Per the Health Insurance of Portability and Accountability Act of 1996 (otherwise known as HIPAA) Security Rule, a number of “technical safeguards” combined with the physical security of the computer systems that store and interact with protected health information (PHI) make up the bulk of what is required in order to fall within the realm of HIPAA Compliance. Simply put, when dealing with digital information, the process of securing this information and keeping it private is much more complicated than simply locking a cabinet or a safe. HIPAA mandates several distinct technical safeguards that build a basis of security around PHI data, but this is only a baseline. As with compliance, security is an ongoing task that requires constant vigilance and adaptation.
HIPAA technical safeguards include:
- Access control
- Audit controls
- Integrity controls
- Transmission security
First is access controls which refers to data that must be password-protected and limited to authorized users only; step one in any form of IT security. Next is audit controls which refer to hardware, software, and procedural methods to keep track of who accesses what data when, and be able to track the course of a user’s tasks. Integrity controls refer to policies of keeping the data private and unaltered; requires keeping encrypted backups and creating a system to verify data integrity. Transmission security refers to all data transfer that must be encrypted; if not encrypted data would be in plain-text.
As described above, these are the baselines of HIPAA Compliance. This process of securing sensitive medical information can become a daunting task with many different facets, completely dependent on the scenario in which is it being applied. For example, making a web server more secure is a completely different process than making an SQL database secure. The principles, however, are the same. Best practices for HIPAA Compliance requires implementing procedures that encourage secure IT habits, rather than only abiding by them on special occasions. As users become more familiar with these practices [such as rotating passwords every X amount of days and the idea of multi-factor authentication], then the process of remaining compliant will eventually be second-nature. Furthermore, HIPAA Compliance should be in conjunction with system hardening, not as a replacement. HIPAA does not mandate system configurations, only the process by which to protect the data.
By following “best practices” it can reassure that PHI data will not be compromised by a shortcoming in IT security. HIPAA Compliance and IT security are both very prominent topics with many nuances, but when it comes down to it, focusing on one will improve the other. There is never a better time to implement better security procedures than the present.