Data Privacy & Security in Healthcare. Who needs to comply with HIPAA?

 

The Health Insurance Portability and Accountability Act (HIPAA) is one of the key documents for every CISO working in healthcare. Written over 20 years ago, long before smartphones, Wi-Fi or Google were invented, it still regulates healthcare information security in the industry. Learn how it is applied nowadays to ensure secure medical care.

Why is data security important in healthcare?

Name. Address. IDs. Prescriptions. Photos. 

It’s just a fraction of the data healthcare organizations had, have and will have about their clients. Unauthorized access to such information can result in severe consequences for the individual whose data is disclosed. They may face identity theft, fraud, theft of money, as well as moral damage. Research has found that health records from hospital data breaches can cost hundreds of dollars each on the black market.

For a healthcare organization, the stakes are high when it comes to patient data security issues. Security breaches in healthcare result in expenses for independent forensic experts, internal investigation, communication with both employees and clients, settlements, and fines. Ultimately, reputational damage and loss of customer trust hit the long-term profit of the organization.

That is why the CISO role is of utmost importance in the healthcare business. It is their job to develop a system that adequately mitigates risks and protects against anticipated threats.

What is data security for PHI?

HIPAA protects health data (PHI) by regulating how it is used, maintained, stored, or transmitted by a HIPAA-covered entity (a healthcare provider, a health plan or health insurer, a healthcare clearinghouse) or a business associate of such an entity.

PHI stands for Protected Health Information, and under HIPAA it covers any information related to the health status of an individual. It includes medical records, health histories, lab test results, and medical bills. PHI is protected regardless of the form it takes, including physical records, electronic records, or spoken information. Once health information includes individual identifiers, it becomes PHI and is protected under HIPAA.
There are 18 PHI identifiers:
  • Name
  • Address (including subdivisions smaller than a state, like a street address, city, county, or zip code)
  • Any dates (except years) that are directly related to an individual. This includes the birth date, date of admission or discharge, date of death, or the exact age.
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Vehicle identifiers, serial numbers, or license plate numbers
  • Device identifiers or serial numbers
  • Web URLs
  • IP address
  • Biometric identifiers such as fingerprints or voiceprints
  • Full-face photos
  • Any other unique identifying numbers, characteristics, or codes.

HIPAA-covered entities and their business associates must comply with the confidentiality, integrity, and availability requirements for electronic PHI (ePHI). Confidentiality means ensuring that ePHI is not illegally disclosed without proper patient authorization. Integrity means ensuring that ePHI that is transferred or maintained by a healthcare organization can be accessed only by appropriate and authorized parties. Availability means allowing patients to access their ePHI under the HIPAA security standards.

A line between PHI and not PHI

It is often believed that all health information is considered PHI under HIPAA, but there are some exceptions. 

HIPAA only applies to the covered entities and their business associates. It means that if health information is not shared with such entities, it is not considered PHI.

Let's take health trackers (either wearable or mobile app) that record health information such as heart rate or blood pressure as an example. Unless the device manufacturer or app developer shares this data with a HIPAA-covered entity, it is not considered PHI under HIPAA.

HIPAA does not apply to education or employment records. A hospital may hold data on its employees, which can include some health information like allergies or blood type, but it is not classified as PHI.

If PHI is stripped of all the identifiers that can tie it to an individual, it becomes de-identified PHI, and the HIPAA rules no longer apply. 
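The stripping step described above can be sketched in code. This is an added example, not part of the original article: the flat record layout and field names are assumptions, and the free-text patterns are heuristics that illustrate why notes fields need a separate check.

```python
import re

# Direct identifiers from the article's list (field names are assumed).
DROP_FIELDS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address", "photo",
}
# "Any dates (except years)": these fields are generalized to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Heuristic patterns for free-text leaks; they miss names written in prose.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def scrub_text(text):
    """Mask identifier-like substrings; return (masked_text, labels_found)."""
    hits = []
    for label, pattern in TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[{label.upper()}]", text)
        if count:
            hits.append(label)
    return text, hits

def deidentify(record):
    """Return (clean_record, report) for one flat patient record."""
    clean, report = {}, {"dropped": [], "text_hits": []}
    for key, value in record.items():
        if key in DROP_FIELDS:
            report["dropped"].append(key)
        elif key in DATE_FIELDS:  # ISO date string -> year only
            clean[key.replace("_date", "_year")] = int(str(value)[:4])
        elif isinstance(value, str):
            clean[key], hits = scrub_text(value)
            report["text_hits"].extend(hits)
        else:
            clean[key] = value
    return clean, report

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Roe", "street": "12 Elm St", "state": "OH", "zip": "45501",
    "phone": "555-201-4477", "mrn": "MRN-0042", "birth_date": "1984-06-02",
    "admission_date": "2023-03-14", "diagnosis": "I20.9", "heart_rate": 88,
    "note": "Pt called from 555-201-4477 on 2023-03-14; email jane.roe@example.org.",
}
```

The report shows that the phone number and admission date removed from the structured fields were still present in the note, which is the usual place identifiers survive a field-level strip.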

What is a data breach in healthcare?

A data breach in healthcare means that one or more records are at risk of being exposed or are known to have been accessed or disclosed without authorization. Potential access to the data also counts as a data security breach.

Big data security breaches happen yearly, targeting even the biggest healthcare companies. A single attack on the American Medical Collection Agency affected 25 million patients.

Research shows that ransomware and SQL injection attacks are the most common causes of a healthcare data breach. They often occur when stressed and/or unaware employees fail to identify malicious emails, websites or software.

Another common challenge is compliance with the user authentication policy. Healthcare professionals use multiple shared workstations, which can often lead to unintentional disclosure of information. Healthcare data security is not, and should not be, their number one priority. It is the CISO’s job to provide an access management solution that is both secure and easy for the end users.

Solution For Secure Healthcare

Hideez developed a top-notch authentication solution specifically for the healthcare industry. It ensures patient data security in a potentially risky environment of shared computers accessed by multiple concurrent users. 

A password manager feature built into a Hideez key protects the users from phishing attacks by providing passwords only for trusted domains. The key also offers an extra layer of personification and advanced wireless proximity controls that make data protection in healthcare more achievable. Unattended computers are one of the hardest challenges CISOs have to address under HIPAA in the healthcare industry. It boils down to the human factor, and a simple timeout is not enough.

With proximity controls, you have an elegant way to lock the computer once it is no longer in use. A healthcare professional just needs to take three or four steps away from the computer for it to lock automatically. Take the data-security cognitive load away from medical professionals. Simply use the Hideez key to free your colleagues from passwords and save their time.