Cybersecurity has been an ongoing concern across the healthcare industry. Cyberattacks are not only negatively affecting businesses in healthcare, but also the privacy and security of patients’ data. Unfortunately, basic security tools are no longer making the cut. Now, healthcare organizations must turn to a new advanced solutions for the protection they need from increasingly advanced and more prevalent means of cyberattack.
Organizations are not only finding themselves at risk for major cyberattacks, but are also facing financial and criminal penalties under HIPAA regulation when they do not have the appropriate tools in place. A recent example of this was seen with the major health insurance provider, Anthem.
Anthem holds the all-time record for the largest U.S. data breach in history, as well as the highest HIPAA fine since enforcement began. Anthem was fined $16 million to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for HIPAA violations that resulted in the massive data breach. And that’s not all. Anthem also settled a class-action lawsuit in 2018 for $115 million after its 2015 data breach affected approximately 79 million people. HIPAA fines are only the beginning, especially with the growing trend of civil monetary settlements and state Attorney General fines for data breaches.
HIPAA Security Guidelines
While tools like antivirus and antimalware are important basics when it comes to security standards, they are not the most effective security solution when it comes to protecting patients’ health information.
The HIPAA Security Rule outlines the necessary standards that covered entities and business associates must have in place to protect the confidentiality, integrity, and availability of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include a patient’s name, address, phone number, email, Social Security number, insurance ID number, and medical records, to name a few.
HIPAA guidelines for implementing the security standards mentioned above must address three key safeguards identified in the regulation. These HIPAA security standards include:
- Physical Safeguards: these are the safeguards that a business puts in place to protect the physical security of their offices where PHI or ePHI may be stored or maintained. Common examples of physical safeguards include alarm systems, security systems, and locking areas where PHI or ePHI is maintained.
- Technical Safeguards: these are the safeguards that must be put in place to protect ePHI from the threat of cyberattacks. Examples of technical safeguards include firewalls, data encryption, and data back-up.
- Administrative Safeguards: these are safeguards that must be implemented in order to ensure that staff members are properly trained to execute the security measures you have in place. Administrative safeguards should include policies and procedures that document the security safeguards you have in place, as well as employee training on those policies and procedures to ensure that they are being properly executed.
Advanced Security Services
It’s important to note that HIPAA regulation does not specify specific types or levels of security solutions that must be implemented. Rather, HIPAA regulation and related guidance calls for “effective” security measures to meet a “commercially reasonable best effort” toward HIPAA compliance. That’s why large-scale hospitals and enterprise health systems are required to have more advanced security measures–because the size and scope of their business demands more stringent security protections.
However, with ransomware attacks making headlines day after day, threats to even smaller scale health care providers are becoming far more dangerous.
That’s why, when it comes to securing healthcare data, simple security measures are no longer sufficient to protect against data breaches and fines. The truth is, there are advanced security options available for even the smallest of practices. The days of simply using anti-virus and anti-malware are over.
In order to keep health care data protected, health care organizations should strongly consider implementing solutions or working with IT providers for:
- End-to-end encryption
- Full disc encryption
- Secure communications
- Internal monitoring and auditing
- Endpoint protection
- Business/emergency continuity
By working with a qualified IT provider, managed service provider (MSP), or managed security services provider (MSSP), health care providers can confidently address their security in the age of ransomware. Security goes in hand-in-hand with compliance to keep your business safe.