organizational priority

As a health care entity, it is your responsibility to ensure that patient data is safe, secure and protected against potential threats. Should you fail to comply with HIPAA’s Security Rule, you can face hefty fines, loss of employment, suspension of your medical license or even jail time.

Seek professional assistance in conducting your SRA. Not only will this alleviate stress, but it will also ensure a more comprehensive analysis of your organization’s cybersecurity measures. Consulting with experienced advisers can help bring awareness to SRA compliance risks and assist your organization in creating a clear path forward.
