Revised and updated for 2022.
The Health Insurance Portability and Accountability Act (HIPAA) and its supporting rules provide a comprehensive framework for safeguarding Protected Health Information. The HIPAA Security Rule becomes even more important as the healthcare sector has become more digitized over the past two years and the attack surface has expanded.
What is Protected Health Information?
HIPAA defines PHI as “any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.”
PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers. Health information ceases to be PHI if it is stripped of all identifiers that can tie the information to an individual. If the above identifiers are removed, the health information is referred to as de-identified PHI. HIPAA rules no longer apply to de-identified PHI.
The Need for Safeguarding PHI in the post-COVID-19 era
As the healthcare industry has moved from physical records to electronic ones, the risk of data being accessed or viewed by unauthorized entities has increased significantly. In fact, malicious actors are targeting health data due to the increased black-market value of stolen medical records and PHI.
The COVID19 pandemic has created a new reality for the healthcare sector globally testing its limits. Adding to the overwhelming situation it is currently facing, the sector has become a direct target of cybersecurity attacks.
In November 2021, The FBI, along with the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) issued an advisory warning the healthcare and transportation sectors about an Iranian government-sponsored advanced persistent threat (APT) group that has been exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities.
In January 2022, following a warning from Microsoft regarding the Log4J vulnerability, the HHS 405(d) Task Group issued a brief outlining the risks associated with the Log4j vulnerabilities and urged the healthcare sector to prioritize patching and mitigating risk. Many cloud applications that healthcare organizations use for EHR services, along with other outsourced security services, frequently use the Log4J software.
The HIPAA Security Rule
The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule institutes three security safeguards – administrative, physical and technical – that must be followed to achieve full compliance with HIPAA. The objectives of the safeguards are the following:
- Administrative: to create policies and procedures designed to clearly show how the entity will comply with the act.
- Physical: to control physical access to areas of data storage and protect against inappropriate access.
- Technical: to protect PHI when transmitted electronically over communications networks.
Technical Safeguards for ePHI
The Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Specifically, covered entities and business associates must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures of the information; and
- Ensure compliance by their workforce.
The Security Rule outlines technical safeguards as security measures that encompass access control, audit controls, integrity controls, and transmission security of ePHI. These technical safeguards, which are described in greater detail below, apply to all forms of ePHI and address not only the technology but also related policies and procedures that protect ePHI and define controls.
The Security Rule requires a covered entity or business associate to comply with the technical safeguard standards, but it does not specify the exact procedures entities must use to protect ePHI. There is some flexibility as to which security measures can be implemented to protect data, but HIPAA’s Security Rule has a few specific requirements for some types of implemented technology. Entities need to be aware of the following safeguards:
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access ePHI. Access control procedures include requirements for unique user identification, access to ePHI during an emergency, termination of an electronic session after a predetermined time of inactivity, and mechanisms to encrypt and decrypt ePHI.
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
Person or Entity Authentication. A covered entity must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network, such as the use of encryption that renders ePHI “unreadable, undecipherable or unusable” so any “acquired healthcare or payment information is of no use to an unauthorized third party”.
Data Encryption Requirements
The HIPAA Security Rule calls for covered entities and their business associates to implement technical safeguards to protect all ePHI either when stored or transmitted. Specifically, the Security Rule states that ePHI is “rendered unusable, unreadable, or indecipherable to unauthorized individuals” if it has been encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of Encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.”
HIPAA suggests that covered entities and their business associates should follow the policies and practices tested and promulgated by NIST both when ePHI is in transit and at rest:
“Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.”
“Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; SP 800-77, Guide to IPsec VPNs; or SP 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.”
In addition to the above, NIST has published the following publications which aim at securing ePHI:
NIST SP 1800-1, Securing Electronic Health Records on Mobile Devices: This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design that can be tailored and implemented by healthcare organizations of varying sizes and information technology (IT) sophistication. Specifically, the guide shows how healthcare providers, using open-source and commercially available tools and technologies that are consistent with cybersecurity standards, can more securely share patient information among caregivers who are using mobile devices.
NISTIR 8053, De-Identification of Personal Information: De-identification removes identifying information from a dataset so that individual data cannot be linked with specific individuals. De-identification can reduce the privacy risk associated with collecting, processing, archiving, distributing, or publishing information. De-identification thus attempts to balance the contradictory goals of using and sharing personal information while protecting privacy. The process of de-identification, as it pertains to PHI is described in the HIPAA Privacy Rule. It should be noted that once information has been de-identified, it is no longer considered to be PHI.
Concluding Thoughts
The healthcare sector has long been a target of cybercriminals. But most recently, as all eyes focused on the coronavirus pandemic spanning the globe, other cybersecurity threats took advantage of the overwhelmed health care system, targeting the technologies so heavily relied upon by healthcare systems and providers.
ITEGRITI helps protect some of the nation’s most critical infrastructure, serving clients in the energy, healthcare, transportation, education, retail and financial sectors. We develop and implement programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor, and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event. Contact our experts to learn how ITEGRITI can help your company become HIPAA compliant.