The Health Insurance Portability and Accountability Act (HIPAA) has big consequences for organizations of all sizes. Companies and institutions that don’t guard employees’ healthcare data may be subject to large fines, patient attrition, brand damage, and lawsuits. For security professionals, a big breach of PHI (personal health information) can become a fast track to a short career.
This situation has become critical because organizations are retaining more healthcare records than ever, and this data presents an appetizing target to cyber criminals. This makes the need to understand and comply with HIPAA requirements even more urgent. A new white paper, “Protecting HIPAA Compliance in an Age of Advanced, Targeted Cyber Threats,” outlines what your organization needs to know about HIPAA privacy and security with information that can help ensure your organization stays compliant. Here are some important factors to consider:
- HIPAA isn’t just health insurance records. Data such as employee social security numbers, addresses, and phone numbers are also classified under HIPAA. If your company is hacked (or a laptop with employee information is stolen), there could be serious consequences for your organization.
- There’s a huge black market on the darknet for what’s called protected health information (PHI). PHI can be sold, allowing an identity thief to either go to the hospital under a fraudulent name or, more commonly, file a fake tax return using someone else’s stolen information.
- Reporting HIPAA breaches is mandatory — if you don’t let the government know a breach happened, your organization is on the hook for even more fines.
- A strong cybersecurity defense in your organization, combined with proactively protecting employee data, can sharply reduce the risks of a HIPAA violation.
The white paper discusses ways to protect the HIPAA data inside your organization. In addition to educating employees on the importance of observing security best practices, a big part of HIPAA readiness is deploying effective next-gen endpoint security. The CrowdStrike Falcon® platform has been validated by the independent cyber risk assessor, Coalfire, for assisting healthcare organizations with HIPAA compliance. Falcon’s combination of next-generation antivirus (NGAV), endpoint detection and response (EDR) and managed hunting helps organizations protect their data and comply with HIPAA requirements.
HIPAA regulations define 11 different “protected items” in health insurance records (per the safe-harbor method of de-identification). These protected items include employee or member names, addresses, driver’s license numbers, medical record numbers, diagnoses, drug information, prescriptions, treatments and more.
HIPAA also calls for these records to have portability — if an organization switches to a new system, the data must be able to migrate.
Pairing Next-Gen Endpoint Protection with Robust Internal Policy is Key
There’s one additional challenge for taking care of HIPAA compliance, even if your company has nothing to do with healthcare. The risks associated with HIPAA non-compliance are especially important for medium- and large-sized companies. At these organizations, sensitive data may be stored in a variety of different silos accessed by a wide range of employees. If this data is breached, it can lead to brand-damaging media attention. This means organizations need to straddle a fine line between making data accessible for employees and preventing embarrassing data leaks.
This is why platforms like CrowdStrike Falcon are so important: Paired with a robust internal policy that goes after pain points such as unsecured data, employees looking at data on unsafe devices, and weak recordkeeping, organizations can use advanced security solutions to ensure that sensitive data stays inside the organization.
It’s a good idea to take progressive steps towards HIPAA compliance in your organization if it is not there already. Take into account things such as employees looking at sensitive information on their smartphones or home computers, educating employees on spear phishing, and making sure your cybersecurity protection is up to date.
Learn more about CrowdStrike Falcon’s ability to ensure your data is protected and your organization stays HIPAA compliant: Download the white paper “Protecting HIPAA Compliance in an Age of Advanced, Targeted Cyber Threats.”