Disclaimer: This article is neither a magnum opus on data privacy nor legal advice for your company to use in complying with data privacy laws like HIPAA. Instead, it provides background information to help you better understand how CrowdStrike has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.
The HIPAA security rule
Created under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Security Standards for the Protection of Electronic Protected Health Information, otherwise known as the Security Rule, is all about safeguarding individuals’ protected health information (PHI) in electronic formats.
PHI comprises health information that can be used to identify an individual. PHI may also include demographic information, medical histories, physical and electronic health records, and insurance details.
What is the HIPAA security rule?
The HIPAA Security Rule specifies security standards for protecting individuals’ electronic personal health information (ePHI) that is received, used, maintained, or transmitted by covered entities and their business associates.
In addition to adhering to the HIPAA Security Rule, covered entities and business associates must also comply with the Standards for Privacy of Individually Identifiable Health Information, otherwise known as the HIPAA Privacy Rule. Failure to comply with both of these pieces of legislation can lead to various civil or criminal penalties.
To satisfy the HIPAA Security Rule requirements, administrative, technical, and physical safeguards must be put in place to help healthcare providers with data loss prevention and preserve the confidentiality of electronic protected health information (ePHI). Let’s look more closely at each type of safeguard.
Administrative safeguards address many aspects that govern ePHI protection, such as internal actions, policies, and procedures. They also specify how employees should treat an individual’s health information. There are nine standards to adhere to, as follows.
The security management process
The security management process aims to prevent and correct security violations through policy implementation. It covers the following specifications:
- Risk analysis
- Risk management
- Sanction policy
- Information system activity review
Assigned security responsibility
Assigned security responsibility refers to the responsibilities of the cybersecurity personnel who implements the HIPAA Security Rule and develops all policies and procedures required by it. The designated official may fill both the security officer and privacy officer roles.
This policy ensures all covered employees have access to ePHI. It also covers clearance and termination procedures for managing an individual’s private information. The policy ensures that users and computer systems have permission to view ePHI.
Information access management
Like workforce security, information access management authorizes employees’ access to ePHI. It follows the principle of least privilege, where only verified officers have access to data at a specific time.
Security awareness training
Administrative safeguards or other cybersecurity policies are ineffective without operational knowledge. Training on security awareness keeps healthcare staff updated on the relevant cybersecurity procedures. It also helps define employee responsibility in enforcing the HIPAA Security Rule. The training generally covers:
- Security reminders
- How to keep safe from malicious software
- Log-in monitoring
- Password management
Security incident procedures
Incidents are defined as “attempted or successful authorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” This standard defines the procedures for identifying and containing security incidents.
The contingency plan
The contingency plan is an administrative safeguard that aids to ensure that ePHI data is available even when emergencies (i.e. fire, vandalism, natural disasters, system failures) happen. Contingency plan standards include:
- A data backup plan
- A disaster recovery plan
- An emergency mode operation plan
- Testing and revision procedures
- Applications and data criticality analysis
The process for monitoring and evaluating systems under the Security Rule is called evaluation — an ongoing process that monitors the environment affecting ePHI security.
Business associate contracts and other arrangements
Business associates of organizations complying with the HIPAA Security and Privacy Rules may need to provide written assurances of ePHI protection.
Physical safeguards manage the information security aspect of the HIPAA Security Rule. These safeguards protect the physical structure and devices where you store ePHI. It’s not a one-size-fits-all approach, as the specific physical measures depend on the size of the organization and the nature of the healthcare practice. In general, physical safeguards cover a few areas.
Facility access controls
Facilities are required to manage access to where patient information is physically located. This requirement identifies the individuals, methods (door locks, security officers, video monitoring, etc.), and contingency operations for controlling access to physical facilities. The policy addresses:
- The facility security plan
- Access control and validation procedures
- Maintenance records
Workstation use and device security
Workstation security considers the use and security of computers and workplace tools for storing ePHI. HIPAA security requirements consider the environment, workflow, and type of workforce (onsite or offsite) that can access ePHI.
Similarly, device standards explain how to handle electronic media and hardware systems that contain ePHI within and outside the workplace. As a core requirement, device security manages electronic media disposal and reuse. Media disposal specifies the methods for erasing data, while media reuse defines the procedures for reusing electronic media storing ePHI.
Other device security requirements are:
- Accountability (the records for hardware and electronic media).
- Backup and storage (creating accessible copies of ePHI).
This is the technical aspect of the HIPAA Security Rule safeguards. Technical safeguards protect the technology storing patient data. They don’t specify which technology solutions entities must use, but they do outline the specific aspects technology tools must protect.
To implement technical safeguards, you need to address the following standards.
Access and audit controls
Access controls allow access only to those persons/software programs that have been granted access rights The standard helps organizations identify and track the activities of users. Access controls also include emergency procedures for retrieving ePHI. Automatic logoff (a policy for terminating electronic sessions) alongside encryption and decryption processes are other requirements that constitute access controls.
Audit controls provide comprehensive reports about software and hardware activity related to ePHI, helping organizations know when specific users access particular files.
Authentication and integrity controls
Technical safeguards also address authentication and integrity. Authentication ensures a user’s identity or credentials are correct, while integrity protects ePHI from unsanctioned alteration, destruction, or corruption.
If your organization works with patient data, then it must implement technology platforms that automatically check for data integrity, such as checksum verification or digital signatures. The standard also requires multi-factor authentication (MFA) as a way to double-check a user’s identity before granting them entry to internal systems.
Transmission security protects ePHI in motion. It covers email, browser, and endpoint network protection. The major HIPAA security requirements here are integrity controls and encryption. The former prevents data modification while the data is in use, while the latter ensures data protection during transmission using a secret code.
CrowdStrike and HIPAA
While implementing the HIPAA Security Rule provides many benefits, maintaining compliance can be challenging for healthcare organizations and other covered entities. Hindrances include internal and external threats, as highlighted by a 2016 survey from HealthITSecurity.
Insiders or employees are normally implicitly trusted to access systems and applications so that they can be more productive, especially when working remotely. But unfettered access also opens the door for cybersecurity gaps that can be exploited. Moreover, threats might not even carry malicious intent; they can simply be errors. For instance, a recent Data Breach Investigations Report by Verizon stated that healthcare industry employees are two and a half times more likely to mistakenly access data they shouldn’t be able to, rather than to maliciously abuse their access.
Implementing solutions like CrowdStrike Falcon® can help healthcare organizations prevent, detect and respond to cybersecurity incidents, protecting their ePHI against advanced persistent threats (APTs), ransomware, and other threats. Falcon combines next-generation antivirus (NGAV) and endpoint detection and response (EDR) to protect data. In addition, Falcon® Device Control can enforce safe device usage and accountability. Device control gives you contextual visibility of USB devices, helping you prevent unwanted disclosure or manipulation of ePHI. Taken further, you can even block the device itself, preventing unauthorized access to data or the introduction of malicious software. Falcon Fusion, a part of the CrowdStrike Falcon® platform, automates complex incident response workflows, reducing the mean time to remediate incidents. Enterprises also look into adopting HIPAA-compliant firewalls and encryption policies for effective network monitoring.
Irrespective of internal cybersecurity policies, security incidents are inevitable. Hence, the need for incident response plans to mitigate security incidents and breaches involving ePHI quickly. CrowdStrike Falcon® provides an incident response (IR) plan to identify, contain, and respond to incidents and breaches involving ePHI in line with HIPAA tenets. It also offers connectors for integrating security information and event management (SIEM) tools with CrowdStrike Falcon®, enabling you to track data and detect real-time security anomalies.
Overall, your approach to HIPAA Security Rule compliance must be holistic, ensuring you uphold all requirements and safeguards without forgoing your company’s objectives and business goals.