Can you have a Ransomware attack if you are HIPAA-compliant?

Explore the ways Ransomware can infiltrate a HIPAA-Compliant organization and learn ways to prevent it

[Image: Ransomware attack even if you are HIPAA compliant]

The short answer: Yes


The in-depth answer: The Health Insurance Portability and Accountability Act (HIPAA) sets the minimum standards for protecting sensitive patient health information (PHI). The Department of Health and Human Services (HHS) regulates HIPAA compliance, while the Office for Civil Rights (OCR) enforces it. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis. However, a HIPAA-compliant organization can still be a target for a ransomware attack. Despite having advanced cybersecurity measures in place to comply with HIPAA, no organization is fully impervious to all cyber threats.

Ransomware Attacks in a HIPAA-compliant Organization


HIPAA regulations mandate that healthcare providers protect the privacy and security of patients’ health information. This involves implementing safeguards such as access controls, audit controls, integrity controls, and transmission security. However, these measures primarily focus on ensuring data privacy and security; although they help reduce the risk of ransomware attacks, they do not eliminate it completely.


Ransomware is malicious software that encrypts the victim’s data. The attackers demand a ransom to restore access, and even when they are paid they retain the ability to modify the data or sell it. This creates serious complications for the healthcare industry, whose data is targeted because of its critical importance and high value. Even with HIPAA-compliant measures in place, organizations can fall victim to ransomware attacks via various methods:

  1. Not implementing addressable safeguards:

    Organizations tend to overlook the addressable safeguards outlined in the HIPAA Security Rule. These cover Authorization / Supervision, Workforce Clearance Procedures, Termination Procedures, Access Authorization, Security Reminders, Log-in Monitoring, Password Management, Protection from Malicious Software, Testing Contingency Plans, etc. Because of this oversight, their systems retain vulnerabilities that a targeted cyber attack can exploit.

  2. Phishing attacks:

    One of the most common ways attackers can breach security defenses is through phishing emails. These emails trick employees into clicking on malicious links or attachments that install ransomware on the network.

  3. Insufficient Backup and Recovery Systems:

    HIPAA requires that covered entities have backup and disaster recovery measures in place. However, if these measures are not adequately and continuously maintained, tested, and updated, ransomware can infect not only the primary data systems but also backup systems, making data recovery impossible without paying the ransom.

  4. Incomplete or Inadequate Implementation of HIPAA Standards:

    Compliance doesn’t always mean complete protection. Organizations may meet the letter of the law without effectively securing all possible points of vulnerability. For instance, they might overlook the security of medical devices, partner networks, or other systems that connect to their main network.

  5. Exploiting software vulnerabilities:

    Cybercriminals often exploit known vulnerabilities in software applications that are not patched or updated regularly. Through these vulnerabilities, they gain unauthorized access and deploy ransomware.

  6. Insider threats:

    Employees, vendors, or other insiders may expose the organization to ransomware, either deliberately (through malicious intent) or inadvertently (through simple carelessness).

  7. Brute force attacks:

    In this method, attackers try numerous combinations to guess passwords and gain access to systems or networks. Once they are in, they install ransomware and infiltrate the entire network.

  8. Advanced Persistent Threats (APTs):

    These are long-term targeted attacks in which cybercriminals infiltrate networks to harvest data or disrupt services. They can plant ransomware and activate it at the most opportune moment. Zero-day exploits, for example, take advantage of security vulnerabilities that are unknown to the organization and the public; because such vulnerabilities are unpatched, they are a lucrative target for attackers.

  9. Network vulnerabilities:

    Weaknesses in network security, such as unsecured Wi-Fi networks or inadequate firewall protection, can create entry points for ransomware.

  10. Physical breaches:

    Access to physical machines (like a stolen laptop that has not been encrypted) can also lead to a breach. HIPAA requires physical safeguards, but like all security measures, they’re not 100% foolproof.

This list is not exhaustive, but HIPAA compliance helps mitigate these risks through required security measures such as regular risk assessments, encryption of electronic protected health information (ePHI), keeping systems updated and patched, and regular staff training on cybersecurity best practices.

However, the cybersecurity challenges organizations face are dynamic, and they need a comprehensive approach that goes beyond HIPAA compliance alone. This might involve extensive, customized employee training to recognize phishing attempts; regular audits and penetration tests to identify and patch vulnerabilities; advanced threat detection and response systems; and robust, isolated backup systems so that data can be restored in the event of a ransomware attack. Establishing an incident response plan can also help minimize damage if an attack occurs.

Despite all these measures, it’s important to remember that no organization can be completely immune to ransomware attacks. Therefore, continuous improvement of your security posture and preparedness for potential attacks is critical.

In the event of a ransomware attack, HIPAA mandates specific steps and reporting procedures, including notifying affected individuals, the Department of Health and Human Services, and potentially the media, depending on the scale of the breach. Compliance therefore does not guarantee the prevention of attacks, but it does establish a strong foundation for preventing, detecting, and responding to such cyber threats, thereby reducing risk over the long run.


How databrackets can help you create a secure IT infrastructure

Experts at databrackets have extensive experience working with Healthcare Providers, Cyber Liability Insurance Providers, Managed Service Providers (MSPs), FDA Regulated industries etc. Our services range from Security Risk Analysis, HIPAA compliance, Pen Testing & Vulnerability Scans, Implementation of Cyber Security Technology, Managed Security Services, and Security Risk Analysis for MIPS, among others.

Our team has supported organizations across a wide variety of industries to align their processes with security frameworks like HIPAA, 21 CFR Part 11, ISO 27001, SOC 2, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC, etc.

We are constantly expanding our library of assessments and services to serve organizations across industries. Schedule a Consultation if you would like to Connect with an Expert to understand how we can customize our services to meet your specific requirements.

Related Links

Sources of Ransomware Attacks on Healthcare Systems

Protect your DICOM from Cyber Attacks

Security Tech Investments for Top 10 trends in 2023

How to Select a Security Vendor

Author: Aditi Salhotra, Digital Marketing and Business Development, databrackets.com

Aditi is a Digital Marketing and Business Development Professional at databrackets.com. She graduated with honors in Marketing from Sheridan College, Canada. In addition to her current profile, she contributes to Product Development and Content Creation. She is a strong advocate of Good Cyber Hygiene and white hat SEO techniques. She is proud of the company’s mission to safeguard organizations from cyber threats and ensure their business continuity in adverse situations. 

Technical Expert: Srini Kolathur, Director, databrackets.com

The technical information presented in this blog has been carefully reviewed and verified by our Director, Srini Kolathur. Srini is a results-driven security and compliance professional with over 20 years of experience supporting, leading, and managing global IT security, compliance, support, and risk assessment in Fortune 100 companies. Some of his key areas of focus are SOC 2, ISO 27001, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework, HIPAA, Security Risk Assessment, and CMMC 2.0, among others. He is a CMMC Registered Practitioner (RP), CISSP, CISA, CISM, MBA. He is active in several community groups including Rotary International and TiE.

Sources of Ransomware Attacks on Healthcare Systems

Work with a checklist of potential sources of Ransomware attacks on Healthcare systems and connect with experts to help you prevent a data breach

[Image: How ransomware enters Healthcare Systems]

A cohort study published in The Journal of the American Medical Association in December of 2022 revealed that Ransomware attacks targeting Healthcare delivery organizations more than doubled from 2016 to 2021. This exposed the Personal Health Information of nearly 42 million patients. During the study period, it was observed that Ransomware attacks were more likely to target large organizations with multiple facilities.

Healthcare systems are usually targets of Ransomware attacks due to their critical importance and the high value of their data. Therefore, Healthcare providers and their vendors (including business associates and subcontractors) must maintain strong cybersecurity defenses and best practices, use advanced threat detection tools and mitigate the unrelenting risk of Ransomware attacks. While benchmarks under the Health Insurance Portability and Accountability Act (HIPAA) are mandatory, hackers have found ways to create loopholes in HIPAA-compliant systems, embed Ransomware, and trick users (usually employees of Healthcare providers and their vendors) into downloading it.

How Ransomware Enters Healthcare Systems

Ransomware, one of the most damaging forms of malicious software, can enter Healthcare systems in several ways. Hackers usually look for a loophole, or create one through a single user’s computer, then infiltrate the network and spread the Ransomware to other devices. Once it spreads, the data in the core systems is encrypted using unique keys known only to the hackers. Unless the hackers are paid, the data in the core systems is unusable by the healthcare organization. This severely impacts service delivery and patient care.

There are several ways attackers can enter the systems of a healthcare provider, business associate, vendor, or subcontractor. These include, but are not limited to:

1. Phishing Emails:

One of the most common methods for Ransomware to enter an IT infrastructure is through phishing emails. These are emails disguised as legitimate, often impersonating a trusted sender like HR, professionals working in the Billing / Finance department, Vendors, or trusted senders from other departments. The emails contain malicious links or attachments. Once an employee clicks on the link or downloads the attachment, the Ransomware can infect their computer and spread to other systems in the network.

2. Malvertising and drive-by downloads:

Malvertising involves injecting malicious code into online advertising networks. When a user clicks on an infected ad, the Ransomware is downloaded onto their system. Drive-by downloads are similar but happen on compromised websites or even legitimate ones with a security weakness.

3. Exploiting vulnerabilities in outdated software or hardware:

Attackers often exploit security vulnerabilities in software or hardware that haven’t been patched or updated regularly. These vulnerabilities can be in operating systems, applications, databases, network equipment, and medical devices. When security patches are released to fix these vulnerabilities, organizations need to update their systems promptly to protect them.

4. Social Engineering:

This involves manipulating individuals into performing actions or divulging confidential information that can be used to gain unauthorized access to systems or data. It could be a phone call or an online interaction, convincing someone to install a file with Ransomware. Common examples include Pretexting, Baiting, and Tailgating.

5. Third-party vendor attacks:

In this method, attackers compromise a trusted software vendor’s system and insert their Ransomware into software updates. When the healthcare organization installs the infected update, the Ransomware enters its system.

6. Remote Desktop Protocol (RDP) attacks:

RDP is a protocol that allows one computer to connect to another over a network. If an attacker can guess or crack the login credentials for an RDP session, they can install Ransomware on the remote system. This is especially problematic in healthcare settings where RDP is commonly used for telemedicine and remote patient monitoring.

7. Removable Media:

Ransomware can spread through infected USB drives, CDs, or other removable media.

8. Internet of Things (IoT)/Medical Devices:

As healthcare increasingly utilizes connected devices, these devices become targets. Many IoT/medical devices lack robust security, making them an attractive entry point for attackers.

This list is not exhaustive, and there is only one certainty in the field of Ransomware attacks – Hackers continue to find innovative ways to infiltrate healthcare systems. Vendors who directly and indirectly work with Healthcare providers in the US need to be HIPAA compliant. However, following the benchmarks set by HIPAA doesn’t guarantee that your systems will not be vulnerable to a targeted or ransomware attack. We have explored this at length in our blog, ‘Can a HIPAA-compliant Healthcare provider be attacked using Ransomware?’

Stay tuned for ways to Mitigate the Risk of Ransomware in Healthcare.

How databrackets can help you create a secure IT infrastructure

Experts at databrackets have extensive experience working with Healthcare Providers, Cyber Liability Insurance Providers, Managed Service Providers (MSPs), Business Associates & Subcontractors of Healthcare Providers, and Pharmaceutical and other FDA Regulated industries. Our services range from Security Risk Analysis, Pen Testing & Vulnerability Scans, Implementation of Cyber Security Technology, Managed Security Services, HIPAA compliance, and Security Risk Analysis for MIPS, among others.

Our team has supported organizations across a variety of other industries to align their processes with security frameworks like HIPAA, ISO 27001, SOC 2, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC, 21 CFR Part 11, etc.

We constantly expand our library of assessments and services to serve organizations across industries. If you would like to Connect with an Expert to understand how we can customize our services to meet your specific requirements, do not hesitate to Schedule a Consultation.

Related Links

Can a HIPAA compliant Healthcare provider be attacked using Ransomware

Protect your DICOM from Cyber Attacks

Security Tech Investments for Top 10 trends in 2023

How to Select a Security Vendor

Author: Aditi Salhotra, Digital Marketing and Business Development, databrackets.com


Technical Expert: Srini Kolathur, Director, databrackets.com


What is the HIPAA Security rule?

Explore the Administrative, Physical and Technical safeguards under the HIPAA Security Rule & the difference between addressable and required safeguards.

[Infographic: HIPAA Security Rules]

The HIPAA Security rule applies to covered entities, business associates, subcontractors – anyone or any system with access to confidential patient data. Every organization in the healthcare delivery ecosystem must adhere to this rule because of the potential sharing of Electronic Protected Health Information (ePHI). This rule contains the standards organizations must follow to protect electronically created, accessed, processed, or stored PHI (ePHI). These standards apply to ePHI when it is at rest and in transit. It clarifies the physical, administrative, and technical safeguards that organizations must implement. The HIPAA security rule focuses on managing access and interprets it as having the means necessary to read, write, modify, or share ePHI or any personal identifiers that may reveal the patient’s identity.

Organizations are required to document their adherence to these standards and safeguards in their HIPAA Policies and procedures. They also need to ensure that staff members are trained annually on these policies and procedures and maintain documentation to prove this. 

  i) What is the difference between addressable and required safeguards?

Under HIPAA, safeguards are either ‘Required’ or ‘Addressable.’ ‘Required’ safeguards must be implemented, while ‘Addressable’ safeguards allow some flexibility. If a covered entity is unable to implement an addressable safeguard, it can implement an appropriate alternative or not introduce the safeguard altogether. This decision depends on the organization’s risk analysis, risk mitigation strategy, and the other security measures it has implemented. The organization is required to carefully document all the factors leading up to the decision, along with the results of the risk assessment on which the decision was based.

Addressable safeguards should not be interpreted as optional. Due to the dynamic nature of technology, complexity and cyber attacks, addressable safeguards may become required. We recommend implementing most of the controls. Physical safeguards, in some cases, can be addressable if ePHI is stored on the cloud. However, most controls are critical for maintaining security.

  ii) What are Administrative Safeguards under the HIPAA Security rule?

Administrative Safeguards are the cornerstone of HIPAA Compliance. They are the policies and procedures that connect the Privacy Rule and the Security rule. A critical administrative safeguard is the appointment of a Security Officer and a Privacy Officer to ensure the security measures are in place to protect ePHI and staff members follow them. 

Organizations are required to conduct a risk assessment before planning their policies and procedures and on a regular basis once they are implemented. This assessment is usually reviewed in a HIPAA audit to ensure it is ongoing and comprehensive. It is important to plan this annually and assess the organization’s level of risk and HIPAA compliance.

Administrative Safeguards – HIPAA Security rule

| Safeguard | Required / Addressable | Action |
|---|---|---|
| Risk Assessment | Required | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the PHI being created, used, and stored |
| Risk Management Policy | Required | Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level |
| Sanctions Policy | Required | Create and implement a ‘Sanctions Policy’ to outline sanctions against workforce members who fail to comply with organizational security policies and procedures |
| Information System Activity Review | Required | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports |
| Assigned Security Responsibility | Required | Assign the responsibility of maintaining security to a security official who will be accountable for the development and implementation of policies and procedures |
| Authorization / Supervision | Addressable | Implement procedures to authorize and supervise staff members who access PHI |
| Workforce Clearance Procedure | Addressable | Implement procedures to verify if an employee’s access to PHI is appropriate |
| Termination Procedures | Addressable | Implement procedures for terminating access to PHI when an employee leaves the organization |
| Isolating Health care Clearinghouse Function | Required | If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect its ePHI from unauthorized access by the larger organization |
| Access Authorization | Addressable | Implement policies and procedures for granting access to ePHI, for example, through access to a designated workstation |
| Access Establishment and Modification | Addressable | Based on access authorization policies, create and implement procedures to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process |
| Security Reminders | Addressable | Set up periodic security updates |
| Protection from Malicious Software | Addressable | Implement procedures for detecting and reporting malicious software |
| Log-in Monitoring | Addressable | Implement procedures to monitor log-in attempts and report discrepancies |
| Password Management | Addressable | Implement procedures for creating, changing, and safeguarding passwords |
| Response and Reporting | Required | Identify and respond to suspected or known security incidents; mitigate any known harmful effects of security incidents to the extent possible; and document security incidents and their outcomes |
| Data Backup Plan | Required | Establish and implement procedures to create and maintain retrievable exact copies of ePHI |
| Disaster Recovery Plan | Required | Establish (and implement as required) procedures to restore any loss of data |
| Emergency Mode Operation Plan | Required | Establish procedures to ensure business continuity and protect ePHI while operating in emergency mode |
| Testing Contingency Plans | Addressable | Implement procedures to test and update contingency plans periodically |
| Criticality Analysis of Applications and Data | Addressable | Assess the relative criticality of specific applications and data which support other contingency plan components |
| Business Associate Contracts and Other Arrangements | Required | Ensure that BAAs and all other arrangements with vendors are signed and updated |
| Security Awareness Training for employees | Required | All organizations covered under HIPAA are required to train their employees and ensure they are aware of the policies and procedures governing access to ePHI. They must also be taught to identify malicious software attacks and malware. Training must be conducted annually, and all records must be maintained. |
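As an added example (not code from the original page or from databrackets), the following Python script shows one way to put the ‘Log-in Monitoring’ action from the table above into practice: it parses authentication log lines, reports a burst of failed log-ins from a single source within a time window, and separately reports a success from a source that was just flagged, which is the discrepancy a password-guessing attempt leaves behind. The log format, the sample lines, the threshold and the window are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system). One line per
# authentication attempt in an assumed "key=value" format.
SAMPLE_LOG = """\
2024-03-01T08:00:01 user=jdoe src=10.0.0.5 result=success
2024-03-01T08:05:10 user=admin src=203.0.113.9 result=failure
2024-03-01T08:05:12 user=admin src=203.0.113.9 result=failure
2024-03-01T08:05:15 user=admin src=203.0.113.9 result=failure
2024-03-01T08:05:17 user=admin src=203.0.113.9 result=failure
2024-03-01T08:05:20 user=admin src=203.0.113.9 result=failure
2024-03-01T08:05:24 user=admin src=203.0.113.9 result=success
this line is malformed and should be skipped
2024-03-01T09:30:00 user=nurse1 src=10.0.0.7 result=failure
2024-03-01T13:45:00 user=nurse1 src=10.0.0.7 result=success
"""

# Assumed log line format: ISO timestamp, then user=, src= and result= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "user": m.group("user"),
        "src": m.group("src"),
        "result": m.group("result"),
    }


def find_discrepancies(log_text, threshold=5, window=timedelta(minutes=10)):
    """Scan log lines in order and return a list of findings.

    Two kinds of finding are reported:
      - "burst": at least `threshold` failed log-ins from one source address
        within `window` (reported once per source until a success resets it)
      - "success_after_failures": a successful log-in from a source that was
        flagged with a burst, i.e. the guessing appears to have worked
    """
    findings = []
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged_sources = set()               # sources with an open "burst" finding

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed line: skip rather than crash the review
        src, ts = ev["src"], ev["ts"]
        q = recent_failures[src]
        # Slide the window: forget failures older than `window`.
        while q and ts - q[0] > window:
            q.popleft()

        if ev["result"] == "failure":
            q.append(ts)
            if len(q) >= threshold and src not in flagged_sources:
                flagged_sources.add(src)
                findings.append({"kind": "burst", "src": src, "user": ev["user"],
                                 "count": len(q), "at": ts})
        else:
            if src in flagged_sources:
                findings.append({"kind": "success_after_failures", "src": src,
                                 "user": ev["user"], "at": ts})
                flagged_sources.discard(src)
            q.clear()  # a success ends the current failure run for this source
    return findings


if __name__ == "__main__":
    for f in find_discrepancies(SAMPLE_LOG):
        print(f["at"].isoformat(), f["kind"], "src=" + f["src"], "user=" + f["user"])
```

The threshold and window should be tuned to the organization’s own baseline of failed log-ins, and findings fed into the incident tracking the ‘Response and Reporting’ row requires.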

  iii) What are Technical Safeguards under the HIPAA Security rule?

Technical Safeguards are related to the technology used to protect ePHI and provide access to the data. These should be reviewed by the IT Department of an organization covered under HIPAA (Covered entities, business associates, and subcontractors).

Technical Safeguards – HIPAA Security rule

| Safeguard | Required / Addressable | Action |
|---|---|---|
| Unique User Identification | Required | Assign a unique name and/or number for identifying and tracking user identity |
| Emergency Access Procedure | Required | Establish procedures to obtain ePHI during an emergency |
| Automatic Logoff | Addressable | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity |
| Encryption and Decryption | Addressable | Implement a method to encrypt and decrypt ePHI |
| Audit Controls | Required | Implement hardware, software, and/or procedural mechanisms to record and examine the activity in information systems that contain or use ePHI |
| Mechanism to Authenticate Electronic PHI | Addressable | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner |
| Person or Entity Authentication | Required | Implement procedures to authenticate the personnel who are authorized to work with ePHI |
| Integrity Controls – Transmission Security | Addressable | Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until it is disposed of |

  iv) What are Physical Safeguards under the HIPAA Security rule?

ePHI can be stored in a data center in a remote location, in the cloud, or on on-prem servers within the organization’s premises. Physical Safeguards focus on direct physical access to ePHI irrespective of where it is stored. They outline guidelines to secure workstations and mobile devices against unauthorized access. 

Technical safeguards emphasize encryption as per NIST standards to protect ePHI at rest and in transit once it crosses the organization’s internal firewalled servers. This ensures that any data breach renders the data unreadable, undecipherable and unusable. While this is a required safeguard, organizations can select the most appropriate mechanism.

Physical Safeguards – HIPAA Security rule

| Safeguard | Required / Addressable | Action |
|---|---|---|
| Contingency Operations | Addressable | Establish procedures that permit facility access to restore lost data in an emergency. These procedures should be in accordance with the disaster recovery plan and emergency mode operations plan |
| Facility Security Plan | Addressable | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft |
| Access Control and Validation Procedures | Addressable | Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision |
| Maintenance Records | Addressable | Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security, like the hardware, walls, doors, and locks |
| Workstation Use | Required | Implement policies and procedures to specify the functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI |
| Workstation Security | Required | Implement physical safeguards for all workstations that access electronic PHI to restrict access to unauthorized users |
| Disposal of Device and Media Controls | Required | Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored |
| Media Re-use | Required | Implement procedures for removing ePHI from electronic media before the media are made available for reuse |
| Accountability of Device and Media Controls | Addressable | Maintain a record of the movements of hardware, electronic media, and any person responsible for them |
| Data Backup and Storage | Addressable | Create a retrievable, exact copy of ePHI before moving equipment in which it is stored |

If you are looking for support to understand how to implement the HIPAA Security Rule and would like to connect with a HIPAA Expert, please get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

Rules of HIPAA Compliance

Protected Health Information (PHI)

What are the rules of HIPAA Compliance?

Explore the basics of 5 main HIPAA Rules - HIPAA Security Rule, HIPAA Privacy Rule, HIPAA Breach Notifications Rule, HIPAA Enforcement Rule & HIPAA Omnibus Rule

[Infographic: databrackets on Rules of HIPAA Compliance]

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards for all organizations that work with Protected Health Information (PHI) of US Residents. It applies to all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, subcontractors, etc. The scope and applicability of the Act have been amended since 1996 to include additional rules.

The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. To ensure that businesses are informed of best practices, the OCR regularly publishes recommendations on new issues affecting healthcare. It also investigates common HIPAA violations on a regular basis.

The Rules of HIPAA Compliance are:

  1. HIPAA Privacy rule
  2. HIPAA Security rule
  3. HIPAA Enforcement rule
  4. HIPAA Breach Notification rule
  5. HIPAA Omnibus rule

HIPAA Privacy Rule: This rule mandates appropriate safeguards to protect the privacy of PHI and ensures that patient data cannot be used or disclosed without patient authorization. It gives patients and their nominated representatives rights over their PHI, including the right to obtain a copy of their health records or examine them – and the ability to request corrections if required.

HIPAA Security Rule: This rule outlines the standards that covered entities, business associates, and subcontractors must follow to protect PHI that is electronically created, accessed, processed, or stored. These standards are also intended for ePHI when it is at rest and in transit. The HIPAA Security Rule includes physical, administrative, and technical safeguards that organizations are required to implement.

HIPAA Breach Notifications Rule: This rule outlines the protocol that organizations must follow in case of a data breach involving ePHI or PHI. As per this rule, they are required to notify patients when there is a breach of their PHI. They also need to notify the HHS and issue a notice to the media if it affects more than 500 patients. Breach notifications must be made within 60 days and without unreasonable delay following the discovery of a breach. For breaches involving fewer than 500 patients, they must conduct an investigation and report them through the OCR web portal. The OCR requires these reports on an annual basis.

 The HIPAA Enforcement Rule: This rule comes into effect after a breach of PHI or ePHI. Under this rule, the OCR investigates the breach and has procedures for hearings. Penalties may also be imposed on organizations responsible for the breach. Fines are imposed for each violation based on a tiered system. The total value of the fine is related to the number of records exposed in a breach. It also considers the risk due to the exposure of that data and the level of neglect that the organization permitted. Criminal charges may also be laid on organizations that knowingly deviate from HIPAA rules. Additionally, patients who are victims of a breach can also file civil lawsuits under this rule.

 HIPAA Omnibus Rule: The HIPAA Omnibus rule focuses on areas that previous HIPAA updates had overlooked. The most important addition made by this rule was the expansion of HIPAA compliance regulations to include business associates, and subcontractors. This rule also focuses on streamlining Business Associate Agreements (BAAs). A BAA is a contract that must be signed and implemented between covered entities, business associates and subcontractors before PHI or ePHI is shared or transferred.

There are two additional HIPAA rules which focus specifically on electronic data.

a) HIPAA Transactions and Code Set rule: This rule ensures a uniform way to exchange PHI between entities in the healthcare delivery ecosystem based on electronic data interchange (EDI) standards. It is used for all healthcare-related digital transactions.

b) HIPAA Unique Identifiers rule: This rule focuses on Identifier Standards for Employers and Providers. It requires employers and healthcare providers to have standard national numbers to identify them instead of their business names and other identifiers.

If you are looking for support to understand how HIPAA compliance rules apply to your organization and would like to connect with a HIPAA Expert, don’t hesitate to get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.


What is Protected Health Information (PHI)?

Explore the 18 HIPAA Identifiers that constitute PHI or Protected Health Information under HIPAA & learn about de-identifying health data to reduce risk

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a set of mandatory standards to manage the use and disclosure of healthcare data, known as Protected Health Information or PHI. Complying with HIPAA is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, and any Organization that directly or indirectly works with PHI. HIPAA has been amended to include additional rules that expand its scope and applicability.

The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

Protected Health Information (PHI)

Any identifiable health-related data used, stored, maintained, or shared by an entity is considered PHI. It covers every aspect of a patient’s information. The HHS has identified 18 HIPAA identifiers. They are:

(Infographic: PHI Identifiers for HIPAA)

Five HIPAA rules focus on protecting PHI: the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, the HIPAA Omnibus Rule and the HIPAA Enforcement Rule. Each rule has specific safeguards and guidelines to ensure that Protected Health Information is handled with the utmost care.

Organizations that are covered under HIPAA can avoid penalties, fines, and jail time for violating these HIPAA rules by ‘De-identifying PHI’. De-identification means disassociating a patient from their health information. Once it is de-identified, the data set is no longer covered under HIPAA. The organization continues to be covered under HIPAA, but this security measure significantly reduces its risk. The HHS recommends 2 methods to de-identify health data.

If you are looking for support to implement or evaluate your level of HIPAA Compliance, or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.


Who is covered under HIPAA?

Who needs to be HIPAA compliant? Explore the types of organizations covered under HIPAA and the ways in which they are required to maintain compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is applicable to all entities in the Healthcare Industry. It outlines the rules and regulations with regard to the use and disclosure of protected health information (PHI) by organizations in the industry. The Department of Health and Human Services (HHS) regulates HIPAA Compliance while the Office for Civil Rights (OCR) enforces it. While healthcare providers who directly work with patients are aware of the regulation, it is crucial to understand the entire landscape of the healthcare service delivery ecosystem to which the Act applies. The insights below clarify the answer to another commonly asked question: ‘Who needs to be HIPAA compliant?’

There are three types of organizations that need to be HIPAA compliant:

  1. Covered Entities
  2. Business Associates (third-party service providers who work with covered entities)
  3. Subcontractors (Business Associates of Business Associates)

Who is covered under HIPAA?

Covered Entities
Description: A Covered Entity consists of 3 types of organizations that directly work with patients and administer healthcare. They are: A Healthcare Provider, A Health Plan & A Healthcare Clearing House.
Examples:
  • A Healthcare Provider includes Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies… if they transmit any information electronically.
  • A Health Plan includes Health Insurance Companies, HMOs, Company Health Plans, and Government programs that pay for healthcare like Medicaid, Medicare, and Healthcare programs for veterans / military.
  • A Healthcare Clearing House includes entities that process nonstandard health information that they receive from another entity into a standard format (e.g. a standard electronic format / data content) or vice versa.
HIPAA Compliance: Mandatory
Business Associate Agreement: Required between a Covered Entity and a Business Associate / Subcontractor
Penalties, Fines & Jail Time: Applicable & Direct

Business Associates
Description: A “business associate” is a person or entity that performs specific functions or renders services to a covered entity, which involve the use or disclosure of protected health information. A covered entity can be a business associate of another covered entity.
Examples:
  • Services rendered by business associates include: legal; actuarial; accounting; web hosting; managed IT and security services; financial; consulting; management; accreditation; data aggregation; data transmission; administrative; accreditation agencies; medical equipment service companies.
  • Business associate functions and activities include: data analysis, processing or administration; claims processing or administration; utilization review; quality assurance; billing; benefit management; practice management; repricing.
HIPAA Compliance: Mandatory
Business Associate Agreement: Required between a Covered Entity and a Business Associate / Subcontractor
Penalties, Fines & Jail Time: Applicable & Direct

Subcontractors
Description: Business Associates hire subcontractors to process, create, or store PHI. They usually don’t have a business associate agreement or a direct relationship with covered entities. However, because they handle patient data, they need to be HIPAA compliant.
Examples:
  • A hosted service provider like Amazon Web Services is a classic example of a subcontractor. With the increase in cloud-based services, there is an increased dependence on subcontractors by covered entities and business associates.
HIPAA Compliance: Mandatory
Business Associate Agreement: Required between a Business Associate and Contractor
Penalties, Fines & Jail Time: Applicable & Direct

All HIPAA rules are applicable to the healthcare service delivery ecosystem, which consists of organizations that fall into one of these three categories. Even if they are not directly engaged in delivering healthcare services, their employees and vendors need to undergo HIPAA Compliance Training every year to ensure they are aware of the organization’s security protocols and understand their accountability under HIPAA. They are required to have HIPAA-compliant policies and procedures and a Business Associate Agreement (BAA) with the entity that hires them or the entities they hire. They also need to prove that they are complying with HIPAA rules by undergoing an annual attestation.

Organizations under all three categories are required to register with the Department of Health and Human Services (HHS). The Office for Civil Rights (OCR) is authorized to enforce all HIPAA rules, including compliance with new best practices shared by them on a regular basis.

If you are wondering whether your organization is covered under HIPAA or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.


7 Benefits of HIPAA Compliance

Explore the benefits of HIPAA compliance for healthcare providers, healthcare SaaS companies and healthcare business associates. Connect with HIPAA Experts


(Infographic: Benefits of HIPAA Compliance)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines the rules and regulations with regard to the use and disclosure of Protected Health Information (PHI) by all businesses in the Healthcare industry. The Department of Health and Human Services (HHS) regulates HIPAA Compliance while the Office for Civil Rights (OCR) enforces it.

HIPAA Compliance is very beneficial for patients since it ensures their personal and identifiable information is protected from known and potential channels used for cyber-attacks. However, there are several benefits for HIPAA-compliant organizations as well. Some of the numerous advantages for Healthcare Providers, Business Associates, and Subcontractors are listed below.

1. Protect Health Records

HIPAA acts as a benchmark checklist for businesses that work directly or indirectly with Protected Health Information (PHI). It helps them plan a cumulative approach to security and data privacy. The Act equips the Healthcare industry and its allied businesses with the information they need to protect PHI from known, predictable, and potential channels and sources of cyber-attacks. The emphasis on annual staff training and preparation for an unannounced HIPAA audit ensures that businesses stay alert at all times.

2. Prevent HIPAA Violations, Penalties & Fines

Adherence to HIPAA rules helps Healthcare Providers, Business Associates and Subcontractors to prevent HIPAA violations. Since a HIPAA violation leads to fines and jail time, being HIPAA compliant ensures they can protect their organization, personnel, and brand reputation.

3. Enforce a High Security Standard for Vendors

HIPAA compliance is mandatory across the Healthcare delivery ecosystem. This includes mandatory protection of PHI according to HIPAA rules by Business Associates, Subcontractors, and any vendor, even if they have access to only a few elements of PHI like diagnostic images associated with a patient ID. While this may not seem like identifiable information to us, it is a gold mine for hackers, who find ways to locate the personal information associated with the patient ID from other sources.

4. Protect your Brand Reputation & Ensure a Patient-First Approach

Being HIPAA compliant is mandatory not only for Healthcare providers but also for their Business Associates and Subcontractors. This ensures that a patient-first approach is adopted across the Healthcare delivery ecosystem. Since HIPAA is mandatory, an organization’s brand reputation is damaged if they are penalized by the HHS. In order to retain the trust of patients, B2B customers and their brand reputation, it is critical for organizations to evaluate their level of HIPAA compliance regularly.

5. Develop a Security and Compliance Process

Adherence to HIPAA requires regular maintenance of security protocols, with particular emphasis on the security rule and the physical and technical safeguards outlined under it. This is achieved by developing an IT compliance process to review if all the safeguards are in place. Developing this process is beneficial as it allows organizations to detect deviations faster and take corrective actions to prevent a cyber-attack.

6. Ensure Compliance across the Organization

HIPAA mandates specific actions from the IT department and all stakeholders, since its rules, amendments, and regular updates from the OCR make compliance a shared responsibility. The Act is mandatory for all businesses in the Healthcare Industry. As a result, businesses that are HIPAA compliant are protected from known sources / channels of data breaches. This ensures that ignorance of security protocols does not accidentally result in a vulnerability / loophole in the system.

7. Implement Security Best Practices to Prevent Cyber Attacks

The OCR has a subscription service that shares security best practices with organizations, along with regular updates on security measures that need to be revised. This helps organizations stay informed and implement them.

If you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.


What is HIPAA?

Learn HIPAA Basics, amendments to HIPAA and get an overview of HIPAA rules. Connect with HIPAA Experts

(Infographic: Rules of HIPAA Compliance)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards to manage the use and disclosure of Protected Health Information (PHI). It is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, and any Organization directly or indirectly working with PHI.

The Department of Health and Human Services (HHS) regulates HIPAA compliance while the Office for Civil Rights (OCR) enforces it. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

While the Act was passed in 1996, there have been several amendments to keep up with technological advancement:

  • The Security Rule Amendment of 2003, which defines three categories of safeguards:
      – Technical Safeguards
      – Physical Safeguards
      – Administrative Safeguards
  • The Privacy Rules Amendment of 2003
  • The HITECH Act and Breach Notification Rule of 2009
  • The Final Omnibus Rule of 2013

The Final Omnibus rule of 2013 streamlined HIPAA compliance rules to include any business that stores, manages, records, or transfers Protected Health Information (PHI). These businesses are called ‘Business Associates’ under HIPAA. This broad term includes all vendors and subcontractors who directly or indirectly work with Healthcare Providers.

Currently, HIPAA consists of 5 main rules:

  • HIPAA Privacy Rules
  • HIPAA Security Rules
  • HIPAA Enforcement Rules
  • HIPAA Breach Notification Rules
  • HIPAA Omnibus Rule

There are additional rules that relate to transactions and code sets, in addition to unique identifiers. HIPAA compliance focuses on specific data privacy rules to protect sensitive patient data. Its aim is to create a culture in the healthcare industry to ensure protected health information’s privacy, integrity, and security. Annual HIPAA training of all personnel who come in contact with patient data is one of many aspects of the Act that ensures all stakeholders are involved and they understand their role in protecting PHI.

We recommend that IT professionals, CTOs, and CISOs carefully examine the details of the Administrative, Technical, and Physical Safeguards outlined under the Security Rule to ensure their IT systems are HIPAA compliant.

If you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.


Is HITRUST Worth The Investment?

HITRUST certification helps healthcare companies to effectively manage information risk. It is worth it if is considered an investment rather than a one-time cost.


What is HITRUST?

HITRUST, or Health Information Trust Alliance, is a non-profit organization that uses the ‘HITRUST approach’ to help the healthcare industry control data protection standards and effectively manage data, information risk, and compliance. It’s similar to HIPAA, but instead of being written and enforced by the federal government, HITRUST is regulated by a group of healthcare professionals.

HITRUST is a way for the healthcare sector to self-regulate security practices while also fixing some of HIPAA’s shortcomings and providing a PCI (Payment Card Industry)-like enforcement system for businesses to adopt. HITRUST is a recommended framework trusted by many larger healthcare companies, health networks, and hospitals to manage risk along with other frameworks.


Why is HITRUST important?

In the United States, HITRUST is the healthcare industry’s security framework, adopted primarily in hospitals. It sets an industry-wide standard for handling Business Associate compliance. For a variety of reasons, HITRUST is slowly being adopted in the healthcare industry alongside other certifications:

HITRUST is updated daily to keep healthcare organizations up to date on new regulations and security threats. It is the most frequently updated security framework, with periodic updates and annual audit revisions. This ensures that those who follow the HITRUST CSF (Common Security Framework) work tirelessly to ensure their safety.

Some large payers need HITRUST. On February 8, 2016, five major healthcare payers assured their business associates that they would comply with the HITRUST CSF within two years. As a result, companies must consider “what HITRUST entails” and “what changes are needed to be made to achieve and maintain certification.”

HITRUST Certification has the strictest requirements for handling high-risk data, so holding it demonstrates that an entity is a leader in compliance, with the certification to back it up.

Is HITRUST worth it?

HITRUST Certification won’t be easy.

Many business associates will find it challenging to obtain HITRUST CSF certification because the vast majority may be unprepared and caught off guard. This is due to the fact that many organizations, especially smaller vendors, lack the resources to complete HITRUST CSF Certification. Organizations must not only meet the CSF criteria, but a third party must also audit them before being approved, and they must be recertified every other year.

Several businesses are taken aback by the HITRUST certification. Why?

  • Firstly, the cost of assessment and assessor services is high. Budgets are often tight, and data protection may be a substantial investment; the cost might be too steep for small and medium enterprises, and HITRUST might be perceived as more expensive. For larger enterprises, HITRUST Certification could be seen as an investment rather than an expense.
  • Many customers are hesitant to invest in HITRUST because they fear failing.
  • A company choosing to get HITRUST certified must first adopt the HITRUST CSF (Common Security Framework), which is updated regularly with multiple versions. You need to stay on top of the updates and use the right protocols and technologies to be able to use it effectively. This may be a daunting task for many companies.
  • An assessment may include up to 400 control criteria and take up to 8 weeks, depending on the scope and complexity of the company. This may be severely time consuming.

The HITRUST Certification Fee


If you’re looking for a ballpark figure, the best guess is $50,000 to $200,000, not including ongoing recertification costs. However, that range is so wide that it is of little use for budgeting in your business.

The actual cost depends on the scope of the assessment, the organization’s size, the state of its information systems, and the steps taken to prepare for a HITRUST assessment.


What exactly is included in this price?

Costs directly related to:

– Access to the HITRUST MyCSF® portal and its services

– Taking and scoring a readiness assessment

– Conducting a gap analysis, and administering and scoring a validated assessment

Indirect costs incurred as a result of:

– Employee time spent on participation

– Security data recording and updating

– Initial setup

– Developing corrective action plans and remediation initiatives

– Assistance in locating and submitting necessary documents

Why is HITRUST Certification more expensive than other security certifications?

One must factor in the detail-oriented approach, thoroughness, and dependability.

A thorough examination

Depending on the company’s risk profile, a single HITRUST assessment may include up to 400 control criteria. Compare this with the three categories of safeguards required by HIPAA regulations, the 12 PCI DSS compliance requirements, COBIT’s five domains and 37 processes, and the 80-100 controls included in a SOC 2 audit.

The HITRUST CSF blends these and other regulatory standards into a single, overarching risk management and compliance program, which is one of the most tangible benefits of the framework. It combines information management, financial services, technology, and healthcare standards. As a result, businesses can streamline their compliance processes, resolve security concerns across all sectors, and reduce the time and expense associated with maintaining compliance with multiple standards.

Detail-oriented approach

Each control in your organization’s assessment must be reported, assessed, checked, and verified by an accredited external assessor before being evaluated by HITRUST. In addition, each control must be assessed using the HITRUST Maturity Model, which has five levels.

The HITRUST CSF certification process covers much more ground than any other security evaluation. In most cases, 2,000-2,500 separate data points are examined. Throughout this phase, an average of 1.5 hours per control is spent, with the number of controls assessed varying depending on the organization’s size, risk profile, and scope.

Dependability

The HITRUST CSF system was created to give compliance programs more structure and continuity. Recent enhancements have also increased scoring consistency over time and between internal and external assessors.

HITRUST has strict standards for the assessor firms and experts involved in its commitment to solid assurance. Firms must apply for and receive approval from HITRUST to conduct assessments and services related to the CSF Assurance Program and work hard to retain that status.

Certified CSF Practitioners (CCSFP) are HITRUST Approved External Assessors responsible for assessing and validating security controls. They must complete a training course, pass an exam, and retain certification through regular refresher courses. Through this oversight of its assessors, HITRUST helps organizations ensure that the evaluation and certification process is accurate.

Can you have a data breach after a HITRUST Certification?

Anthem, a HITRUST-certified company, was hacked, which resulted in a breach impacting nearly 80 million individuals.

While HITRUST released a statement in its defense that “the healthcare payer did not have a breach in any system or area of the organization that was within the scope of its HITRUST CSF Certification,” some security experts questioned what it meant to be HITRUST certified, given the sheer scale of the breach.

HITRUST Alternatives

The HITRUST CSF is a certifiable and widely accepted security framework with a list of prescriptive controls to demonstrate HIPAA compliance. However, as alternatives to HITRUST, several SMEs comply with other security governance frameworks like the National Institute of Standards and Technology (NIST) framework, HIPAA, SOC reports (SOC 1, 2, and 3, Type 1 and Type 2) and ISO 27001 Certification.

The NIST framework is a set of voluntary guidelines and processes that companies use to reduce the risk of a cybersecurity threat. It aims to improve security and resiliency by implementing 108 security controls to achieve NIST compliance.

Many HIPAA requirements may not be understood in accordance with their intended objectives. HITRUST aims to provide an integrated and holistic approach to demonstrate compliance with HIPAA security requirements.

HIPAA is a federal law with national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Based on the certification goals and requirements of our clients, we offer alternative frameworks such as NIST, ISO 27001 or SOC 2 certifications. Different certifications involve different costs and levels of effort, so it is imperative to consider your size, requirements and budget before you seek certification. If your company falls under a broad range of industries or comes under a regulated industry, SOC 2 may be the best option. If your company processes electronic health information, HITRUST may be the better option.

Talk to us to understand your certification category and learn more.

About databrackets

databrackets certified privacy and security professionals could help your organization comply with a range of Certifications and Compliances that include HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing, FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDPS Cybersecurity Series, ISO 17020, and ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

The American Association for Laboratory Accreditation (A2LA) has accredited databrackets for technical competence in, and compliance with, its Inspection Body Accreditation Program.

databrackets has been accredited by the American Association for Laboratory Accreditation (A2LA) as a Cybersecurity Inspection Body for ISO/IEC 17020:2012 vide its Certificate Number: 5998.01.

The Cybersecurity Inspection Body Program accreditation provides added trust and assurance in the quality of assessments performed by databrackets. A2LA’s third-party accreditation offers an independent review of databrackets’ compliance with ISO/IEC 17020 (Requirements for the operation of various types of bodies performing inspections) as well as its competence in the technical program requirements for the desired scope of accreditation (i.e. SOC 2, HIPAA/HITECH, PCI, etc.).

databrackets received accreditation by the International Accreditation Service (IAS) to provide ISO/IEC 27001 Certification for Information Security Management Systems (ISMS) and joins an exclusive group of certification bodies.

To learn more about the services, read here.