Data breaches and ransomware attacks have become major threats to the healthcare industry. Phishing also threatens data security and accounts for a large number of exploits. That’s why data privacy laws like HIPAA (Health Insurance Portability and Accountability Act) play a major role in protecting healthcare, insurance, and patient information. HIPAA is a federal law signed by President Bill Clinton in 1996, created to define and control how patient data is collected, stored, and used. Let’s learn more about this privacy law and its nuances, especially third-party app security.
Every US-based business and organization that provides medical treatment or has access to Protected Health Information (PHI) is subject to HIPAA compliance. The need for compliance is growing as information is digitized and businesses, hospitals, and other organizations move their operations online. This trend adds mobility, flexibility, and efficiency, but it also puts sensitive data at risk.
With so much information being exchanged online, attacks are becoming more and more sophisticated and frequent. HIPAA aims to protect essential data from being exposed and hold people responsible for putting data at risk. In this article, we will go over the five most important takeaways of HIPAA, look at recent violations, and understand the importance of digital security for websites.
What Is HIPAA?
With HIPAA, it’s all about the Protected Health Information (PHI), just like the European GDPR helps safeguard Personal Identifiable Information (PII).
HIPAA is essentially a US-based privacy rule that applies to many online businesses and healthcare entities. The law applies to all group or individual health plans, including Medicare, Medicaid, dental plans, and others. Even employer- and government-sponsored health plans have to comply with HIPAA regulations. In addition, healthcare providers that transmit PHI also need to be compliant.
HIPAA protects all kinds of medical and healthcare information. This includes the past and ongoing treatment given to the individual (or group), the patient’s physical and mental health condition, and the types of medication prescribed. Under HIPAA, none of this information can be distributed or used without the individual’s permission, and that permission has to be documented.
5 Key HIPAA Cybersecurity Takeaways
Let’s investigate the 5 key takeaways that the Office of Civil Rights (OCR) in the US has published after auditing several healthcare providers over the years.
1. NPPs (Notice of Privacy Practices)
NPPs explain the rights and obligations that a specific entity has regarding healthcare information. They should be written in clear, understandable language and be complete. NPPs should also be easy to find and access from the entity’s homepage. Companies should make the link to the HIPAA NPP prominent, preferably without hyperlinks that might confuse some users.
It is also vital to make sure that the link works and takes users directly to the NPP page. This is a clear requirement today.
2. Right of Access
Patients should be able to access their medical records, yet in practice this is often nearly impossible or at least highly complicated. OCR finds it essential to enforce this policy across companies and guarantee the right of access to all patients. OCR reports show that the vast majority of entities fail to provide clear and adequate policies regarding data access.
Specific policies and requirements concerning data access can also be found inside the “Improving the Health Records Process for Patients” report.
3. Breach Notification Rule
Although an overwhelming majority of audited entities managed to provide a timely breach notification, OCR found that the content of these letters was not satisfactory.
As per HIPAA requirements, entities should use plain and straightforward language and include a description of the breach: when, why, and what happened. Additionally, breach notifications should address the actions that patients could take to negate the consequences of the violation. The entity should also explicitly communicate what it will do to mitigate the damage and avoid such breaches in the future.
Finally, one of the rules is to include some contact information to allow patients to quickly get in touch if they have questions.
4. Third-Party Security Risk Analysis
The HIPAA regulations require entities to always conduct a risk analysis, either on their own or through a third-party vendor. Audits have found that fewer than 20% of entities had performed a sufficient risk analysis to make sure they could avoid, prevent, or mitigate possible issues. Most audited companies failed to identify potential risks and vulnerabilities when securing their ePHI.
Risk analysis should be continuous and include changes in the security standards and incidents, business processes and operations, and environment. Entities that face issues when performing risk analysis can use OCR’s resources with guidelines and tips. Unfortunately, more often than not, this is the weakest link when it comes to achieving sustainable HIPAA compliance.
5. Risk Management Standards
This takeaway extends the security risk analysis point, because inadequate risk management usually derives from the lack of an adequate risk analysis. You cannot implement risk management steps without first conducting thorough research and collecting the data your standards will rely on. OCR found that entities should base their security plans on the risk analysis data and link them to their risk management plans.
Risk management strategies are essential to detect possible risks and threats and act as per clear guidelines in case of a security breach.
HIPAA Violations Are Costly
The repercussions of HIPAA violations may vary depending on the type, severity, and intention. There are four tiers: from an offense that could not have been avoided or occurred unintentionally, all the way to a severe violation with willful neglect and no appropriate measures taken to mitigate the damage. Let’s take a look at recent cases where fines have been issued due to HIPAA violations.
#1 Aetna Health Insurance
In 2017, Aetna experienced three data breaches that collectively exposed the health data of almost 19,000 people over six months. In 2020, after a thorough OCR investigation, the health insurance company was fined $1,000,000 for the breaches. Aetna was found to have failed to secure and restrict access to ePHI and to lack sufficient safeguards to protect medical records.
#2 CHSPSC LLC
CHSPSC, a community health systems company, was issued a $2,300,000 fine in 2020 for exposing the ePHI of more than six million people and failing to fix the breach for four months in 2014. Even after receiving a notice from the FBI, CHSPSC was blamed for failing to implement reasonable security measures, not conducting a risk analysis, and failing to create a proper risk management plan.
#3 Premera Blue Cross (PBC)
PBC is another health insurance company that violated HIPAA and ended up paying $6,850,000 in 2020, the second-largest fine in the history of OCR’s HIPAA investigations. In 2014, a group of hackers used a phishing email to install malware and gain access to PBC’s database. The breach was detected only nine months later, by which time the personal medical files of 10.5 million people had been exposed.
Website Digital Security: A HIPAA Essential
Now that we know more about HIPAA compliance and the consequences of not safeguarding PHI, it’s pretty clear that digital website security can no longer be neglected. Over 95% of online healthcare and insurance businesses today use dozens of third-party applications and tags on their websites. This external code is helping bolster marketing, analytics, business, and development performance.
But while these digital applications help organizations grow, scale up faster, and shorten time to market (TTM), they also introduce a plethora of risks and vulnerabilities that enlarge the attack surface of these websites. Traditional AppSec options like CSPs, WAFs, and pen testing are helpful but cannot cope with the blind spots and dependencies that these apps create.
The only solution to this growing problem is taking control of these external digital apps. How can this be achieved? Using a solution that can map and monitor this external code via one centralized dashboard while providing security teams with the ability to detect (and eliminate) risks as they arise. Having a holistic view of your digital assets is the only way to eliminate all underlying risks and dependencies.
Web skimming attacks, domain exploits, and supply chain threats have to be taken seriously if you want to get closer to achieving HIPAA compliance today.
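As an added illustration of the "map and monitor external code" idea (this is example code, not the article's or any vendor's product), the Python below inventories every `<script src>` and `<iframe src>` in a constructed sample page, flags third-party hosts that are not on a hypothetical approved-vendor list, and notes approved external scripts that lack Subresource Integrity. The site domain, vendor list, and page content are all constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "clinic.example"   # hypothetical site domain (placeholder)
# Hypothetical allowlist of vendors the security team has reviewed.
APPROVED_VENDORS = {"analytics.example-vendor.com"}

# Constructed sample page: one first-party script, one approved vendor with
# and without SRI, one unknown script, one inline script, one unknown iframe.
SAMPLE_PAGE = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://analytics.example-vendor.com/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.example-vendor.com/tag.js"></script>
<script src="https://cdn.unknown-widget.example/chat.js"></script>
<script>console.log('inline');</script>
</head><body>
<iframe src="https://forms.unknown-widget.example/embed"></iframe>
</body></html>
"""

class ExternalCodeInventory(HTMLParser):
    """Collects (tag, host, has_integrity) for every script/iframe with a src."""
    def __init__(self):
        super().__init__()
        self.items = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return                     # inline script: no external code loaded
        # Relative URLs have no hostname and are treated as first-party.
        host = urlparse(src).hostname or FIRST_PARTY
        self.items.append((tag, host, "integrity" in a))

def audit(html):
    """Return findings: unapproved third-party hosts and approved scripts without SRI."""
    parser = ExternalCodeInventory()
    parser.feed(html)
    findings = []
    for tag, host, has_integrity in parser.items:
        if host == FIRST_PARTY or host.endswith("." + FIRST_PARTY):
            continue                   # first-party code is out of scope here
        if host not in APPROVED_VENDORS:
            findings.append(f"UNAPPROVED {tag} from {host}")
        elif tag == "script" and not has_integrity:
            findings.append(f"NO-SRI script from {host}")
    return findings
```

Running `audit` on a fetched page at each deploy, and diffing the inventory over time, is the kind of continuous check that surfaces a newly injected or swapped third-party tag.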