HIPAA and Data Protection in Healthcare | By: David Stonehill, CTO, NetLib Security

Share

Healthcare organizations face many challenges: they must protect patient privacy, deliver quality care, and meet strict regulations. These organizations, which include medical device manufacturers, are trusted to safeguard incredibly sensitive information, a task that carries immense responsibility.

The healthcare sector remains particularly vulnerable to cyberattacks, given its handling of a substantial volume of Personally Identifiable Information (PII), Protected Health Information (PHI), and Electronic Health Records (EHR). Lacking the necessary expertise to protect this critical data creates a wide-open avenue for significant numbers of potential cyberattacks.

In fact, medical device security has become the weakest link, with half of all connected medical devices in healthcare organizations unmanaged. Due to the Internet of Medical Things (IoMT) devices have a remarkably low barrier to entry. It’s no surprise that attackers are able to exploit inherent vulnerabilities in these unmanaged endpoints. Similarly, while electronic media devices (EMDs) help better manage our healthcare are priceless, they also create a wide attack surface for cyberthieves.

Critical Insight reports that from January to June 2023, there were 308 healthcare data breaches reported to the federal government. While this is a 15% decrease compared to 2022 in the number of breaches, the total number of individuals affected by these breaches has actually increased.

The first half of 2023 saw an average of 131,000 individuals impacted per breach, fueled in large part by the incident at Managed Care of North America which affected 8.9 million individuals and at PharMerica which affected 5.9 million individuals, the third and fourth largest breaches ever recorded, respectively.

The healthcare industry consistently has the second-highest number of data breaches each year, exceeded only by the business sector. However, healthcare has accounted for the highest number of records exposed. This raises a fundamental question: despite the healthcare industry’s reputation for implementing intricate regulations, such as HIPAA compliance, why do so many data breach incidents continue to occur?

Types of Data Breaches in Healthcare

Breaches are most commonly due to:

  • Unsecured Networks – Networks lacking proper security measures can be easily breached, resulting in one of the leading causes of data loss in the healthcare industry.
  • Insufficient Training – Insufficient security training and little familiarity with best practices can lead to errors and vulnerabilities. Employees’ lack of awareness of the impact of weak passwords and of proper security protocols can put the organization at risk of being attacked.
  • Unencrypted Data – Healthcare organizations handle and store sensitive patient information on a regular basis. If this data were saved as unencrypted plain text, hackers could easily access private records through a network breach. That is why it is critically important to encrypt all patient data, so that even if a hacker were to access sensitive data files, the data contained within would be useless.
  • Malicious Software – Hackers can use malicious software, such as ransomware and viruses to infiltrate the networks of healthcare organizations and gain access to the healthcare organizations’ networks.

What happened in 2023 cybersecurity breaches?

In the case of Managed Care of North America (MCNA), a dental insurer, investigators determined that an unauthorized third party was able to access certain systems within its IT network between February and March of 2023. The attack gave them access to full names, Social Security numbers, insurance information, licenses, and dental/orthodontic care details.

The PharMerica Corporation was also attacked by hackers in March. Cyberthieves entered the network and may have stolen personal information like names, Social Security Numbers, medication details, and insurance information. PharMerica says it has implemented additional technical cybersecurity safeguards to prevent similar incidents in the future. Nevertheless, this was the largest healthcare data breach to be reported by a single HIPAA-covered entity in 2023.

How do we protect against attacks like this? Are there guidelines? Procedures? The answer is yes – outside of user awareness and training, there are strict guidelines from HIPAA Compliance.

So what does HIPAA encompass and how do you know if you’re compliant?

What is HIPAA?

If you work in healthcare, you’ve probably heard the term HIPAA (or Health Insurance Portability and Accountability Act). In 1996, a law was passed that required a combined effort between the U.S. government and healthcare companies that work with sensitive patient health information. It required organizations to implement and follow a required set of encryption security standards against breaches for electronic protected health information (ePHI). HIPAA mandates encrypting all data at rest, and ePHI necessitates AES-128 or stronger encryption for safeguarding sensitive information.

HIPAA compliance in 2023

New HIPAA regulations are enacted fairly frequently; however, in recent years the changes have had minimal impact on HIPAA Compliance. The last major update was back in 2013 when the HIPAA Omnibus Final Rule was introduced by the Department of Health and Human Services (HHS), which changed the breach standard from a “significant risk of harm” to a “probability that data was compromised.”

These rules had not been substantially updated to keep up with the big changes in technology as well as cyber-criminal activity since that time. In April 2023, HHS issued proposed changes to the rule to help further protect PHI data and privacy. The changes to Final Rule are expected to go into effect by the end of 2023.

What is changing?

  • Right to access – this new rule expands the right for patients to inspect and take notes of their PHI, including taking photos. The response time for PHI requests has been reduced from 30 to 15 days.
  • Information sharing and care coordination – this new rule enables patients to make a request to providers to share their EHR with other providers/insurers when necessary.
  • Notice of privacy practice – this piece of the update aims to ease the administrative pressure by modifying the requirement that mandates providers obtain a patient’s written acknowledgement of their notice of privacy practice.

For more information on the proposed modifications to the HIPAA Privacy Rule check out this Fact Sheet from the HSS. From a technology standpoint, you will need to know exactly where your patient data is. How do you prepare for this? Assess your compliance and diligently fill in any gaps you find.

Encryptionizer’s Role in HIPAA Compliance

Those in the healthcare industry must take HIPAA compliance seriously. Not complying may result in significant fines. In the worst case scenario, a facility may have to shut down and cease admitting patients. Maintaining compliance with healthcare regulations is one of the best ways to prevent a data breach.

Safeguard your reputation, reduce regulatory risks, and secure sensitive patient and employee information with our Encryptionizer solution. Our high performance data security software can help you protect your patient data:

  • With virtually no impact on performance
  • With no additional programming
  • In various healthcare environments (physical, virtual, and cloud)
  • Without breaking the budget
  • Installing quickly with just a few clicks.

About NetLib Security

NetLib Security has spent the past 20+ years developing a powerful, patented solution that starts by setting up a formidable offense for every environment where your data resides: physical, virtual and cloud. Our platform simplifies the process while ensuring high levels of security.

Simplify your data security needs. Encryptionizer is easy to deploy. It is a cost-effective way to proactively and transparently protect your sensitive data that allows you to quickly and confidently meet your security requirements. With budget considerations in mind, we have designed an affordable data security platform that protects, manages, and defends your data, while responding to the ever changing compliance requirements.

Data breaches are expensive. Security does not have to be.

NetLib Security works with government agencies, healthcare organizations, small to large enterprises, financial services, credit card processors, distributors, and resellers to provide a flexible data security solution that meets their evolving needs. To learn more or request a free evaluation visit us at www.netlibsecurity.com.

Editor’s Note: David Stonehill is the CTO of NetLib Security, a security software development company that offers a number of data protection products including Encryptionizer®, which transparently encrypts data-at-rest in SQL Server, PostgreSQL, and nearly any Windows-based application. A graduate of Cornell University, David has led development groups at MCI, The Associated Press, and The BoxOffice Company.

Read more