HIPAA Basics II: True HIPAA Compliance Requires a Security Culture
By Gil Vidals, , HIPAA Blog, Resources, Security

 No doubt you’ve heard the latest cyber horror stories: 

  • significant data breaches of US healthcare practices continue in 2021, including Nebraska Medicine,  Cancer Treatment Centers of America, and Scripps Health.
  • HIPAA Journal reports 63 data breaches of 500 or more records occurred in May 2021. In total, 6,535,130 healthcare records were breached.
  • the average cost of a data breach in the US is now about $8 million.
  • ransomware attacks against sensitive data continue at a rate of every 11 seconds.
  • many healthcare practices – so damaged by having their systems taken offline and data stolen – have been unable to treat patients, causing many to suffer, and some smaller practices to even shut down

You may be wondering: is there a silver bullet to put an end to all this?

Waiting for government diplomats and politicians to crack down on cybercriminals isn’t the answer. (A federal strategy for prosecuting bad actors is important, but it will never sufficiently address an organization’s weaknesses, within or without). 

The good news is, your healthcare company can take steps to up your security game now.  

Start Addressing Risks

When a maintenance light pops on in your car, you’re reminded to take action – lest you find yourself stranded on the road or involved in a serious accident. Shining a light on risks is an essential first step. 

Make no mistake, addressing cyber risks has become an indispensable matter of patient safety according to the AMA. Failure to do so so can have tragic consequences.

So begin by asking this question, directly relevant to HIPAA compliance Privacy and Security Rules (the complete text of which can be found at hhs.gov): 

How committed is my organization to a regular process of finding and addressing risks to sensitive data?

The following are some key areas to examine. Have you:

  • established user access permissions for sensitive data?
  • limited network access to approved software?
  • established password management and workstations protections? 
  • ensured sensitive Emails (with PHI) encrypted? 
  • enabled two-factor authentication for all your solutions? 
  • are all your mobile devices protected? 
  • are you ensuring regular backups?

That’s just a start – what are the additional risks your organization needs to address? 

Maintaining HIPAA compliance happens when we establish a consistent and dynamic security culture -including a regular gap-remediation process – as a normal way of operating.

Download Now!

Let’s go even deeper and ask, has your organization prioritized cybersecurity from a high-level, business-goal standpoint? Here’s what that might look like:

5 Marks of a Security Culture to Prioritize in your Organization

  • Establish Cybersecurity as a top-down, strategic part of the company’s vision. Security must be linked to business goals and relevant to board-level decisions.
  • Determine a “data blueprint” of how data is used. Ensure your team understands the context in which the data is created and used, and how it is subject to regulation.
  • Institute a regular (monthly) gap remediation for risk assessment-continuous improvement (see below). All risk areas, including staff, practices, and technology, are evaluated and assessed for continuous improvement.
  • Security skills and governance tools are becoming integrated into daily activities. Ensure you’re enabling the latest protocols and encryption ciphers for data protection, using two-factor and password-less authentication, secure workstation practices, etc.
  • Ongoing staff training is being conducted. Since malicious attacks continue to evolve, ensure that security training, including phishing awareness, is being conducted regularly.

You see then that HIPAA compliance (maintaining the privacy, integrity, and availability of your data) isn’t about getting a certification (there is no official, federally recognized certification for HIPAA) – though compliance programs can help.

Nor is it about finding a HIPAA hosting company that will magically “make” you HIPAA compliant – it simply doesn’t work that way. Rather, how you integrate and follow the above security practices will be key for your compliance. 

Hosting Matters

That said, on the hosting and infrastructure side of things, a truly compliant host is essential for protecting your data. (You can take a deeper dive on what this means by checking out: Ten Essentials To Look For In A HIPAA Compliant Hosting Company ).

This is important, as some hosts will claim they’re offering HIPAA compliance while they are actually deficient. How can you tell? Usually, they’ll be lacking one or more of the following items:

  • HIPAA BAA – The BAA – which we covered in our last post on HIPAA Basics – is an agreement between a “HIPAA Covered Entity” (hospital, doctor, or insurance provider) and the Business Associate (in this case, the host). Obviously, if this agreement does not fulfill certain requirements, the host is not compliant.
  • SIEM (Security Information and Event Manager)  – Keeping track of system and other logs is a requirement of HIPAA. This is the job of the Log Manager. HIPAA requires that the Log Manager (at minimum) allows the logs to be searched, and it should handle correlation. In this context, correlation refers to the ability to find data across multiple hosts or servers.
  • HIDS (Host Intrusion Detection) – The host should have a system in place to check for common intrusion signs automatically. An example is OSSEC, a free and open-source HIDS (Host-Based Intrusion Detection System). OSSEC and others will check things like the Windows Registry (on Windows servers), log files for abnormalities, signs of a rootkit, and can be configured to respond automatically.
  • WAF (Web Application Firewall) – The host should also have a WAF to monitor the integrity of web applications such as login and contact forms. ModSecurity is an example of a WAF. This type of program will check for peculiarities in the input/output of web applications and can be configured to block or remove suspicious code.
  • Offsite backups – The data should be on media that is rotated periodically to a second location or synced daily to another data center. Most professionals prefer daily syncing of data since the backups are continuous. If the media is rotated, the backups are necessarily older.
  • Two Factor Authentication – The host must utilize 2-factor authentication. This means combining something you know (your password) with something you have (your phone). Wikid is a 2-factor authentication solution implemented by many HIPAA-compliant hosts.
  • VAS  (Vulnerability Assessment Scan) – HIPAA requires that hosts undergo this type of assessment by a third party (a known firm is ControlScan) to check for common vulnerabilities.
  • Password Management – A HIPAA-compliant host must also have a strong password management system in place. Frequently rotated, complex passwords are specified in HIPAA and must be retained in a secure way (a plain text file or spreadsheet is absolutely unacceptable).

HIPAA Vault offers all these and more – they’re part of our fully managed services and come standard with all our solutions. 

In summary, remember that true HIPAA compliance doesn’t just happen; it’s the result of careful attention to the risks in your organization, a strong security culture, and a proven HIPAA host. 

If you have any questions on HIPAA or on the services we can provide, please contact us! 760-290-3460. 

HIPAA Vault is a low-cost leader of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.