{"id":3152,"date":"2022-02-07T13:02:07","date_gmt":"2022-02-07T13:02:07","guid":{"rendered":"https:\/\/itegriti.com\/kw022024\/?p=3152"},"modified":"2022-09-13T10:03:29","modified_gmt":"2022-09-13T10:03:29","slug":"understanding-hipaa-security-2-2","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2022\/compliance\/understanding-hipaa-security-2-2\/","title":{"rendered":"Understanding the HIPAA Security Rule: What You Need to Know"},"content":{"rendered":"

Revised and updated for 2022.<\/em><\/p>\n

The Health Insurance Portability and Accountability Act (HIPAA)<\/a> and its supporting rules provide a comprehensive framework for safeguarding Protected Health Information. The HIPAA Security Rule becomes even more important as the healthcare sector has become more digitized over the past two years and the attack surface has expanded.<\/p>\n

What is Protected Health Information?<\/h2>\n

HIPAA defines PHI as \u201cany identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.\u201d<\/p>\n

PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers. Health information ceases to be PHI if it is stripped of all identifiers that can tie the information to an individual. If the above identifiers are removed, the health information is referred to as de-identified PHI. HIPAA rules no longer apply to de-identified PHI.<\/p>\n

The Need for Safeguarding PHI in the post-COVID-19 era<\/h2>\n

As the healthcare industry has moved from physical records to electronic ones, the risk of data being accessed or viewed by unauthorized entities has increased significantly. In fact, malicious actors are targeting health data due to the increased black-market value of stolen medical records and PHI.<\/p>\n

The COVID19 pandemic has created a new reality for the healthcare sector globally testing its limits. Adding to the overwhelming situation it is currently facing, the sector has become a direct target of cybersecurity attacks.<\/p>\n

In November 2021, The FBI, along with the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom\u2019s National Cyber Security Centre (NCSC) issued<\/a> an advisory warning the healthcare and transportation sectors about an Iranian government-sponsored advanced persistent threat (APT) group that has been exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities.<\/p>\n

In January 2022, following a warning from Microsoft regarding the Log4J vulnerability, the HHS 405(d) Task Group issued a brief outlining the risks associated with the Log4j vulnerabilities<\/a> and urged the healthcare sector to prioritize patching and mitigating risk. Many cloud applications that healthcare organizations use for EHR services, along with other outsourced security services, frequently use the Log4J software.<\/p>\n

The HIPAA Security Rule<\/h2>\n

The Security Rule<\/a> sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule institutes three security safeguards \u2013 administrative, physical and technical \u2013 that must be followed to achieve full compliance with HIPAA. The objectives of the safeguards are the following:<\/p>\n