Five steps to ensuring the protection of patient data and ongoing risk management.
Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time, security professionals are faced with an evolving threat landscape of increasingly sophisticated threat actors and methods of attack.
For example, 2018 threat intelligence research by AT&T Alien Labs reports a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from health care providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.
One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware.
To help address these security challenges and ensure adherence to compliance mandates, security and IT professionals should consider how people, processes, and technology can be used together to create a holistic IT security compliance program that simplifies preparation, auditing and reporting, as well as ongoing security risk management and breach monitoring and response. Here’s a five-step HIPAA compliance checklist to get started.
Certification and Ongoing HIPAA Compliance
HIPAA sets the standard for protecting sensitive patient data. Any entity that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted to promote the “meaningful use of health information technology” and address the privacy and security concerns associated with the electronic transmission of health information. Although there is no standard or implementation specification that requires a covered entity to “certify” compliance, the evaluation standard § 164.308(a)(8) requires covered entities to perform ongoing technical and non-technical evaluations that establish the extent to which their security policies and procedures meet the security requirements. Evaluations can be performed and documented internally or by an external organization that provides evaluation or “certification” services. However, HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
Step 1: Start with a comprehensive risk assessment and gap analysis
Your compliance strategy should start with a solid foundation, which is why the first step in your journey to HIPAA compliance should be a readiness assessment that includes a comprehensive risk and compliance analysis of your electronic health record (EHR) environment. This assessment is often best done by a third party with expertise in healthcare security and compliance, as HIPAA regulations can be confusing and cumbersome. Using a third party with the necessary expertise will ensure you don’t miss or misunderstand the required regulations, and it will save you time as they will likely have a HIPAA checklist to reference.
Your consultant can perform an initial evaluation of your entire security program to determine its adherence to HIPAA regulations and the level of readiness to proceed with the “certification” process. It’s worth noting that the OCR does not actually “certify” HIPAA compliance (see side bar), however there are organizations outside of the OCR that do provide “certification” services, and many organizations take advantage of these certification services to prove compliance. As a result of the evaluation, your consultant should provide a comprehensive report that may include such things as:
- Your organization’s current security and compliance posture compared to the requirements established by the OCR Audit Protocol (including the HIPAA Privacy Rule, Security Rule and the Breach Notification Rule).
- Prioritized recommendations for risk remediation.
- A road map outlining the steps and initiatives to achieve compliance and “certification”.
According to the OCR, organizations that have aligned their security programs to the National Institute for Standards and Technology (NIST) Cybersecurity Framework may find it helpful as a starting place to identify potential gaps in their compliance with the HIPAA Security Rule. Addressing these gaps can bolster compliance with the Security Rule and improve the organization’s ability to secure ePHI and other critical information and business processes. Read how NIST “maps” to the HIPAA Security Rule in the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.
Step 2: Remediate identified risks and address compliance gaps
Once you’ve identified your organization’s risks, take immediate steps to address the gaps within your security program. Again, a consultant who has practical experience in healthcare security will be very useful in providing strategic guidance, as well as advice on risk mitigation. Many organizations use the same consultant who performed their initial risk assessment.
Your consultant may develop specific programs, policies, standards, and procedures, as well as support or help implement key security practices and controls. For example, they may assist in prioritizing vulnerabilities and make recommendations for remediation in your EHR environment. Or, they may provide pre-packaged employee security awareness training that meets HIPAA guidelines, such as educating employees on security risks and running them through attack scenarios.
Make use of security technology to help you more quickly address the gaps in your compliance program — and consider platforms versus point solutions, giving you the ability to address multiple issues at once. Also, look for solutions that address both on-premises and multi-cloud environments as HIPAA regulations apply to both (see Guidance on HIPAA & Cloud Computing).
For example, look for such use cases as the automation of asset discovery and the ability to categorize those assets into HIPAA groups for easy management and reporting. Those same solutions may also perform vulnerability assessments, automate the prioritization of vulnerabilities for mitigation, and integrate with ticketing solutions to ensure the most critical are being remediated while overall risks are mitigated.
Step 3: Take advantage of automated compliance reporting
The evaluation standard of HIPAA requires covered entities to perform and document ongoing technical and non-technical evaluations to establish the extent to which their security policies and procedures meet the security requirements.
- Simplify and speed this process by taking advantage of automated compliance reporting.
- Look for solutions with predefined report templates for HIPAA, as well as other key regulations such as PCI DSS, NIST CSF, and ISO 27001.
- Consider ease-of-use, such as being able to define groups of assets — for example, a HIPAA group that includes sensitive assets connected to patient data or protected data.
- How easy it is to view, export, and customize the reports?
- What percentage of regulation coverage is included in predefined reporting?
Most solutions do not cover all the requirements defined by the HIPAA Audit Protocol, but they will give you a jump on your HIPAA checklist.
Many security management platforms also include additional predefined event reports, such as reports by data source and data source type, helping to make daily compliance monitoring and reporting activities more efficient.
Also, look for an intuitive and flexible interface that allows you to quickly search and analyze your security data, as well as the ability to create and save custom views and export them as executive-ready reports.
Finally, solutions that provide centralized visibility of your cloud and on-premises assets, vulnerabilities, threats, and log data from firewalls and other security tools are key to giving you the most complete and contextual data set for maintaining and documenting continuous compliance.
Step 4: Implement Monitoring and Breach Notification Protocols
The Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and business associates to provide notifications if they experience a breach that involves unsecured protected health information.
Security management platforms can help to simplify and automate monitoring for breaches on your network, ensuring you are able to more quickly detect and contain a breach, as well as provide the required notifications.
As more organizations in healthcare are migrating data and applications to the cloud, make sure the technology you’re choosing offers advanced threat detection across both on-premises and multi-cloud environments. Simplify compliance management by choosing a solution that combines an array of essential security capabilities in one platform. These may include, but are not limited to: asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, endpoint detection and response, SIEM event correlation, file integrity monitoring (FIM), and log management. By combining these use cases in a single dashboard, you are better able to quickly identify, analyze, and respond to emerging threats that target your EHR environment.
Intelligence it key to threat detection and incident response, so consider vendors who have in-house research teams as well as access to external threat intelligence communities and other sources that can provide insight into the latest global threats and vulnerabilities — and in particular, those that are specific to healthcare.
However, intelligence without context will create lot of distracting “noise” for your team. So, check that the solution goes beyond just providing intelligence to incorporating it directly into your dashboard, including providing recommendations on how to respond to identified threats. With this intelligence and guidance at your fingertips, you can react quickly to the latest tactics, techniques, and procedures used by threat actors. And, you are assured of an always-up-to-date and optimally performing security monitoring solution.
Need more info on how to respond to a breach? See the HHS Quick Response Checklist.
Step 5: Continuously evaluate and manage risk
Whether you are managing ongoing HIPAA compliance internally or are using an external organization, avoid last-minute scrambling for annual evaluations and audits by employing a year-round risk management program. Such a program requires having real-time visibility of your environment, including system component installations, changes in network topology, firewall information, and product upgrades.
Use a unified platform to gain this visibility and enable monitoring in a central location (opposed to various point solutions). Here are a few examples of where a platform would be helpful for continuous risk and compliance management:
- Manage assets and risks
Examples: Use automated asset discovery for on-premises and cloud environments and then create asset groups such as business critical assets or HIPAA assets for ongoing monitoring, management and reporting. Identify systems with known vulnerabilities and use correlation rules to detect threats.
- Monitor access control; data security; information protection, processes and procedures; and protective technology
Examples: Monitor for successful and failed logon events to assets. Monitor for communications with known malicious IP addresses or use file integrity monitoring (FIM) to detect, assess and report on changes to system binaries, and content locations. Schedule vulnerability scans, automate assessments, and plan for mitigation. Review events and detected incidents.
- Detect anomalies and events; and ensure continuous security monitoring and detection processes
Examples: Aggregate events from across on-premises and multi-cloud environments. Classify threats based on their risk level. Monitor for stolen credentials, malware-based compromises such as communication to a known command and control (C&C) server, anomalous user and admin activities, file integrity, and vulnerabilities.
- Automate event and incident analysis; mitigation
Example: Automate forensics tasks to be executed in response to a detected threat and simplify forensics investigations with filters, search and reporting capabilities for event and log data. Automate actions to contain threats, such as isolating systems from the network.
- Automated reporting
Use out-of-the box reporting to document that you’ve made an accurate assessment of the risks and vulnerabilities to the confidentiality, integrity and availability of all electronic PHI — and to quickly show the status of technical controls that align to HIPAA or other regulations.
Maintaining adherence to HIPAA is no small feat considering the dozens of criteria that are considered in the HIPAA Audit Checklist. Attempting to manage your compliance program manually and without the help of expert healthcare security consultants will not only take up massive amounts of time, it could result in your team missing an essential component of the regulation, or worse yet, enduring a breach that compromises patient data or takes down the network. However, with the right mix of people, processes and technology, it’s not an impossible to stay on top of compliance management while ensuring your network is secure and patient data protected year-round.
HIPAA Privacy Rule: This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and health care providers who conduct the standard healthcare transactions electronically.
HIPAA Security Rule: This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164 (e-PHI).
HIPAA Breach and Notification Rule: The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.