They say you never know until it hits you.
Whoever “they” are, they’ve got a point – especially if the “it” is a hacker’s punishing left hook, aimed at disabling your website and stealing your sensitive data.
If you feel the punch – in the form of malicious software (malware) in your system – expect to be on the ropes: patient portals may be shut down, and your protected health information (PHI) stolen or held for ransom.
When it’s all over and the bell finally rings, you’ll be needing something stronger than smelling salts to come around.
Just ask Scripps Health…
… who suffered a staggering ransomware attack in May of 2021 leading to $113 million in lost revenues and over $21 million in mitigation costs.
Access to patient portals was suspended; patient appointments were delayed or canceled.
In addition to delayed patient treatments and the loss of millions, at least six class-action lawsuits were filed against Scripps for failing to adequately protect patient data. (More lawsuits were expected, but a judge delayed them for settlement purposes).
This kind of punch hits near the heart – and we haven’t even mentioned the regulatory fines for HIPAA violations: a maximum of $25,000 per violation category depending on your degree of negligence, such as failures to do risk assessments and encrypt devices.
Interestingly, this past year saw a rise in the number of third-party breach cases, including those curious Meta “tracking” pixels on healthcare websites. Advocate Aurora Health and Novant Health notified over 3 million and 1 million patients respectively of data breaches due to these pixel codes.
Although Meta denied a desire to collect health information from affected websites (they offered removal instructions here), it’s possible that the pixels were added by developers ignorant of HIPAA requirements.
The real issue in all this, however, is the patient’s welfare.
If a patient’s private, protected health information is made public, it can damage them personally. Delayed treatments due to disabled websites or stolen data can also threaten health – even lives.
How to Make a HIPAA-Compliant Website
You see then why failing to protect PHI is no small matter, and why at HIPAA Vault, we’ll go to the mat for you.
If you’re planning a healthcare website in 2023 that will interact with patient information, understand that your site will be targeted.
Opting for an “It won’t happen to us” excuse is to maintain a dangerous status quo – until you feel the knock-out punch yourself.
The truth is, hackers have a lucrative business selling medical records, and they get better at stealing them all the time. So why make it easy for them?
Here are 3 things you can do now to achieve HIPAA website compliance, protect your patient’s data and welfare, and maintain your business:
1. Server and Site Hardening is a Must
If PHI travels through your website and ultimately to a server, both site and server must be HIPAA compliant.
Server and website hardening involves the process of applying multiple layers of security to each, specially designed to repel and neutralize vulnerabilities.
Typically, this process includes:
- removing unnecessary programs –
In addition to freeing up hard-drive space and increasing speed, removing unnecessary programs helps eliminate the potential for vulnerabilities from unpatched software that you’re not even using.
- closing unneeded ports –
Ports are network communication points, some of which must be open for particular applications or services. Applications that “listen” at those ports may be exploited if they are weak – i.e., unpatched with the latest security updates.
Since not all ports are intended for public exposure, care must be taken to configure all ports correctly in order to prevent unwanted traffic.
- implementing an SSL certificate for your website –
SSL, or Secure Sockets Layer (also known as Transport Layer Security, or TLS), is a security protocol that creates an encrypted link or channel for data flowing between your web browser and web server.
SSL certificates also verify ownership of your site, so that hackers can’t create a fake version and fool your customers into revealing their personal data.
- ensuring all web forms on your site are encrypted –
SSL helps secure your site pages – especially those that have web forms. The address to all your site pages (not just select ones) should start with “https://” instead of just “http://”. (The “s” stands for “secure.”)
- establishing unique permissions and strong password policies –
Assigning unique permissions to specific users limits access, which helps keep files and folders (ultimately, your data) more secure.
Enforcing strong passwords is also critical since compromised passwords and stolen credentials are still a major cause of hacks. (The Colonial Pipeline was hacked for this simple reason).
- using a HIPAA-compliant email solution –
Secure patient portals are a preferred means for sending patient communications; however, a compliant email solution like HIPAA Email is essential for keeping phishing attacks from penetrating your system.
- implementing two-factor authentication (2FA) –
The use of 2FA vastly reduces the risks that come with a compromised password, since hackers would still need the “second factor” or code that’s sent only to you.
2. Use a HIPAA host!
Hardening a healthcare server with the above steps is complex; it behooves you to find a proven HIPAA web hosting specialist with cutting-edge cybersecurity expertise that you can outsource this to.
This is critical because hackers are using cutting-edge techniques themselves!
And although a non-HIPAA web host may be cheaper, the risks associated with non-compliance can far outweigh the added cost.
So how does HIPAA-compliant hosting differ from traditional web hosting?
There are some clear indicators. Non-HIPAA hosts will likely NOT provide you with one of the following (and ask them specifically to verify):
- A signed Business Associate Agreement (BAA)
- Monthly vulnerability scans of your servers and mitigation of the vulnerabilities discovered
- Encryption of your data, both in transit and in storage
- Server hardening
- Managed antivirus, managed firewall
- Regular, off-site backups
- Log retention of 6 years
Let’s review these items one by one, so you can understand them better before discussing them with your prospective HIPAA-compliant host:
All HIPAA data handlers (covered entities) who host, receive, transmit or exchange ePHI are required to sign a Business Associates Agreement – a HIPAA-mandated, legal contract that confirms a patient’s data will be kept confidential, both in transit and in storage on all servers.
A signed BAA ensures that your hosting provider understands and accepts the liability of hosting your PHI data. They are as liable as you are in protecting the data from unauthorized access.
Monthly Vulnerability Scans, and Mitigation
As part of applying the HIPAA Safeguards, the HIPAA-compliant host should scan your HIPAA servers at least once a month and provide a report to you whenever you ask for it.
The purpose of the scan is to discover any vulnerabilities in the hosting environment. In addition to providing the report, they should be involved in helping remediate those vulnerabilities that are related to the infrastructure.
You can’t expect the HIPAA host to fix your application issues though (unless you hired them to write your app as well).
Encryption of Data, in-transit and in storage
Sensitive medical data needs strong, end-to-end privacy protections, as required by HIPAA. Numerous breaches have occurred because devices containing unencrypted ePHI – including mobile phones and laptops – have either been lost or stolen.
Encryption protects your data by replacing it with ciphertext, making it unreadable until decrypted. This way, even if a device does fall into the wrong hands, the data will be unreadable.
HIPAA-compliant hosting will ensure the encryption of data “in transit” – meaning, from the patient to the web server, and outside the hoster’s physical boundaries to the wide area network (WAN) between data centers – and also “at rest” on their servers.
The National Institute of Standards and Technology (NIST) recommends the Advanced Encryption Standard (AES) 128, 192, or 256-bit encryption, OpenPGP, and S/MIME.
We’ve seen what this includes (above) – and it needs to be an ongoing process. Relying on a HIPAA specialist to manage all this for you can free you up from these concerns, as well as significant equipment expenditures and maintenance costs. You get to concentrate on caring for patients!
Managed Firewalls, Managed Antivirus
HIPAA environments need specially configured firewalls. A web application firewall (WAF) should be updated regularly to provide proactive detection and blocking of suspicious IP addresses and harmful applications, including:
Managed antivirus should also be configured to regularly scan your system, and neutralize any potential infections that could lead to downtime.
Regular, Offsite Backups
Ask the web host if they provide automatic, offsite backups, and how far the backups are physically from the data center where your servers are hosted.
The backups should be in a secure data center, in a geographically separate location. (A next-door building is too close – it should be at least 50 miles away or further).
Basically, you don’t want a natural disaster such as an earthquake to take out both your servers and the backups in one shot. In this way, you preserve critical data integrity and availability.
HIPAA rules require you to keep track of who accesses protected health information (PHI), why they are accessing it, and what they are actually accessing. This includes both failed and successful login attempts to any areas where PHI data is kept.
Logouts must also be kept, as this indicates when someone would no longer be accessing the information. According to HIPAA regulations, these logs must be kept for a minimum of six years. The most common types of documents to be retained include:
- Risk Assessments and Risk Analyses
- Authorizations for the Disclosure of PHI
- Disaster Recovery and Contingency Plans
- Business Associate Agreements
- Information Security and Privacy Policies
- Employee Sanction Policies
- Incident and Breach Notification Documentation
- Complaint and Resolution Documentation
- Physical Security Maintenance Records
- Logs Recording Access to and Updating of PHI
- Notice of Privacy Practices (not applicable to health plans and clearinghouses)
- IT Security System Reviews (including new procedures or technologies implemented)
HIPAA-compliant hosting providers should offer a streamlined approach to gathering logs and searching through them. It is also vital that you are able to review and have access to these logs at any time.
Verify that your host is following all these HIPAA guidelines; don’t wait to get a wake-up call that your site has been attacked, for by then it may be too late.
3. Follow the HIPAA Security Rule
Your patients deserve comprehensive security, to protect their welfare. Beyond a compliant host, the HIPAA Security Rule extends that requirement to your own organization as well.
Without naming precise technologies (since they change rapidly), the Security rule contains regulations and safeguards for the protection of PHI – for both covered entities and their business associates.
Practically speaking, the HIPAA Security Rule is where the bulk of time and money will be spent. It requires three categories of safeguards to protect PHI data: Administrative, Physical, and Technical.
Each category calls for specific requirements:
Administrative Safeguards are the set of policies and procedures that outline the acceptable conduct and behavior of employees interacting with PHI, as well as the security measures to prevent intentional or unintentional breaches of HIPAA regulations.
This section calls for nine administrative safeguards:
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Business Associate Contracts and Other Arrangements
Physical Safeguards are a set of regulations focusing on physical access to the hardware that contains PHI. The Physical Security section mandates facility access controls, workstation use, workstation security, and device and media controls.
Technical Safeguards refer to the technology that protects PHI and regulates access. Though certain technology is more suited to HIPAA data than others, the Security Rule does not dictate specific software solutions.
A solution must have verifiable access controls, audit controls, integrity, authentication, and transmission security.
The HIPAA Breach Notification Rule:
Your patients need transparency, in the event that their PHI is exploited in any way.
The Breach Notification rule states that “a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.”
The Office of Civil Rights (OCR) must also be notified when PHI is breached, whether a “minor breach” that affected fewer than 500 people or a “meaningful breach” of more than 500, which are made public on OCR’s Breach Notification Portal.
A Proven Website Host for Healthcare
Hopefully, the above has prepared you with a basic checklist to review with a web hosting provider that you’re considering for your project.
Remember, selecting a web host that actually follows the HIPAA guidelines is not the same thing as finding an inexpensive host that does a good job at hosting websites but isn’t equipped to protect patient information.
Adding a HIPAA-compliant website host like HIPAA Vault to your compliance program can help shield you from the knockout blows that hackers continually throw.
The other guys may just leave you in a world of hurt.
HIPAA Vault is a leading provider of HIPAA-compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault’s secure infrastructure and 24/7 managed security to actively monitor and protect their infrastructure, mitigate risk, and ensure that systems stay online at all times.