Why HIPAA Compliance is Becoming More Challenging…
By Stephen Trout, , HIPAA Blog, HIPAA Hosting, Resources, Security

and What You Can Do About It

Never let a good crisis go to waste.” 

Whoever said it first (possibly Churchill, though it’s debated) understood a deeper truth about life’s challenges, often missed in easier times: storms and suffering tend to shake us out of our complacency, refining us for better things.

Case in point: Far from being a “tempest in a teapot” as some predicted early on, the pandemic storm left tsunamis of devastation. Over 6 million deaths and nearly 600 million global cases rocked families, communities, and whole countries.

We mustn’t minimize or spurn these losses because the triage has been less-than-perfect (when is triage ever perfect?)

Still, the darkness has not overcome the light: scores of healthcare workers, first responders, churches, and individuals have shown great courage “helping others into the lifeboats” while putting themselves at great risk.

The challenges go on (add Monkeypox and other storms) with burn-out affecting many.

Yet the enormous needs and logistical challenges of the pandemic also spurred innovation and change: 

  • record vaccine developments (only 11 months — the previous record was a vaccine for mumps, which took five years)
  • widespread use of telehealth to ease the load of in-person doctor visits
  • greater flexibility of companies with remote work
  • Increased student proficiency with electronic platforms for virtual learning

… to name just some of the more significant social outcomes.

Not that any of this came easy: extended isolation spurred loneliness and depression, and many mourned at a distance without funerals, or the ability to hold celebratory events like weddings and graduations.

Yet many will also testify that their bonds of family have been strengthened, faith galvanized, and a renewed commitment undertaken to see life as precious and make the most of one’s days. 

Challenges to Healthcare Data Security

Healthcare has been in the eye of this storm, and remains there to a degree. Telehealth as a regular patient option is likely to be a mainstay, but what challenges have arisen for securing protected health information (PHI), and maintaining HIPAA compliance? 

Early on, the storm of COVID-19 saw opportunists: unscrupulous actors seeking to exploit the “fear and uncertainty caused by the unstable social and economic situation,” as INTERPOL reported. 

COVID-19-themed phishing emails and fraudulent domains sprang up early and spread almost as fast as the virus. Meanwhile, Ransomware and other kinds of attacks from nefarious sources showed no signs of slowing. 

As a result, data-handling experts like Microsoft (following Google, and secure cloud providers like HIPAA Vault) began to double down on security:

Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA). Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks

– Microsoft’s 2020 Digital Defense Report

With 2022 half over, this question for reflection continues to be a good one: what are you learning in the wake of COVID-19? How has HIPAA compliance become more challenging, and what changes is your healthcare organization being challenged to make? 

Here are 3 areas that help explain why HIPAA compliance has become more challenging, and what you can do to promote HIPAA compliance in your organization:

1. An Increase in the Volume and Types of Threats to PHI

As noted, phishing scams and similar kinds of attacks skyrocketed during the pandemic, and continue to evolve. Hackers look to stay ahead of the curve, and so must security and compliance specialists. 

We wish we could sing a different tune, but 2021 saw the largest number of healthcare data breaches on record. IBM’s latest data breach report now estimates the average cost of a healthcare data breach to be $10.1 million (as compared to last year’s $9.23 million). 

That makes for twelve consecutive years of healthcare having the highest average breach cost; it also represents a 41.6% increase since 2020. 

Numbers like these continue to alarm, but they don’t always translate to how patients themselves are impacted. Consider just one study of patient harm (among the other kinds of harm such as financial, psychological, identity, etc.) which demonstrates how a malware infection like ransomware can wreak havoc, causing: 

“36 additional deaths per 10,000 heart attacks that occurred annually at the hundreds of hospitals examined. Given that every year about 805,000 Americans have a heart attack, that can mean an additional 2,800 additional deaths nationwide.”

No wonder the AMA has now made cybersecurity a matter of patient safety!  

Yet not only has the risk of ransomware attacks increased, but resulting fines for violations of HIPAA can also be tremendously costly – in the millions of dollars. Business viability and provider reputations may also suffer. 

This makes adherence to HIPAA compliance regulations and breach-prevention measures all the more critical for healthcare organizations. 

What You Can Do

Whether you’re a large healthcare system or a small, private practice, there are core security fundamentals you can insist on to protect your patients and business. 

The Department of Health and Human Services has offered these Ten Tips for Cybersecurity in Healthcare, which include establishing a security culture and providing regular training for your staff. This is a good start. 

In addition, the Cybersecurity and Infrastructure Agency published this helpful article on Ransomware. Take a few minutes and read it over.  

Finally, protect your IT environment and data by leveraging proven, HIPAA-compliant hosting services with 24/7 managed security services, such as: 

  • patching and updating systems to reduce attack exposure 
  • regular scanning for vulnerabilities, and mitigating those found
  • daily snapshots of your environment for maintaining business continuity 
  • implementing multi-factor authentication for sign-on 
  • deploying data-loss prevention, including encryption 

As Jen Ellis, co-chair of the Institute for Security and Technology’s Ransomware Task Force notes:

“Many of these measures have traditionally been seen as challenging for clinical healthcare environments to adopt, but the reality is that without them, hospitals are effectively sitting ducks for attackers.” 

2. Even Savvier Phishing Attacks

Microsoft’s Digital Defense Report notes how, over the past few years especially, cybercriminals have become savvier – as we’ve seen, even willing to capitalize on a crisis like COVID-19. This was another clear indicator of how agile and evolving (and yes, heartless) the attackers are. 

Interestingly, the report details a general shift for these cyber criminals, changing their primary means of attack from malware to email phishing, which now causes over 70% of data breaches. As such, they’re utilizing increasingly sophisticated methods to attempt to sway recipients and harvest their credentials. 

Scams that impersonate an executive in your company and include an “urgent” link to click on are a common approach. Impersonating company departments is another; eg,  “Memo from HR” or “COVID-19 Benefits;” or even bogus “tech support instructions” that ask for an urgent response to critical IT matters.  

You’ve likely seen numerous attempts to imitate top brands – including Amazon and Apple – that tout attractive offers for you and your company. Clicking on these links in an email opens the door for them to deliver their harmful payload, compromise your systems, and even breach your data.

What You Can Do

For healthcare organizations, the use of secure, HIPAA-compliant email that requires authentication is one way to recognize valid emails. This can filter out the possibility of falling for phishing schemes, and help protect sensitive data.

Cybersecurity training that includes phishing awareness is also indispensable for helping employees recognize potential attacks in the high volume of emails they typically receive.

Cyber awareness training is a strategic way that companies can forge a strong defense while eliminating potential weak links in their workforce that might cripple their network.

3. More Data Volume, Changing Technologies, and Remote Meetings

A spike in doctor visits due to the pandemic, as well as a general trend in society towards greater self-monitoring of health with personal smart devices, translates into more sensitive data (PHI) being created. All data handlers must be aware of how that data is both stored and transmitted and take steps to see that it is protected.

Also, as many continue to work remotely and rely on virtual visits with their physicians – preventing potential exposure to others who are sick – there’s also an increase in potential targets. 

What You Can Do

A wider attack surface broadens the security risks, and so end-user devices (including smartphones and tablets) that handle PHI must rely on secure networks, data encryption, and avoid scenarios where they are open to public disclosure.

Healthcare providers must take appropriate steps to ensure a safe environment for their client’s medical data and personal information.

Using trusted, compliant applications, along with secure platforms supported by a HIPAA hosting provider like HIPAA Vault, will be indispensable for protecting personal information.  

As always, the following practices should also be observed by both patients and providers:

  • Visit only secure websites (look for the “lock” icon in your browser’s address bar)
  • Use strong passwords (a mix of lowercase, caps, numbers, and symbols) for all wireless connections
  • Install an antivirus program on devices

Heed the Storm

There are many more “wake-up calls” concerning healthcare and security that we might list; these are just a start. Times like these call for deeper reflection, even a willingness to change our own personal status quo. 

Protecting patients is a holistic enterprise; we contribute to their well-being when we recognize how they can be damaged not just by an invisible virus, but also by those who would exploit their identity and personal data. 

HIPAA Vault is the leading provider of HIPAA-compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times.

Stephen Trout Headshot

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.