Healthcare Cybersecurity Beyond HIPAA
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, created industry standards for how protected health information (PHI) is handled. However, the law predates much of the technology that healthcare organizations now rely on. With the vast amounts of information collected in the healthcare space, healthcare cybersecurity is of the utmost importance. The rise in ransomware attacks, especially against the healthcare industry, highlights the need for organizations to look beyond HIPAA requirements to ensure the security of their patient data.
John Schneider, Chief Technology Officer at Apixio, stated that the problem with HIPAA is that its main function was data privacy, not data security: “At the time, we rightfully worried that people might be discriminated against based on health, for example, in the job market. HIPAA had very little to say about technology.” When HIPAA was enacted, far less of the healthcare workflow was digital, so cybersecurity was not the law’s focus.
However, over the past few years ransomware attacks have increased sharply. In a ransomware attack, an attacker gains access to a network and encrypts files (and, increasingly, also exfiltrates them), then demands payment for the decryption key or for not publishing the stolen data. Organizations that refuse to pay and do not have intact, tested backups often permanently lose their data.
Schneider believes that legislation will do little to remedy the issue as, “Just as we didn’t know what today’s digital ecosystem would look like 20 years ago, we can’t predict what legislation we might need to protect against in the future because technology is progressing orders of magnitude faster.” Instead, healthcare organizations need to take their cybersecurity into their own hands. Organizations that don’t have dedicated security staff should look for providers that hold a SOC2 attestation or HITRUST certification to handle their healthcare cybersecurity.
Does HIPAA Help Detect Healthcare Cybersecurity Issues?
Healthcare cybersecurity breaches can be difficult to detect; some go unnoticed for months or even years. The best way to prevent and detect cybersecurity threats is to have organization-wide cybersecurity practices and an incident response team, so that breaches are identified and contained quickly.
According to Schneider, “Today, we have many digital tools at our disposal to detect breaches, so we can detect more of them more quickly, but without robust response protocols, providers won’t be able to manage breaches effectively. More regulation cannot solve this problem. If we were to rely on more regulations or larger punitive measures to safeguard patient data, it will only hinder IT improvements and digital healthcare developments.”
HIPAA standards are no longer sufficient when it comes to data security. Although the Breach Notification Rule requires that breaches affecting 500 or more individuals be reported within 60 days of discovery, reporting does nothing about the time before discovery; if a breach goes undetected for months, the damage is already done. The more quickly a breach is detected and contained, the less it costs the organization. Organizations with robust healthcare cybersecurity practices are therefore in a better position to handle a breach should one occur.
Implementing Healthcare Cybersecurity Practices
Using a cloud service to hold data can bolster healthcare cybersecurity: cloud providers give organizations access to security tooling as well as data backup services. However, to remain HIPAA compliant, an organization must have a signed business associate agreement (BAA) with the cloud provider before using the service to store PHI. A BAA sets out each party’s HIPAA obligations: the cloud provider is directly liable for its own violations, while the covered entity remains responsible for how it configures and uses the service. If the cloud provider’s own failure leads to a data breach, the provider is the party held responsible for that incident.
HIPAA May Be Lacking But It’s Still Mandated
Although HIPAA may be lacking in regulations that address current cybersecurity threats, adhering to the law is mandatory. Adhering to HIPAA standards will put an organization in a better position to secure the PHI it works with. Nevertheless, organizations should look beyond HIPAA cybersecurity requirements and implement more thorough cybersecurity practices that protect the sensitive data they handle.
Many recent breaches have been vendor-related, so Schneider recommends that, “Providers should require that their business associates obtain certifications like SOC2 or HITRUST if they don’t already have them, and ensure those certifications remain current.” Ensuring that business associates properly manage their security reduces the risk of a breach caused by a business associate’s mismanagement. Properly vetting vendors can save organizations the headache of dealing with a data breach.
Do You Need Assistance with Healthcare Cybersecurity?
Compliancy Group gives healthcare providers and vendors working in healthcare the tools to confidently address their HIPAA compliance in a simplified manner. Our cloud-based HIPAA compliance software, The Guard™, gives healthcare professionals everything they need to demonstrate their “good faith effort” towards HIPAA compliance.
To address HIPAA cybersecurity requirements, Compliancy Group works with IT and Managed Service Provider (MSP) security partners from across the country, who can be contracted to handle your HIPAA cybersecurity protection.