Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy ruling provides standards for required and addressable security and privacy standards around patient medical records and other health information for covered entities. There are two questions that should be asked if one is a covered entity:
- What is my organization doing to address each standard identified within HIPAA?
- Is "bare-minimum compliance" enough to secure its network from a data breach or prevent additional fines from the Office of Civil Rights?
Often, we see that bare-minimum compliance within the regulation is not enough to adequately secure an organization’s systems. For instance, an organization ignoring risks identified within the HIPAA Meaningful Use Risk Assessment could result in a data breach and major fines from the Office of Civil Rights.
Is “bare-minimum” compliance enough to properly protect your healthcare organizations systems? Here we will address a few areas of the HIPAA Security and Privacy ruling that covered entities can strategically utilize to elevate their security posture from bare-minimum compliance to reasonably secure and compliant.
1. Periodic technical and non-technical evaluation is required for environmental or operational changes affecting the security of a covered entity. Often, we see a few risks related to weak security posture, and non-compliance or bare-minimum compliance when an organization undergoes major changes such as implementation of a new medical record system. These risks include:
- Security policies and even disaster recovery plan not being updated to reflect new organizational changes within its IT environment.
- An advanced external and internal penetration test not being performed to detect threats specific to an organization’s newly configured IT environment.
- An independent IT audit or review not being performed to reasonably ensure that the organization’s newly configured IT environment complies with organizational security policies and procedures, as well as regulatory requirements.
- An update to the risk assessment occurs, but a full risk assessment is not performed to include additional risks related to a newly configured IT environment.
2. Information system activity review is required. This involves regularly reviewing records of information system activity, such as audit logs, access reports, and security incident tracking reports. Typically, this requirement is either partially addressed or ignored completely due to encumbrances of various logs for various systems. It can be overwhelming for an organization to review all logs. Thus, a covered entity should consider:
- Creating a log management policy detailing what systems are critical or contain sensitive data. This policy should detail what type of logs should be reviewed, such as administrator changes and failed login attempts. This policy should also assess the risks associated with not reviewing other systems and user activity deemed irrelevant.
- Utilize log management software to automate information system activity review process and to eliminate time spent manually reviewing logs.
- Consider using a Security Operations Centers (SOC) to analyze application, network, and firewall logs to save time and resources.
3. Perform a HIPAA Security and Privacy ruling gap analysis. Addressable standards, such as encryption of electronic protected health information, are commonly ignored by organizations. A covered entity should consider:
- Performing a gap analysis to ensure HIPAA Security and Privacy standards are met and implemented within the organization’s policies and procedures.
- Have a written, documented response addressing risks associated with not having addressable standards, as well as documented mitigating security controls that address risks associated with not having the standards implemented.
- Consult with a security expert on security alternatives to address the risks associated with not having addressable standards in place.
There is an abundance of topics to be discussed within the HIPAA Security and Privacy ruling. With any regulation or law, there are many grey areas for an organization and how they choose to address the regulation. Going above bare-minimum compliance could prevent additional fines or reputational losses due to a data breach. Contact your security expert today to determine how you can address HIPAA security and privacy requirements to go beyond bare-minimum compliance to strengthen your overall security posture.