The Health Insurance Portability and Accountability Act (HIPAA) is one of the most well-known and relevant regulatory frameworks affecting the healthcare industry. HIPAA compliance requirements are often stated to be too nebulous—using somewhat vague terminology to describe high-level goals. Instead, the HIPAA cybersecurity framework tends to map their requirements to various other NIST initiatives (which may change without warning).
For example, the HIPAA Security Rule Crosswalk document highlights a set of requirements for asset management in healthcare provider organizations, such as:
- Inventorying physical devices and software;
- Mapping out communication and data flows;
- Cataloguing external information systems;
- Prioritizing resources based on their classification; and
- Establishing cybersecurity roles for the entire workforce.
Each of these asset management topics then references numerous “Relevant Control Mappings” by name—but without specific explanations of their relevance or context to the issue of asset management. This may be because the individual rules being mapped out in this document are, themselves, prone to change as cybersecurity standards for the healthcare industry continue to increase.
With that in mind, how can healthcare providers ensure that they’re meeting HIPAA compliance standards both now and in the future?
Here are a few things that hospitals and other healthcare organizations can do to make their cybersecurity measures meet HIPAA compliance requirements:
Meeting HIPAA Compliance Requirements: Auditing Your Network
To continue with the HIPAA compliance framework excerpted earlier, one of the most important aspects of achieving compliance is knowing exactly what’s on the network. Unidentified assets on a healthcare provider’s internal network can easily become an avenue for attack.
This often means creating a network map that lists out all of the assets on the network and how they are related to one another—complete with a list of all installed software and operating systems. Having this inventory is crucial for identifying potential security gaps like unpatched software or assets running obsolete OSs that are rife with vulnerabilities that an attacker could exploit.
Meeting HIPAA Compliance Requirements: Apply a Policy of Least Privilege to All Resources
Even in healthcare organizations, the biggest cybersecurity risk is still the organization’s own employees. Whether they fall for phishing attacks, share their password information with the wrong person, or directly abuse their access privileges for personal gain, employees with inside access are always one of the biggest threats to any organization’s cybersecurity.
In the HIPAA Security Rule Crosswalk document, it is explicitly stated that, “Access permissions are managed, incorporating the principles of least privilege and separation of duties.” By applying a policy of least privilege to user accounts in the healthcare organization and restricting each person’s access to only the specific databases, apps, and systems that they need to perform their assigned job function, companies in the healthcare industry can minimize their risk and meet critical HIPAA compliance standards.
Meeting HIPAA Compliance Requirements: Using Strong Network Separation
The concept of “defense in depth” is a crucial one for modern cybersecurity initiatives. Modern cyber threats can originate from both internal and external sources—so simply having a good perimeter defense with a strong firewall isn’t enough. Each major database, app, or asset on the network should have its own internal protection methods separating it from the rest.
By using strong network segmentation, healthcare providers can minimize their risk of an attacker being able to move out of the first system they compromise before the cybersecurity team (or the organization’s automated intrusion prevention system) can contain and eliminate the threat. This also helps meet HIPAA compliance standards, as HIPAA’s security rule calls for “incorporating network segregation where appropriate.”
Meeting HIPAA Compliance Requirements: Encrypting Your Data
HIPAA compliance standards specifically call for healthcare providers to ensure that “data-at-rest is protected” and that “data-in-transit is protected.” One of the most easily-applied methods of data protection that can be applied is the encryption of said data.
Encrypting data-at-rest and data-in-flight is more than just a necessity for HIPAA compliance—it’s a good idea for protecting patient data at all times. One of the major goals of any attack targeting a healthcare provider is to hijack their patient data so it can be used for profit. Statistics vary by source, but according to data cited by Forbes, Electronic Health Record (EHR) data “could be worth hundreds or even thousands of dollars.”
While encryption won’t stop an attack or the actual theft of data, it does prevent that data from being useful to the attacker until they can break the encryption. Hopefully, the attacker either:
- Is unable to break the encryption; or
- Takes too long to break the encryption, and that anyone whose data has been leaked will have been able to carry out anti-fraud measures to minimize their personal risk.
Meeting HIPAA Compliance Requirements: Setting Up Regular System Updates
Modern software programs, programming interfaces, and operating systems are massively complex, to the point where no amount of beta testing is ever going to identify all of the bugs and exploits that they have. As new security vulnerabilities are identified in software and firmware alike, the companies that develop these programs continuously release security patches to fix problems.
However, without a set plan for finding and applying these security patches, it’s all too easy for a healthcare provider’s network assets to fall behind the latest security version (or, in extreme cases, be years out of date). This is part of the reason why HIPAA compliance requires “Integrity checking mechanisms [that] are used to verify software, firmware, and information integrity.”
Creating a patch management schedule as well as setting up penetration testing methods helps meet HIPAA compliance requirements—while also helping to close security vulnerabilities that an attacker might easily exploit otherwise.
These are just a few of the ways that healthcare providers can meet key HIPAA compliance requirements. For more information and advice about improving your organization’s HIPAA compliance (and its overall cybersecurity posture), reach out to the Compuquip Cybersecurity team today!
