In our October 13, 2016 post “HIPAA and Network Security/Compliance: Why Should YOU care?” we touched on compliance with the Health Insurance Portability and Accountability Act of 1996 – lovingly referred to by those in the healthcare business as HIPAA (pronounced HIP-uh) – and gave a brief overview of how it affects business owners in the healthcare field.

In a world with ever more ways to obtain other people’s information for illicit gain, it’s important to remember that compliance with HIPAA is not just the job of your boss, your coworker, or your compliance officer and/or team. Anyone who has worked in any facet of the healthcare field will have heard, ad infinitum, that HIPAA compliance is everyone’s job.

Since its signing into law on August 21, 1996 there have been several regulatory updates that have altered the governance and compliance requirements of HIPAA ’96. On February 20, 2003 the Department of Health and Human Services published the HIPAA Security Rule. While HIPAA as a whole regulates the handling of all Protected Health Information (PHI), the Security Rule narrows its scope to ePHI: PHI that is created, received, stored, or transmitted in electronic form. The general safeguards language comes from section 164.530(c): “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information”.

What kinds of storage and transmission media carrying PHI are covered by the Security Rule?

  • Magnetic tapes
  • Optical discs
  • Hard drives (internal and external)
  • USB thumb drives
  • Smart phones
  • Storage area networks
  • Information sent between computer systems (internal and external)

Thankfully, the HIPAA Security Rule spells out the safeguards you must put in place to protect you and your company as well as possible from a breach (Sections 164.308 through 164.316). These cover administrative, physical, and technical safeguards as well as organizational requirements, policies and procedures, and documentation requirements. (For a full outline of these standards, go here).

I’m sure, at this point, you’re saying, “Great, but what does this mean for me and my role in the healthcare industry?” What this means, first and foremost, is that it is not only important to protect the health information of your patients, clients, or members from a physical standpoint; it is equally, if not more, important to protect their information in any digital or electronic format. There are often severe monetary penalties as well as internal costs for any breach of PHI. According to a study by IBM Security, a breach in the healthcare industry costs approximately $355 per compromised record, and an organization has a 26% chance of suffering a material breach over a two-year period. Government-levied penalties for failing to comply with HIPAA regulations range from $100 to $50,000 per violation, with a cap of $1.5 million per year!

How do you prevent these kinds of infractions and the penalties that come with them? We’ve already covered the types of record-keeping media that hold protected ePHI, so now let’s cover some practical ways to keep this information out of the wrong hands.

The PHI Protection Network (PPN) held a conference in December of 2014 to discuss this very issue and developed a list of 10 ways you can protect patient information. Beyond that list, consider the everyday threats described below.

The list of ePHI sources above includes smartphones. As we all know, smartphones almost always come with a camera. In a world of social media where life is documented in pictures, videos, tweets, etc., the smartphone is a danger not only to PHI but to your employees as well. Most companies these days have a social media policy that governs the use of social media in the workplace as well as posting about the workplace. A selfie taken near an unlocked computer displaying PHI and posted to Instagram is a breach waiting to happen. Even answering seemingly harmless questions about your company via social media can pose a threat when the answers are collected by an adept social engineer.

There are also attackers to consider. How do you determine the potential threat to your data? This is where your friendly neighborhood IT personnel come in handy; SecureWorks information security expert Jon Ramsey suggests the following:

Sit your two best IT guys down for a while, and ask them how they’d break into your system, where they’d [attempt access], what they’d look for, and you’ll come up with a pretty good threat model pretty quickly. Threat modeling means considering who is going to attack you, how, and what are the assets they’re going to go after.

In the end, it is important to stay ahead of the game. The healthcare industry, technology, and the threats to both are ever-evolving. As a provider, business, or any other entity regulated by HIPAA, it is your duty and your business to stay ahead of the curve and protect as much of your data as possible. However, just as you can’t please all the people all the time, you can’t protect all your data equally all the time, so prioritization is another key to maintaining compliance: know which data matters most and defend it first. As former National Security Advisor McGeorge Bundy said, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”

For more information on HIPAA not covered in this article, see the following additional resources:

Tony Cody is the Founder and CEO of 12 Points Technologies, a digital forensics and cyber security company that helps protect businesses from online threats, recover from online incidents and provides services for those who need to recover critical information from digital devices.  Tony has over 20 years of IT experience with the U.S. military and private firms.  For more information, please visit www.12PointsInc.com.