Healthcare organizations have been pushed to the limit handling the explosion in COVID-19 cases. At the same time, they have been bombarded by cyberattacks when they are most vulnerable. Complying with the Health Insurance Portability and Accountability Act (HIPAA) is the last thing on their minds. Yet compliance issues in healthcare remain central for hospitals and other healthcare providers.
The good news is that a security program based on Zero Trust policies and supported by strong identity governance and administration (IGA) solutions can help healthcare providers comply with HIPAA without disrupting vital services necessary in this time of the pandemic.
HIPAA Privacy and Security Rules
First, let’s examine what HIPAA requires of healthcare organizations. The HIPAA Privacy Rule addresses how protected health information (PHI) can be used and disclosed, while the HIPAA Security Rule applies specifically to electronic PHI (e-PHI). PHI covers a broad range of health information, including health records, health histories, lab test results, and medical bills.
The Privacy Rule requires healthcare organizations to institute safeguards to protect the privacy of PHI and sets limits on how PHI can be used and disclosed without the patient’s authorization. The rule also gives a patient the right to examine and obtain a copy of their health records and to request corrections.
The Security Rule requires healthcare providers to institute administrative, technical, and physical safeguards for protecting e-PHI. Providers need to ensure the confidentiality, integrity, and availability of e-PHI they create, receive, maintain, or transmit. They must also guard against reasonably anticipated threats to the security or integrity of e-PHI, as well as protect against impermissible use or disclosure of e-PHI and ensure compliance by their workforce.
Challenges to HIPAA Compliance
The shift to remote work prompted by the COVID-19 pandemic has raised concerns about the security of PHI. Remote work depends heavily on mobile devices, with healthcare workers using their smartphones and tablets to handle patient data. A lost, stolen, or unencrypted mobile device is one of the most common ways PHI is exposed, and healthcare organizations without robust device controls (enrollment in device management, full-disk encryption, remote wipe) can easily run afoul of HIPAA.
Healthcare organizations are increasingly using instant messaging to communicate quickly and efficiently about patients. This can improve productivity, but without proper controls, messages containing PHI on unmanaged devices can put the organization in violation of HIPAA. The University of Rochester Medical Center paid $3 million to settle with OCR after the loss of unencrypted mobile devices led to a breach of PHI.
The pandemic has also spurred an increase in the use of telemedicine to treat patients remotely. The Mayo Clinic recently announced that it had used $1 million in federal funds to expand its telemedicine program to minimize the spread of COVID-19 while continuing to treat patients. To encourage the use of telemedicine, the Department of Health and Human Services (HHS) has eased HIPAA enforcement. In March 2020, HHS’s Office for Civil Rights (OCR) announced that it would exercise enforcement discretion and not impose penalties for HIPAA noncompliance on healthcare providers that serve patients through telehealth in good faith during the COVID-19 public health emergency.
This enforcement discretion applies to non-public-facing remote communication apps (e.g., Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, Zoom, and Skype) when used in “good faith” for treatment or diagnosis, “regardless of whether the telehealth service is directly related to COVID-19.” Public-facing apps, such as TikTok, Facebook Live, Twitch, or a public chat room, do not qualify. Two caveats matter for practitioners: OCR still encourages providers to tell patients that these apps carry privacy risks and to enable whatever encryption and privacy settings the apps offer, and the discretion is temporary; it does not change the Security Rule itself.
Another challenge to HIPAA compliance is compatibility issues with electronic health record (EHR)/electronic medical record (EMR) systems connecting with other internal and external systems. Organizations often find it hard to share patient information outside of their EHR/EMR system. This opens up the risk of PHI being breached when employees resort to workarounds, such as faxing medical records or exchanging electronic records on USB drives and through other insecure channels.
The increasing use of Internet of Things (IoT) devices in healthcare settings, such as patient monitoring devices, is also exposing organizations to data breaches because security is often overlooked during development and deployment. The makers of IoT devices often prioritize functionality and speed to market over the security of their products.
Additionally, third-party healthcare vendors can be a source of PHI breaches because they handle patient information but do not necessarily have adequate security. They may not have the financial resources to implement a robust security program, or they may not realize they have vulnerabilities.
Finally, there is the risk to PHI from malicious actors such as ransomware attackers or malign insiders. Ransomware groups are exploiting the COVID-19 pandemic to attack healthcare organizations when they are most vulnerable. In addition to encrypting systems, these attackers now exfiltrate data before encrypting it and threaten to publish it, knowing that the victims could face hefty HIPAA penalties and breach-notification obligations if it is released.
Malicious insiders are looking to make money by selling stolen PHI to cybercriminals, who use the information to carry out many types of fraud. Stolen healthcare records typically command higher prices on criminal markets than other kinds of personal data, and the average cost of a healthcare data breach has been estimated at $7.13 million, the highest of any industry.
Zero Trust and Healthcare
With the explosion of data breaches and network infiltrations, it is becoming clear that the perimeter-based security approach is not working, and it costs healthcare organizations time and money that could be better used in treating patients.
This is where Zero Trust can help. Zero Trust is a security strategy in which no user, device, or network location is trusted by default: every request is authenticated and authorized against policy, regardless of whether it originates inside or outside the traditional network perimeter. Technologies that support Zero Trust include multi-factor authentication (MFA), identity and access management (IAM), orchestration, analytics, encryption, risk scoring, and file system permissions.
A Zero Trust approach can help healthcare organizations address the challenges of securing PHI and other sensitive data without disrupting essential healthcare treatment and services. Zero Trust in healthcare should focus on device health, identity and access management, and network segmentation. Even if attackers steal credentials and get onto the healthcare provider’s network, their ability to move laterally is sharply limited. Network segmentation is particularly effective against ransomware because the attackers can be contained within the segment they breached instead of encrypting the entire network and stealing sensitive data from every system on it.
Zero Trust can also secure the IoT devices that are widely deployed in healthcare settings. These devices often fall through the cracks of a traditional perimeter-based security model. Medical devices traditionally communicated with a single computer, so network security was rarely designed in. Now multiple medical devices talk to numerous endpoints within the healthcare network, making authentication of these devices, not just of their users, imperative.
The Zero Trust approach also limits access to only what an employee needs to do in his or her job. This is known as least-privilege access, and it helps to limit the damage that a malicious insider can do to an organization. In terms of third-party vendors, Zero Trust enables healthcare organizations to limit access of vendors to only what they need to provide their service or product.
By strictly controlling access to systems, improving PHI security, limiting the damage an attacker can do, and strengthening the security of devices and vendors, Zero Trust helps a healthcare organization comply with HIPAA and avoid fines. But Zero Trust is not easy. Healthcare providers need to inventory the devices that access the network and map traffic flows so that access control policies and permissions can be developed. These policies and permissions cannot break existing processes and systems, or patients’ lives could be at risk. In practice that means deploying new policies in audit-only mode first, so that any clinical workflow the policy would block shows up in the logs before enforcement is switched on.
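The per-request decision that the paragraphs above describe (authenticate the person, check the device’s health, and only then decide whether that role may reach that network segment) can be made concrete in a few dozen lines. The following is an added example written for this article, not code from the article’s author or from any Zero Trust product; the role names, segment names, device checks and the 30-day patch threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Added example (not from the original article or any product): a minimal
# Zero Trust policy decision point for a hospital network. Roles, segment
# names, device checks and thresholds are assumptions for illustration.


@dataclass(frozen=True)
class Identity:
    user: str
    role: str            # e.g. "clinician", "biomed", "vendor"
    mfa_passed: bool     # did this session complete multi-factor auth?


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in the organization's device management
    disk_encrypted: bool
    patch_age_days: int  # days since the last OS/security update


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    segment: str         # network segment that holds the target system
    resource: str


# Which roles may reach which segment. Anything not listed is denied, so a
# clinician credential, even a stolen one, never reaches the device VLAN.
SEGMENT_POLICY = {
    "ehr": {"clinician", "nurse", "billing"},
    "medical-devices": {"biomed", "device-service"},
    "vendor-portal": {"vendor"},
}

MAX_PATCH_AGE_DAYS = 30


def device_health_failures(device: Device) -> list:
    """Return the device-health checks that fail (empty list if healthy)."""
    failures = []
    if not device.managed:
        failures.append("device not managed")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return failures


def evaluate(req: Request) -> tuple:
    """Evaluate identity, device health and segmentation for one request.

    Returns (allowed, reasons). Every check runs so a denial lists all of its
    causes, which is what an analyst wants to see in the access log.
    """
    reasons = []
    if not req.identity.mfa_passed:
        reasons.append("MFA not satisfied")
    reasons.extend(device_health_failures(req.device))
    if req.identity.role not in SEGMENT_POLICY.get(req.segment, set()):
        reasons.append(
            f"role {req.identity.role!r} not permitted on segment {req.segment!r}"
        )
    return (not reasons, reasons)


# Constructed scenarios: a hospital laptop, a personal phone, and one clinician.
HOSPITAL_LAPTOP = Device("LAP-0142", managed=True, disk_encrypted=True, patch_age_days=5)
PERSONAL_PHONE = Device("BYOD-7781", managed=False, disk_encrypted=False, patch_age_days=200)
CLINICIAN = Identity("dr.ahmed", "clinician", mfa_passed=True)
# The same username and password replayed by an attacker, without MFA.
STOLEN_CREDENTIAL = Identity("dr.ahmed", "clinician", mfa_passed=False)

SCENARIOS = {
    "clinician reads EHR from hospital laptop":
        Request(CLINICIAN, HOSPITAL_LAPTOP, "ehr", "patient-chart"),
    "clinician tries to reach infusion pump controller":
        Request(CLINICIAN, HOSPITAL_LAPTOP, "medical-devices", "pump-controller"),
    "stolen credential from unmanaged phone":
        Request(STOLEN_CREDENTIAL, PERSONAL_PHONE, "ehr", "patient-chart"),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        allowed, reasons = evaluate(req)
        verdict = "ALLOW" if allowed else "DENY: " + "; ".join(reasons)
        print(f"{name}: {verdict}")
```

Running the block shows the three outcomes the text argues for: the clinician on a healthy hospital laptop gets the chart, the same clinician is refused the medical-device segment because segmentation is decided by role rather than by being “inside” the network, and the stolen credential is refused with every failing check listed (no MFA, unmanaged and unencrypted device, stale patches). Keeping all the reasons rather than stopping at the first one is the design choice that makes the denial useful in an audit-only rollout.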
IGA and Zero Trust
IGA is a policy framework and set of security solutions that provide organizations with the ability to mitigate risk and manage identities. It enables a provider to streamline user provisioning, password management, policy management, and access governance.
In the healthcare industry, most IT security leaders do not have the personnel to build and maintain an effective security posture by hand. IGA can help by giving healthcare organizations visibility into their actual security posture instead of relying on their perceived security posture. It gives organizations an understanding of who has access to what systems, applications, and resources, and, more importantly, why they have that access.
For example, if an anesthesiologist has mistakenly been granted access to a wide range of patient records instead of only the patients he or she is treating, IGA can flag that problem. It can raise the issue to the IT security team through an ad hoc access review, or automatically revoke the access that falls outside the role’s policy. In another example, a nurse can be granted access to administer only specific drugs after his or her manager approves an access request, with the approval valid only for a specific date; when that date passes, the next access review flags the entitlement for removal.
IGA makes healthcare compliance easier because the audit trail of who requested, approved, and reviewed each access grant is readily available when auditors ask for it.
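The two examples above (the anesthesiologist with over-broad record access and the nurse with a manager-approved, date-bound drug entitlement) are both instances of one control: an access review that compares what each person actually holds against their role baseline and against any approved, time-limited exceptions, and writes an audit line for every decision. The block below is an added example written for this article, not code from the article’s author or from any IGA product; the user names, roles, entitlement strings and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Added example (not from the original article or any IGA product): an
# access review that classifies each grant as in-policy, approved-exception
# or revoke, and emits an audit trail. Names, roles, entitlement strings
# and dates are constructed for illustration.


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    entitlement: str       # e.g. "ehr:read:assigned-patients"


@dataclass(frozen=True)
class Approval:
    user: str
    entitlement: str
    approved_by: str
    valid_from: date
    valid_to: date         # inclusive


# What each role may hold without a separate approval.
ROLE_BASELINE = {
    "anesthesiologist": {"ehr:read:assigned-patients", "ehr:write:anesthesia-notes"},
    "nurse": {"ehr:read:assigned-patients", "emar:administer:standard-formulary"},
}


def covering_approval(grant, approvals, on):
    """Return the first approval covering this grant on the given date, else None."""
    for a in approvals:
        if (a.user == grant.user and a.entitlement == grant.entitlement
                and a.valid_from <= on <= a.valid_to):
            return a
    return None


def review(grants, approvals, review_date):
    """Classify every grant as in-policy, approved-exception, or revoke.

    Returns (findings, audit_log): findings maps (user, entitlement) to a
    status; audit_log is the list of lines an auditor would receive.
    """
    findings = {}
    audit = []
    for g in grants:
        if g.entitlement in ROLE_BASELINE.get(g.role, set()):
            status, detail = "in-policy", f"covered by role {g.role}"
        else:
            a = covering_approval(g, approvals, review_date)
            if a is not None:
                status = "approved-exception"
                detail = f"approved by {a.approved_by}, valid {a.valid_from} to {a.valid_to}"
            else:
                status, detail = "revoke", "outside role baseline and no approval valid today"
        findings[(g.user, g.entitlement)] = status
        audit.append(
            f"{review_date.isoformat()} user={g.user} role={g.role} "
            f"entitlement={g.entitlement} result={status} ({detail})"
        )
    return findings, audit


def revocations(findings):
    """The (user, entitlement) pairs the review says should be removed."""
    return sorted(k for k, status in findings.items() if status == "revoke")


# Constructed data: an anesthesiologist mistakenly given access to every
# patient record, and a nurse approved for one controlled drug on one day.
GRANTS = [
    Grant("dr.lee", "anesthesiologist", "ehr:read:assigned-patients"),
    Grant("dr.lee", "anesthesiologist", "ehr:read:all-patients"),
    Grant("nurse.kim", "nurse", "emar:administer:standard-formulary"),
    Grant("nurse.kim", "nurse", "emar:administer:controlled:propofol"),
]
REVIEW_DAY = date(2020, 6, 15)   # the day the manager approved the exception
NEXT_DAY = date(2020, 6, 16)     # the day after; the approval has lapsed
APPROVALS = [
    Approval("nurse.kim", "emar:administer:controlled:propofol",
             approved_by="mgr.ortiz", valid_from=REVIEW_DAY, valid_to=REVIEW_DAY),
]

if __name__ == "__main__":
    for day in (REVIEW_DAY, NEXT_DAY):
        findings, audit = review(GRANTS, APPROVALS, day)
        print("\n".join(audit))
        print("revoke:", revocations(findings), "\n")
```

On the approval date the review flags only the anesthesiologist’s all-patients entitlement, while the nurse’s propofol entitlement is recorded as an approved exception with the approver’s name. One day later the same review also flags the nurse’s entitlement, because the approval was bound to a single date. Both outcomes, and the reasons behind them, are in the audit lines, which is the trail the preceding paragraph refers to.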
A Partner for Implementing IGA and Zero Trust
IGA and Zero Trust are the foundation of the Identity Solutions approach. We guide healthcare organizations through their Zero Trust journey. We can advise you on the software solution that best fits your needs for improved security policies and streamlined business workflows. With our help, you can assess what employees, vendors, and others are doing on your networks. We can help integrate your EHR/EMR system with other IT systems and ensure they work together securely.
Identity Solutions helps you execute and manage your security framework. This involves establishing workflows and policies that enforce and bring visibility to your network, as well as implementing separation of duties policies. We help bring all this together and put the controls in place to ensure security and HIPAA compliance. Our experts organize your systems so that the right people get the right access without data integrity being compromised.
When it comes to compliance issues in healthcare, the combination of a Zero Trust security strategy, a robust IGA program, and access control technologies is the way to go. We have a free resource to help your organization take your security implementation and compliance to the next level. By downloading the Secure Identity Strategy Implementation Steps e-book, you will learn how to improve the health of your business and the effectiveness of your employees at the same time. Identity Solutions will be there to help you every step of the way along your security journey, and our free resource can be your first step to better compliance.
About the Author
Ellen M. Derrico is a senior executive with over 30 years’ experience in healthcare, life sciences, and technology companies. Her career spans leadership roles in marketing, sales, market development, R&D, clinical, and consulting. She has worked with companies ranging from startups to multi-billion-dollar conglomerates. Former companies and clients include IQVIA, Salesforce.com, Hewlett Packard/Agilent, SAP, TriPath Imaging (Becton Dickinson), G.D. Searle (Pfizer), Emergent Biosolutions, Fast Track Systems (Medidata Solutions), and Dionex (Thermo Fisher Scientific). Ellen is viewed as a thought leader in analytics, ML, AI, cybersecurity, security, and privacy for life sciences and healthcare. She serves as a reviewer, moderator, and mentor for HIMSS. Ellen holds a Bachelor of Science degree in Chemistry (with honors) from Purdue University and an M.B.A. (with honors) from the Temple University Fox School of Business Executive Program. In her free time, Ellen is an avid networker. She founded, led, and chaired the Greater Philadelphia Senior Executive Group (GPSEG) Life Sciences & Healthcare Subgroup from January 2009 until January 2016. The organization grew rapidly to over 350 executive-level members under her leadership.