Cybersecurity is one of the top concerns in the U.S. healthcare industry today. Cyberattacks not only harm healthcare businesses; they also compromise the security and privacy of patient data. Unfortunately, basic measures were not making the cut, which forced federal agencies to pass a new law called the HIPAA Safe Harbor Bill.
The HIPAA Safe Harbor bill aims to incentivize and encourage organizations to adopt best-practice security and cybersecurity measures. However, that new act is not the subject of this article. Instead, I will explain how efforts towards HIPAA compliance can improve healthcare data security and reduce cybersecurity risks.
Why is HIPAA important?
Even a tiny hole in a hospital’s network can expose sensitive patient data and cause severe problems. Healthcare data are a prime target for cybercriminals because the information is easy to exploit for malicious purposes. Hackers can render Electronic Health Records (EHRs) useless by encrypting them, and medical records contain valuable information that can be sold all across the world.
In the U.S., healthcare organizations and other businesses that maintain patients’ healthcare data must protect the information they receive, create, or use. The guidelines and requirements are set forth by HIPAA, the Health Insurance Portability and Accountability Act. To comply with the law, organizations must implement a variety of safeguards that protect sensitive health information from being used or disclosed without the patient’s knowledge or consent.
With the advent of computers and internet connectivity, organizations must protect sensitive patient data against the unwelcome eyes of hackers, spammers, identity thieves, and others.
The HIPAA Security Rule Safeguards
The HIPAA Security Rule is specifically designed to protect medical records in digital form, known as electronic protected health information (ePHI). On that note, let’s take a look at the security safeguards set forth under this rule.
Administrative safeguards address privacy and cybersecurity from the management perspective:
- Security management process: This step involves risk analysis, risk management, and information system activity review.
- Workforce security: This involves assigning one or more officers responsible for authorization and/or supervision, workforce clearance procedures, and termination procedures.
- Information access management: This deals with the level of access to ePHI, and with how access is established and modified.
- Security and awareness training: This involves providing appropriate and adequate training to employees, including security reminders, protections from malicious software, login monitoring, and password management.
- Contingency plans: These involve having data backup, disaster recovery, and emergency mode operation plans.
Physical safeguards secure the workplace so that the cybersecurity and privacy measures in place can operate effectively:
- Facility access control: This involves having proper security in workplaces to limit physical access, validation procedures, and maintenance records.
- Workstation use and security: Policies and procedures involving correct use of workstations and what to do when they are idle.
- Device and media controls: Policies and procedures for the transfer, disposal, removal, and re-use of electronic media.
Technical safeguards limit unauthorized access to ePHI and include:
- Access control: This involves unique user identification, emergency access procedures, automatic logoff, and encryption and decryption.
- Audit controls: This deals with hardware, software, and procedural mechanisms for recording and examining activities.
- Integrity controls: Mechanisms designed to authenticate ePHI, i.e., to confirm that it has not been altered or destroyed in an unauthorized manner.
- Transmission security: This involves encrypting data and implementing integrity controls to safeguard ePHI during transmission.
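As an added illustration that is not part of the original article, the following Python sketch shows two of the technical safeguards above in working code: an ePHI access audit log whose entries are HMAC-chained so that an integrity check detects an altered or deleted record, and an automatic-logoff check. The key, the 15-minute timeout, and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed for the example: a real deployment takes the key from a key
# vault and the idle timeout from policy.
AUDIT_KEY = b"example-audit-key-not-for-production"
IDLE_TIMEOUT = timedelta(minutes=15)

def _mac(entry):
    """HMAC over the canonical JSON form of an entry, excluding its own mac."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    return hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def append_audit_record(log, user_id, action, record_id, at):
    """Audit control: who touched which ePHI record, when, and how. Each entry
    carries the previous entry's MAC, so deleting or reordering breaks the chain."""
    entry = {"user": user_id, "action": action, "record": record_id,
             "time": at.isoformat(), "prev": log[-1]["mac"] if log else ""}
    entry["mac"] = _mac(entry)
    log.append(entry)
    return entry

def verify_audit_log(log):
    """Integrity control: index of the first entry whose MAC or chain link fails, -1 if intact."""
    prev = ""
    for i, entry in enumerate(log):
        if entry.get("prev") != prev or not hmac.compare_digest(_mac(entry), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1

def session_expired(last_activity, now):
    """Access control (automatic logoff): True once a workstation has idled past the timeout."""
    return now - last_activity >= IDLE_TIMEOUT

def demo():
    """Three legitimate events, then an edited entry, then a deleted entry."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    log = []
    for minute, action in enumerate(["view", "update", "print"]):
        append_audit_record(log, "nurse01", action, "MRN-0001", t0 + timedelta(minutes=minute))
    intact = verify_audit_log(log)          # -1: chain verifies end to end
    log[1]["record"] = "MRN-9999"           # in-place edit: entry 1's MAC no longer matches
    edited = verify_audit_log(log)          # 1
    del log[1]                              # removal: the next entry's prev link now dangles
    deleted = verify_audit_log(log)         # 1
    return intact, edited, deleted
```

Both checks only work if the audit key is kept out of reach of the accounts whose activity the log records; otherwise an insider could recompute the MACs.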
What’s outside HIPAA?
In addition to the aforementioned measures, healthcare organizations are also recommended to follow the guidelines set forth by the National Institute of Standards and Technology (NIST) in its “Framework for Improving Critical Infrastructure Cybersecurity.”
The framework is made up of three components: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
Essentially, the Framework Core provides a set of cybersecurity guidelines that are common across most organizations’ critical infrastructure. With that information, individual organizational Framework Profiles are developed. And finally, the Framework Implementation Tiers give the organization a good understanding of how it aligns its cybersecurity activities with its needs, risk tolerances, and resources.
Both NIST’s and HIPAA’s guidelines can help reduce cybersecurity risks for any healthcare provider or organization. But the hard reality is that not many organizations want to invest much in cybersecurity, and hence, when they fall victim to these attacks, they face massive losses. The more budget and resources an organization puts into IT infrastructure and security personnel, the better it is likely to fare against the cyber threats that inevitably come along.