U.S. HHS Cracks Down on HIPAA Non-Compliance
The healthcare industry is one of the most heavily regulated business types today. To secure electronic protected health information (ePHI), organizations look to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act. But they must also protect personal information, financial, and payment data in compliance with a variety of regulations including the Payment Card Industry (PCI) Data Security Standards (DSS).
Major 2014 fines
This past year, the U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR) started fining and settling with healthcare organizations for HIPAA non-compliance. While the organizations had adopted HIPAA policies and procedures, they often failed to follow up with regular reviews of ePHI for risks, vulnerabilities, and unpatched software. For example, a community mental health service in Alaska was recently fined $150,000 for failure to patch software. And earlier in 2014, two New York hospitals settled fines totaling $4.8 million for protected data being made accessible through public search engines when servers were deactivated without appropriate technical safeguards.
The expansion of electronic medical records (EMR) and the use of portable devices, virtual systems, and cloud services are often outpacing the implementation of security technologies. Along with those trends comes the increased risk of unauthorized exposure of sensitive protected data. It’s true that the HIPAA Security Rule is largely non-prescriptive when it comes to specific security procedures, leaving organizations on their own to determine and implement best practices. But the HHS-OCR penalty fines should be a wake-up call to healthcare organizations to implement comprehensive and stringent security procedures and to make security a daily practice.
One of the challenges in migrating to electronic records is overcoming attitudes developed over decades of reliance on paper records. While there was rarely much security around paper records, stealing them would have required physically entering healthcare facilities and gathering records individually. The connectivity that allows near-instant access to EMR for improved patient care can also expose those same records to near-instant mass theft from anywhere in the world.
In 2013, 43.8 percent of all major data breaches targeted healthcare data – the first time that healthcare was listed on the Identity Theft Resource Center’s list. And in 2014, that statistic held nearly steady at 42.5 percent. Organizations must have and enforce a comprehensive security policy, including a commitment to continuous monitoring for vulnerabilities and rapid remediation. It is no longer sufficient to just scan, audit, and patch Windows targets for HIPAA compliance; a more comprehensive approach is needed across all computers, network devices, firewalls, databases, and mainframes.
In February 2014, Experian published the 6th Annual HIMSS (Healthcare Information and Management Systems Society) Security Survey of information technology and security professionals from U.S. healthcare organizations. The threat to ePHI is high; 56 percent of respondents were concerned about viruses, malware, and disruptive software; 51 percent said that device functionality was a concern; 56 percent were worried about hacking attacks, and 66 percent noted that software vulnerabilities or errors were a threat. Clearly the risk is increasing and security budgets are not necessarily keeping pace.
Ninety-nine percent of professionals surveyed in the Experian report said that they have at least one security tool tested and in place. Total security cannot be achieved by using just one technology such as a firewall or user access controls; stronger protection is required, and technologies must be combined to provide the maximum protection: technologies such as encryption of sensitive data, intrusion detection and prevention systems, continuous network monitoring, endpoint defenses, and two-factor authentication.
For more information on how Tenable can help with HIPAA monitoring and HITECH compliance, see the paper, Tenable Product Evaluations Application: HIPAA.