Covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA-related transaction) and business associates must comply with the HIPAA Security Rule. They do so by developing security safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. Part of an organization's HIPAA cybersecurity obligations under the Security Rule is to develop safeguards that protect its ePHI from common, well-known threats.

One such prevalent threat is the "zero day exploit."

What is a Zero Day Exploit?

A zero day exploit is a dangerous cybersecurity threat. It works by taking advantage of a previously unknown vulnerability in hardware, firmware (software, such as BIOS, that controls a device's specific hardware), or software; the name reflects that the vendor and defenders have had zero days to prepare a fix. Hackers may discover such vulnerabilities through their own research or probing. Hackers may also take advantage of the time lag between when an exploit is discovered and when the relevant patch or anti-virus update becomes publicly available.

What HIPAA Cybersecurity Measures Guard Against Zero Day Exploits?

You can proactively implement a number of Security Rule measures to prevent or mitigate the damage a zero day attack may cause. The Security Rule requires that such measures be designed to prevent, detect, and respond to cyberattacks, including zero day attacks. Specific required measures include:

  • Conducting a risk analysis to identify risks and vulnerabilities
  • Implementing a risk management process to mitigate identified risks and vulnerabilities
  • Regularly reviewing audit and system activity logs to identify abnormal or suspicious activity
  • Implementing access controls to limit access to ePHI
  • Encrypting ePHI, as appropriate, for data-at-rest and data-in-motion
  • Implementing procedures to identify and respond to security incidents
  • Establishing and periodically testing contingency plans to ensure data is backed up and recoverable

Your organization should also routinely provide HIPAA cybersecurity training and should document when each training session was given and who attended it.

Your security awareness and training program should also include periodic security reminders, education, and awareness of the procedures you have implemented for protection against malicious software. The awareness and training program should be provided to all members of your workforce.

HIPAA Protects You

Protect your business from expensive breaches and fines!