The HIPAA security and privacy rules require many resources for an organization to become compliant. Meeting them can be time-consuming and often creates operational issues and a financial burden for covered entities. Organizations often believe that there is one solution out there that will achieve compliance or, more importantly, secure the organization. This leads organizations to consider two big questions:
Where do I focus my resources to meet the HIPAA security and privacy rule?
Is being HIPAA security and privacy rule compliant good enough to lower the risk of a breach?
Focusing Your Resources to Achieve HIPAA Compliance
To best determine where your organization’s resources should be focused, we suggest conducting a security risk analysis. This should drive the allocation of resources toward IT security. The security risk analysis covers HIPAA security topics such as encryption of ePHI, investigating security incidents, authentication controls, access controls, protection from malicious software, and other security topics. Most importantly, the security risk analysis goes above and beyond the HIPAA security requirements to address current threats such as ransomware, insider threats, and external threats. A formal plan should then be created for how you will address each risk; we often see that the first response is to purchase new software.
As my colleague, Brad Pierce, described in a previous blog, organizations often fall victim to the “automagic” security solution, a single software product promising to protect an entire network. The promises made by these “automagic” security solutions are often counteracted by something within the organization. Here are a few examples:
“If I purchase this SIEM, I’ll be able to identify threats in real time” – only for the SIEM to be deployed without critical system logs being fed to it, or without anyone reviewing the events it raises in the first place.
“If I encrypt all ePHI at rest and in transit, all my sensitive data is protected” – only for the encryption software to be circumvented by an end user storing ePHI in their personal email or on a personal computer.
Various security solutions can be used to prevent some breaches from occurring, but security solutions are only one piece of the puzzle. The bigger and, arguably, most important piece of the security puzzle is investing in people. Investing in security personnel and a third-party security firm equips your organization to execute offense-oriented cybersecurity efforts such as performing an in-depth risk analysis, operating a security operations center, performing an advanced penetration test, and providing in-depth security training for end users. These security efforts, spearheaded by strong security leadership, can all lower the risk of a breach occurring. They may also be cheaper than allocating resources to security solutions that are never fully utilized and may even be circumvented by end users.
Is Being HIPAA Compliant Enough to Secure my Organization?
Simply put, being compliant is not good enough to lower the risk of a breach. The HIPAA security rule does not require an advanced penetration test or even vulnerability scans, as mentioned above. One of the best ways to determine the effectiveness of your organization’s security posture is to have an advanced penetration test performed. Advanced penetration tests are the best way to identify and exploit organization-specific vulnerabilities and show how an external or internal threat could access, modify, or steal ePHI or other sensitive data. Vulnerability scanning tools are often used in place of a penetration test, but these tools never exploit vulnerabilities or pivot between systems (as a real attacker would) to determine what information could actually be accessed, modified, or stolen.
The HIPAA security and privacy rules require investing in resources, both solutions and people. Security solutions alone will never address every security risk and can often drain financial and operational capital. Investing in security personnel and a third-party security firm should be the driving force behind your security efforts, lowering both the risk of a breach and the money spent on unnecessary security solutions.