Four ways covered entities can ensure HIPAA compliance

Every healthcare organization knows about the Health Insurance Portability and Accountability Act (HIPAA). It’s part of daily life for those working in a healthcare setting, and it can be — from a cybersecurity perspective — a difficult set of regulations to navigate. HIPAA violations can result in a minimum fine of $50,000, not to mention the reputation cost as well as time and money spent if that HIPAA violation results in a data breach. With over 2.5 million EMR accesses per day per organization, there’s significant room for error, so ensuring compliance with HIPAA is critical for any healthcare organization.

Four ways to ensure HIPAA compliance

1. Implement access controls

There are a variety of access controls – the precision and control over when and how a user can exercise their access rights. – that help to keep patient data safe and secure. One access control that is simple to implement across an organization is multi-factor authentication. This method employs two or more sign-on methods to access certain assets. It could be a password and a code from a cell phone, a password and a keycard swipe, or another combination. It prevents a breach if somehow a password is compromised. Other access controls include:

  • Employing unique usernames and passwords for every login.
  • Restricting the access to certain scopes, times, functions, and applications.
  • Implementing role-based access controls for all users.
  • Unilateral ability to terminate an access session at any moment.
  • Configurable time periods for automatic session log off.

Strong access controls not only limit who can access what and enforce access policies, but the controls also operate as another line of defense against entry into the most critical of assets. Access controls also prevent miscellaneous human error, which is, unfortunately, a common cause of HIPAA violations.

2. Implement audit controls

For HIPAA compliance, an organization needs to be able to say “who is accessing what and when were they accessing it.” In case of a breach, this is the first piece of information HIPAA will ask for, and it’s strong cybersecurity hygiene to already have real-time logs for critical access points and sensitive assets. Audit controls include high-definition session recording and comprehensive system logging and user activity. Not only do both of these controls keep an organization compliant, but also utilizing them can stop a breach, an insider threat, or human error before it causes any damage.

3. Create transmission security

This seems obvious, but keeping your data encrypted is a crucial first step in keeping it safe. HIPAA requires customer configurable encryption, AES 128, 192, and 256-bit modes, and a FIPS 140-2 encryption module employed by default. Little numbers can make a big difference when a hacker is trying to steal sensitive data.

4. Protect against third-party Risks

In June 2019, both LabCorp and Quest Diagnostics experienced third-party data breaches that exposed 7.7 million and 11.9 million records, respectively. That’s just one of many breaches that occur due to third parties. With hundreds, if not thousands, of vendors remotely accessing a hospital’s network, a third-party breach could quickly turn devastating. However, applying the same rigors to external users that you do to internal users could prevent a costly breach.

Healthcare cybersecurity is worth the investment

Becoming HIPAA compliant and protecting sensitive data can be pricey. A recent report by CyberMDX and Philips revealed these alarming stats about healthcare cybersecurity investments:

  • Only 11% of respondents said healthcare cybersecurity is a high-priority spend.
  • Let’s look at this again – 89% of respondents (which includes health IT and infosec executives, biomedical technicians, and engineers) said healthcare cybersecurity is not a high priority spend.
  • Two-thirds of respondents said they don’t track ROI on healthcare cybersecurity spending.
  • Large hospitals reported shutting down for an average of 6.2 hours at $21,500/hour after a healthcare cyber-attack.
  • Midsize hospitals shut down an average of 10 hours at a rate of $45,700/hour when experiencing a healthcare cyber-attack.
  • 50-75% of respondents are not protected from common cybersecurity vulnerabilities like Bluekeep, WannaCry, and NotPetya.

None of those facts tell a good story for healthcare cybersecurity. Staying compliant helps an organization stay safe, and staying safe prevents breaches and costly fines. It all feeds into each other, and ignoring one creates risk for the other. Remember, $21,500/hour is just the shutdown cost. That’s not the total cost with compliance fines. It’s simple: Can your organization afford a breach? No, you can’t. This article originally appeared in Health IT Security.