HIPAA Security Rule: Protecting Privacy and Improving Patient Care

By: Absolute Editorial Team | 10/2/2018

In my previous post, we looked at the HIPAA Privacy Rule, which mandates data protection of health information as a civil right. Boiling the rule down to its simplest form, HIPAA Privacy lays out what data requires protection and who is held accountable for keeping it confidential. However, it’s the HIPAA Security Rule that tells us how that data must be protected.

Three Security Safeguard Categories

The Security Rule calls for specific safeguards across three primary categories:

  1. Administrative
  2. Physical
  3. Technical

Administrative safeguards are the procedures, training, and processes that foster data privacy and align with HIPAA standards. Physical safeguards are used within material structures (server cages, workstations, etc.) that enable data security on the tangible attack surface. Technical safeguards are the techniques used, whether deployed with humans or technology, to control access to and the use of PHI.

As with all things in security, these safeguards are far from a one-and-done exercise. Data and devices are constantly on the move: continuous visibility is key.

When we hear about a government agency ‘providing guidelines’, we think one thing: compliance. Or more accurately, two things: compliance and the staggering costs to comply. This is valid thinking of course – the high price tags associated with HIPAA violations are intentionally painful to offending organizations.

Avoiding fines for failed compliance, along with the short- and long-term expense of a data breach, remains a top priority because dollars paid to cover penalties are no longer going to patient care. For organizations handling PHI, new, forward-thinking technologies demonstrably show the impact on outcomes and help to create an integrated health ecosystem that enthrones the patient as everyone’s primary objective. According to the Department of Health and Human Services, the whole purpose of the Security Rule is to “protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care”. To be sure, strutting along the tightrope of superb care and maniacal data protection is no easy task.

Complying with HIPAA requires significant planning, resources, teamwork, and continuous vigilance. Thankfully, enforcement agencies recognize this burden. Recently, penalty waivers were granted to providers along the East Coast serving the recovery effort after Hurricane Florence. However, the waiver was only connected to the HIPAA Privacy Rule, to encourage sharing critical information to save lives; the Security Rule remained in full force. The Security Rule’s safeguards, HHS reasoned, should already be in place before any emergency, so waivers were withheld for those violating the foundational security safeguards for PHI.

Hungry for more? My latest video on Cybersecurity Insights provides quick hits on the HIPAA Security Rule. If you’re a greenhorn to HIPAA or if you’re the kind of person who can audit in your sleep, the video gives you a fresh perspective on how we approach the HIPAA Security Rule.

Subscribe to the YouTube channel and stay up-to-date with the latest guidance for your healthcare organization’s cybersecurity disciplines.


Video transcript:

Welcome back! Josh here from Absolute.

If you recall last time we saw how the HIPAA Privacy Rule tells us WHICH data need protection.

In this episode, we'll explore the HIPAA Security Rule to see HOW to protect that data.

The Security Rule spells out safeguards that are like having a map, a compass and coordinates that guide you toward Data Protection Utopia.

There are three safeguard buckets:

- Administrative,
- Physical and
- Technical.

Administrative safeguards create an atmosphere where data protection is just woven into the day-to-day operation.

Physical safeguards are the observable and tangible garrisons for PHI. Things like locked rooms, server cages, secure workstations, disposal facilities...

Then, there are Technical safeguards, where technology itself gets pressed into service to shield our most valuable data.

Access Controls enable users to get to the minimum necessary to prevent unauthorized access to PHI.

Audit Controls are the hardware, software and procedures that examine systems to validate those defenses. That's right! There is a federal law demanding that every device, app, server, network connection and so forth, all go under the microscope.

Integrity controls help to make sure that health data is never altered or destroyed in any unauthorized way. This is probably the biggest challenge when scaling Mt. HIPAA-Compliance.

Recently a federal judge upheld a penalty for more than four million dollars on a world-renowned health care provider, when they were unable to prove that a missing laptop was secure.

That's expensive!

Administrative, Physical and Technical safeguards are not suggestions, but legal requirements for anyone working with health data.

Protecting PHI is hard. Protecting PHI on far-flung devices is even harder! But when you have a line-of-sight and continuously monitor all the pockets where PHI can hide, you can leap over those hurdles and satisfy the Security Rule.



