HIPAA and Healthcare Data Security

Just like other large organizations that store information electronically, healthcare companies are facing a growing challenge of protecting patient data from hackers, data thieves, and many other forms of online threats.

As an unfortunate example, Hollywood Presbyterian Medical Center (HPMC) recently paid $17,000 to attackers who had compromised the hospital's network. In the scheme of things, it was not a particularly sophisticated attack: the attackers deployed ransomware that encrypted the hospital's Electronic Health Records (EHR). In order to regain access to patient records and charts, hospital management paid the demanded ransom in exchange for the decryption key. It could have been far worse, and far more expensive.

HPMC issued a public statement making it clear that none of the EHR information had been misused or even accessed by unauthorized individuals. While this may sound reassuring, the reality is that attackers with enough access to encrypt the hospital's EHR system also had enough access to copy it; they were only a few steps away from causing far more damage through the exposure of HIPAA-protected data.

Payment was made in bitcoin (40 BTC), which made identifying the attackers difficult, since Bitcoin addresses are pseudonymous and the funds can be moved quickly across many wallets. Although at an equivalent value of about $17,000 this incident wasn't exactly cheap, the ransom itself was certainly manageable.

Data Security Isn’t Just Protection From Malware

Beyond the threat of malicious attacks, ransomware and otherwise, healthcare organizations must also comply with the regulations of HIPAA, the Health Insurance Portability and Accountability Act of 1996. As part of its mandate, HIPAA sets forth security standards that healthcare organizations must adhere to in order to protect patient data.

According to the U.S. Department of Health and Human Services website, the Security Rule provision of HIPAA is described as follows:

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. 

HIPAA clearly requires that healthcare organizations protect electronic protected health information (ePHI), which covers patient records and the billing and insurance data tied to them. Its scope stops at the definition of PHI, however: employee HR and payroll records, vendor and corporate business data, and systems that never touch patient information fall outside it, even though an attacker values them just as highly. So although HIPAA is very specific about how patient information is to be protected, its standards alone may not be enough to truly protect patients or the organization.

Healthcare organizations need to extend their security provisions well beyond those mandated by HIPAA. As the HPMC case clearly demonstrates, cyber attacks can take different forms and create unpredictable and unforeseen outcomes. Although no patient records were directly tampered with at Hollywood Presbyterian, in addition to the ransom payment the incident disrupted hospital operations for at least 10 days, with a significant resulting loss of revenue, not to mention the intangible cost of lost patient confidence in the organization.

Healthcare organization employee information, although not covered by HIPAA, is also at risk. As an example, shortly after the Hollywood Presbyterian incident, a spreadsheet containing sensitive employee information was stolen from the Magnolia Health Corporation of Tulare, California by attackers who obtained the email address and credentials of the organization's CEO.

The data breach included personal and payroll-related information for all Magnolia Health employees, including Social Security numbers and detailed information about employment status and pay histories. The breach was not discovered until a week after it had occurred. As with the Hollywood Presbyterian incident, apart from the direct financial impact of dealing with a security breach, the loss of credibility and confidence an organization suffers when an attack occurs is real.

So What Does Secure Data Really Mean for Healthcare Organizations?

Best-practice data security for healthcare organizations therefore consists of two major components. The first is HIPAA compliance. The second is genuine data security that protects all of the healthcare organization's data, not only PHI, from malicious attacks.

In terms of HIPAA compliance, the Security Rule groups its required safeguards into three categories, as follows:

1. Administrative Safeguards

2. Physical Safeguards

3. Technical Safeguards

Administrative Safeguards include nine standards that primarily cover security management, workforce access, training, and contingency planning. Compliance requires an audit of existing security measures, a documented risk assessment, and documentation of the measures adopted to address the risks identified.

The four standards of the Physical Safeguards address how the facility is accessed, use and security of workstations, and device and media controls. Major concerns of the Physical Safeguards section are facility contingency plans and procedures, physical security as mentioned above, and issues related to disposal and reuse of equipment and media, data backup, and accountability for the management and maintenance of hardware.

Technical Safeguards, which include five standards, deal with access control, audit controls, data integrity, person or entity authentication, and transmission security.

It's important to remember that one of the most important aspects of the HIPAA regulations is the establishment and maintenance of patient privacy. The Act is intended to ensure that patient medical records at all times remain both confidential and private. The regulations do not cover employee records or the other business information the healthcare organization maintains in order to operate.

For that reason, HIPAA compliance should be viewed as only the first step in a comprehensive healthcare organizational data security plan. If that sounds obvious, unfortunately it isn't. Many organizations develop a false sense of security once they are in compliance with HIPAA regulations and essentially ignore the other risks they face.

But cyber security is not just an IT problem; it is an organizational problem of mission-critical importance. Failure to tackle the ongoing and ever-increasing challenges to a healthcare organization's data security puts the organization at tremendous risk.

This is where an outside service provider with specific expertise in healthcare security can provide real value. An outside vendor can take a fresh look at the organization to find weaknesses and improve the overall effectiveness of the data security program. Qualified and experienced outside resources can see not only the entire system but its individual components, and evaluate them independently, without the bias or preconceived notions of those who built and run them. A security firm's only business is understanding the detailed operational requirements of a robust security program, and when it comes to protecting the sensitive information of vulnerable patients, it is best to consult a firm that specializes in healthcare security.