Did you know that only 77% of healthcare organizations require both privacy and security training? While most healthcare entities follow the Privacy Rule fairly well, many aren’t compliant in the HIPAA Security Rule.
See also: Snapshot of HIPAA and Healthcare Data Security
What’s the difference between the Privacy Rule and the Security Rule? Many organizations don’t realize these are separate rules that each require attention. Here’s the difference: the Privacy Rule governs how PHI in any form (paper, spoken, or electronic) may be used and disclosed, while the Security Rule requires administrative, physical, and technical safeguards specifically for electronic PHI.
But how do you fulfill the technical requirements from the HIPAA Security Rule? Here are some security issues you must address in your organization.
Attackers commonly target organizations that use remote access applications. A vulnerable remote access application allows an attacker to completely bypass firewalls and gain direct access to office and patient data.
To protect your remote access, you should use these methods:
It’s not enough to have only a password. Configuring two-factor authentication means you require two of the following three factors: something you know (a password or passphrase), something you have (a hardware token or a code sent to your phone), and something you are (a fingerprint or other biometric).
Many companies often use usernames like “admin” and passwords like “password.” These make it very easy for a hacker to take control of your remote access.
See also: How to Do Passwords Right: Password Management Best Practices
Instead, use a passphrase: pick a phrase like “I never wear shorts on Wednesdays” and add in some numbers and special characters. Your passphrase might look something like “inwsoW1889!”
See also: Healthcare's Password Security is Embarrassing
Enable user lockouts to prevent a brute force password attack. After a specific number of failed login attempts, the user is locked out.
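The lockout behaviour described above, written out as an added example (this is not code from the original article or from SecurityMetrics): failed attempts are counted within a time window, the account is locked once the threshold is reached, and a correct password is still rejected while the lock is in force. The threshold, window, and lockout duration are assumed values; HIPAA does not prescribe specific numbers.

```python
import time
from dataclasses import dataclass, field


@dataclass
class AccountState:
    # Timestamps of recent failed logins for this account.
    failed_attempts: list = field(default_factory=list)
    # Epoch time until which the account is locked (0.0 means not locked).
    locked_until: float = 0.0


class LockoutPolicy:
    """Tracks failed logins per username and locks the account after too many.

    max_attempts, window_seconds and lockout_seconds are assumed policy
    values chosen for this example, not values taken from HIPAA.
    """

    def __init__(self, max_attempts=5, window_seconds=15 * 60, lockout_seconds=30 * 60):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._accounts = {}

    def _state(self, username):
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        return self._state(username).locked_until > now

    def record_attempt(self, username, password_correct, now=None):
        """Record one login attempt and return 'ok', 'failed' or 'locked'.

        The caller has already checked the password; this method only
        decides whether the account may proceed. While locked, even a
        correct password returns 'locked', so an attacker cannot use the
        lock window to confirm a guess.
        """
        now = time.time() if now is None else now
        state = self._state(username)

        if state.locked_until > now:
            return "locked"

        if password_correct:
            state.failed_attempts.clear()
            return "ok"

        # Forget failures that fall outside the counting window, then add this one.
        state.failed_attempts = [t for t in state.failed_attempts
                                 if now - t < self.window_seconds]
        state.failed_attempts.append(now)

        if len(state.failed_attempts) >= self.max_attempts:
            state.locked_until = now + self.lockout_seconds
            state.failed_attempts.clear()
            return "locked"
        return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy(max_attempts=3, window_seconds=60, lockout_seconds=600)
    for t in (0, 10, 20, 30):
        print(t, policy.record_attempt("nurse1", False, now=t))
```

Two points to keep in mind when deploying a lockout like this: log each lockout event so repeated lockouts against one account are visible to whoever reviews authentication logs, and pair the lockout with two-factor authentication, since a lockout alone slows guessing but does not remove the value of a weak password.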
Limit the number of people who have remote access to PHI. Guest accounts should be disabled, since they can allow anonymous access to your machine.
See also: The Healthcare Threat is Imminent: Secure Remote Access Now!
See also: SecurityMetrics HIPAA Guide
Today, most healthcare entities have wireless networks (i.e., Wi-Fi). Wi-Fi access has also become a waiting room norm. But many offices don’t have their Wi-Fi set up correctly with encryption, turning that free patient asset into a liability.
See also: Wireless Access Point Protection: Finding Rogue Wi-Fi Networks
Set up your Wi-Fi with WPA2. Do NOT use outdated WEP encryption, since it’s easy to compromise.
Guest wireless networks should always be segmented from your non-guest wireless network by a firewall. For example, if your Wi-Fi network name was drdaniels, you could set up another Wi-Fi network just for patients named drdanielsguest. Nurses, office managers, and physicians should only use drdaniels, and patients should only be allowed to use drdanielsguest.
Rogue wireless access points can let attackers get access to secure networks. Scan for these points regularly, especially to find any that are attached to your non-guest network.
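An added example (not code from the original article) of the check the scan above is meant to support: every access point seen in a wireless survey is compared against an inventory of the radios the office actually owns. An unknown network is reported, a known network name (such as the drdaniels example above) broadcast by a radio not in the inventory is reported separately because it is the more dangerous case, and an authorized radio running without WPA2 is flagged as a misconfiguration. The scan results, network names and MAC addresses below are constructed for the example; the format of a real scanner's output will differ.

```python
# Radios the office owns, keyed by network name (constructed inventory).
AUTHORIZED_ACCESS_POINTS = {
    "drdaniels": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03"},
    "drdanielsguest": {"aa:bb:cc:00:00:02"},
}

# Encryption modes considered acceptable for an authorized radio.
ACCEPTABLE_SECURITY = {"WPA2", "WPA3"}

# Constructed survey results; a real wireless scanner produces its own format.
SAMPLE_SURVEY = [
    {"ssid": "drdaniels", "bssid": "AA:BB:CC:00:00:01", "channel": 6, "security": "WPA2"},
    {"ssid": "drdanielsguest", "bssid": "aa:bb:cc:00:00:02", "channel": 11, "security": "WPA2"},
    {"ssid": "drdaniels", "bssid": "aa:bb:cc:00:00:03", "channel": 1, "security": "WEP"},
    {"ssid": "drdaniels", "bssid": "de:ad:be:ef:00:01", "channel": 6, "security": "WPA2"},
    {"ssid": "CoffeeShopFree", "bssid": "de:ad:be:ef:00:02", "channel": 3, "security": "OPEN"},
]


def classify_access_points(survey, authorized, acceptable=ACCEPTABLE_SECURITY):
    """Return a list of (category, ssid, bssid) for every access point seen.

    Categories:
      authorized         known name, known radio, acceptable encryption
      weak-encryption    known name, known radio, but WEP or open
      impersonating      known name broadcast by a radio not in the inventory
      unknown            network name not in the inventory at all
    """
    findings = []
    for ap in survey:
        ssid = ap["ssid"]
        bssid = ap["bssid"].lower()  # normalise case so inventory matching is reliable
        if ssid in authorized and bssid in authorized[ssid]:
            category = "authorized" if ap["security"] in acceptable else "weak-encryption"
        elif ssid in authorized:
            category = "impersonating"
        else:
            category = "unknown"
        findings.append((category, ssid, bssid))
    return findings


def needs_attention(findings):
    """Only the findings a person must act on, authorized radios filtered out."""
    return [f for f in findings if f[0] != "authorized"]


if __name__ == "__main__":
    for category, ssid, bssid in needs_attention(classify_access_points(SAMPLE_SURVEY, AUTHORIZED_ACCESS_POINTS)):
        print(f"{category:16} {ssid:20} {bssid}")
```

An "unknown" result is often just a neighbouring business and can be tuned out once confirmed; an "impersonating" result should be treated as an incident until the radio is physically located, since it is either an unrecorded device on your own network or an attacker's.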
See also: Could Your Waiting Room Wi-Fi Be Sabotaged?
Only 63% of healthcare organizations encrypt PHI on work devices. The HIPAA Security Rule requires healthcare entities to have a method to encrypt and decrypt electronic PHI. This includes all PHI on all devices (desktops, laptops, mobile devices, flash drives, etc.).
There are three common data handling practices organizations tend to confuse:
Many organizations confuse encrypting with masking, but only encrypting truly keeps your data safe from hackers.
Most mobile devices, like phones and tablets, aren’t equipped with the most secure encryption. If your mobile device is handling sensitive data, have procedures set in place to keep your data secure.
See also: Balancing Mobile Convenience and PHI Security
Securely transmitting patient data over email is a challenge for healthcare. Even with encryption, email still isn’t very secure.
Use patient portals for sending information to patients, and secure file transfer options for covered entity to covered entity or covered entity to business associate communications. If that’s not possible, make sure the data you’re sending over email is encrypted.
See also: How to Send a HIPAA Compliant Email
Although HIPAA doesn’t specify an encryption standard, it’s best to use AES-128, Triple DES, AES-256, or better.
A very high percentage of breaches could have been prevented by finding and addressing vulnerabilities through a vulnerability scan.
Vulnerability scans assess computers, systems, and networks for security vulnerabilities. They can be started manually or on an automated basis, and will complete in as little as several minutes to as long as several hours.
However, vulnerability scans don’t go beyond reporting vulnerabilities. It’s up to the organization’s risk or IT staff to patch weaknesses, confirm false positives (findings that look like a vulnerability but aren’t one), and then rerun the scan until it passes.
See also: 10 Qualities To Look For When Selecting an Approved Scanning Vendor
You should run vulnerability scans monthly or at least quarterly. Any less often than that, and you risk leaving your business vulnerable to attackers.
Once the scan is done, a findings report is created. Use these reports to address the vulnerabilities found. Remember, a vulnerability scan is useless if you don’t use the information generated to fix potential security problems.
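The rerun-until-it-passes workflow above, as an added example (not code from the original article or from any scanning vendor): two findings reports are compared by host and check, so staff can see which weaknesses were fixed, which are new, which persist, and which have been reviewed and recorded as false positives, and then decide whether the current scan passes. The findings, host names and check identifiers are constructed for the example; real scanners use their own identifiers and report formats.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str       # constructed host name
    check_id: str   # hypothetical scanner check identifier
    severity: str   # low, medium, high or critical
    title: str


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed report from last month's scan.
PREVIOUS_SCAN = [
    Finding("ehr-app-01", "CHK-1001", "high", "Outdated TLS version accepted"),
    Finding("ehr-app-01", "CHK-1002", "medium", "Self-signed certificate"),
    Finding("front-desk-02", "CHK-2001", "critical", "Unsupported operating system"),
]

# Constructed report from the rerun after patching.
CURRENT_SCAN = [
    Finding("ehr-app-01", "CHK-1002", "medium", "Self-signed certificate"),
    Finding("front-desk-02", "CHK-2001", "critical", "Unsupported operating system"),
    Finding("billing-03", "CHK-3001", "low", "Directory listing enabled"),
]

# Findings staff have reviewed and documented as false positives.
FALSE_POSITIVES = {("ehr-app-01", "CHK-1002")}


def finding_key(finding):
    """A finding is the same finding across scans if host and check match."""
    return (finding.host, finding.check_id)


def compare_scans(previous, current, false_positives):
    """Sort findings into fixed, new, persisting and suppressed buckets."""
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    return {
        "fixed": [prev[k] for k in prev if k not in cur],
        "new": [cur[k] for k in cur if k not in prev and k not in false_positives],
        "persisting": [cur[k] for k in cur if k in prev and k not in false_positives],
        "suppressed": [cur[k] for k in cur if k in false_positives],
    }


def scan_passes(current, false_positives, fail_at="medium"):
    """True when no unsuppressed finding is at or above the fail_at severity.

    The fail_at threshold is an assumed organizational choice.
    """
    threshold = SEVERITY_RANK[fail_at]
    return all(
        finding_key(f) in false_positives or SEVERITY_RANK[f.severity] < threshold
        for f in current
    )


if __name__ == "__main__":
    for bucket, items in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, FALSE_POSITIVES).items():
        for f in items:
            print(f"{bucket:10} {f.severity:8} {f.host:14} {f.check_id} {f.title}")
    print("passes:", scan_passes(CURRENT_SCAN, FALSE_POSITIVES))
```

Keep the false-positive list under change control with a written justification for each entry; an unreviewed suppression is the easiest way to make a failing scan look like a passing one.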
When it comes to the Security Rule, no shortcuts should be taken. Make sure you address all the requirements in this rule; otherwise you won’t be HIPAA compliant, you may fail a potential audit, and worst of all, you’re putting your patients’ data at risk.
The HIPAA Privacy Rule protects your patients’ privacy, but the Security Rule protects your patients.
It’s not just about protecting your organization from fines and lawsuits. It’s about protecting your patients from data thieves and attackers.
Your patients trust you; live up to that trust and stay secure with the Security Rule!