Building the Right IT Strategy to Comply with HIPAA’s Technical Safeguards


This year is the Health Insurance Portability and Accountability Act’s (HIPAA) 25th anniversary. It’s probably not an anniversary you’re excited about celebrating, especially because this law has grown stricter and more punitive since its passing. Many healthcare organizations still scramble to keep up with evolving security, privacy, and regulatory requirements—all to avoid breaches of patient data, large fines, and regulatory investigations.

However, an IBM Security study notes that the average cost of a data breach for healthcare organizations is $7.13 million—the highest for any industry. The same study also noted that “healthcare had the highest average time to identify and contain a breach, at 329 days.” This means, despite HIPAA’s quarter century of existence, healthcare organizations are still struggling to prevent and detect data breaches.

In this article, we want to focus on HIPAA’s technical safeguards (§ 164.312) and the Health Information Technology for Economic and Clinical Health Act’s (HITECH) data breach notification requirements (Sec. 13402) that were added to HIPAA in 2009. Your organization’s compliance officer will know these laws inside and out. However, the “how” can often make even the organizations most willing to comply stumble. We will go over a few areas of each law and how your IT can help you meet these standards.

1. Access Control Policies

HIPAA says that organizations must “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights…” To prevent unauthorized access, you need to focus on:

  • A password policy: During a recent Covenant HealthCare data breach that exposed 45,000 records, MLive reported “the FBI discovered that a person was attempting to sell login and password access to Covenant’s network on the dark web, which included two email accounts that were breached using a password ‘spray attack.’” This means that hackers were trying (successfully) to breach accounts using common passwords. Weak passwords are still a major source of breaches for healthcare organizations. Strong, complex passwords or passphrases, regularly changed passwords, and Two-Factor Authentication (2FA) are needed to shore up this common access control gap.
  • Unique user accounts: HIPAA uses the term “unique user identification.” That means you are required to have one set of unique user credentials for a person to access information. In many cases, organizations share passwords or set up generic user accounts. HIPAA does not permit such accounts because of potential security and privacy abuses. You need IT professionals overseeing the creation of new user accounts, changes to existing user accounts, and deactivating user accounts.
  • Automatic logoffs: HIPAA says organizations must “implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” This eliminates a security vulnerability where a person might sit at an employee’s desk and access unauthorized information. Computers should lock automatically after a short period of time to avoid such access.
  • Logging and auditing user activity: With the above protocols in place, it then becomes easier to log and audit user activity to look for suspicious behavior. Is someone logging into your system at a strange hour? Is an unknown user accessing data? Is someone downloading an unusual amount of data? By monitoring and auditing such data, you can detect suspicious user activity sooner and not become one of the healthcare organizations that takes over 300 days to detect a data breach.
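The three questions in the last bullet (strange hours, unknown users, unusual download volume) can be turned into a first-pass audit review. The script below is an added example, not code from the article or from VC3; the log format, the user directory, the business-hours window and the download threshold are all constructed assumptions that a real deployment would replace with its own exports and policy values.

```python
"""First-pass review of an access audit log for the three signals above.
Constructed example: log format is 'ISO-timestamp user event bytes',
where event is 'login' or 'download' (assumption, not a real product format).
"""
from collections import defaultdict
from datetime import datetime

KNOWN_USERS = {"jsmith", "mlee", "svc_backup"}   # assumed directory export
BUSINESS_HOURS = range(7, 19)                    # 07:00-18:59, assumed policy
DOWNLOAD_LIMIT = 500 * 1000 * 1000               # 500 MB per user per day, assumed

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2021-04-12T08:15:02 jsmith login 0
2021-04-12T09:40:11 jsmith download 120000000
2021-04-12T02:05:45 mlee login 0
2021-04-12T10:12:00 rthompson login 0
2021-04-12T10:30:00 jsmith download 400000000
2021-04-12T11:00:00 mlee download 1000
"""

def parse(line):
    ts, user, event, nbytes = line.split()
    return datetime.fromisoformat(ts), user, event, int(nbytes)

def review(log_text, known_users=KNOWN_USERS, hours=BUSINESS_HOURS, limit=DOWNLOAD_LIMIT):
    """Return a list of (user, reason) findings for a reviewer to triage."""
    findings = []
    daily_bytes = defaultdict(int)   # (user, date) -> bytes downloaded so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, nbytes = parse(line)
        if user not in known_users:
            findings.append((user, f"unknown user at {ts.isoformat()}"))
        if event == "login" and ts.hour not in hours:
            findings.append((user, f"off-hours login at {ts.isoformat()}"))
        if event == "download":
            key = (user, ts.date())
            before = daily_bytes[key]
            daily_bytes[key] += nbytes
            # report once, when the cumulative daily total first crosses the limit
            if before <= limit < daily_bytes[key]:
                findings.append((user, f"{daily_bytes[key]} bytes downloaded on {ts.date()}"))
    return findings

if __name__ == "__main__":
    for user, reason in review(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

The output is a triage list, not a verdict: a service account downloading a nightly export or a clinician on call will legitimately trip these rules, so the thresholds and allow-lists need tuning against your own baseline.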

2. Encryption

HIPAA says organizations must “implement a mechanism to encrypt and decrypt electronic protected health information.” This includes encryption for data “at rest” (such as sitting on your servers) and “in transit” (such as communicating back and forth with another device like a patient’s computer or smartphone). Healthcare can be challenging because there are so many communications channels (email, instant messaging, videoconferencing) and content types (documents, images, videos). Ensure that the applications you use encrypt any health information that you send electronically. If not, then you need to modernize and upgrade your applications.

3. Cybersecurity

The HITECH Act provides guidance that organizations must use “technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” If this requirement is not met, the information is considered unsecured.

Under these definitions, the security and privacy of electronic health information is at risk if you are unable to prevent and detect cyberattacks. The more likely you can fend off a cyberattack, the less likely you will have a data breach. While cybersecurity encompasses many different components, a few of the most important tips include:

  • Eliminating unnecessary entry points to your network: These entry points could include a firewall port left open, external devices (like a flash drive) plugged into a computer, an open data port in an office, or a third-party vendor with access to a server with sensitive information.
  • Monitoring your network: IT professionals should be monitoring your network for suspicious activity and vulnerabilities that crop up that may give hackers access to your systems.
  • Updating and patching your applications: Lack of software patching is still the source of too many data breaches. You need to apply software patches and updates when they are provided by the vendor, as these patches often fix security vulnerabilities that hackers use to exploit applications. Also, maintain current supported versions of software to ensure patches are still being published.

4. Data backup and disaster recovery

HIPAA says organizations must “implement policies and procedures to protect electronic protected health information from improper alteration or destruction.” One essential component to meet this requirement is a data backup and disaster recovery solution that includes an onsite component (for quick recovery after a small incident, like a server failure), offsite component (for a natural disaster or ransomware), and periodic testing to demonstrate your data backup will work after an incident. Such solutions will also allow you to revert to a previous version of your data if it is altered or corrupted.

5. Physical security

In a separate section, § 164.310, HIPAA says organizations must “implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” This often overlooked aspect of security should include:

  • Limited access to rooms with devices that store health information.
  • A controlled process to permit entry and exit by authorized personnel.
  • Quick remediation in response to physical security risks (such as deactivating a lost key fob).

6. Training

You can never train your employees enough about cybersecurity best practices. Teach them about phishing attacks, ransomware, password best practices, and social engineering. All these areas—no matter your technology and tools—are human-centered vulnerabilities, leaving you open to attack. When people click on malicious links and attachments, use simple passwords, and get tricked on the phone to give away a username and password, hackers use those openings to get credentials that lead them to breach your systems.

While HIPAA and HITECH have existed for a long time, and the technical requirements are part of these laws, it’s clear that healthcare organizations still need a lot of help with building the right IT foundation to comply. Use this article to get a sense of where your IT foundation might need some work, and then create a plan to tackle any issues that are preventing you from complying or exposing you to great risk.
