The HIPAA Journal estimates that a large data breach (more than 50,000 records) can cost the organization around $6 million – and that’s before the Office for Civil Rights (OCR) drops its own hammer. Over the last few years, we’ve seen more breach reports, an increase in HIPAA investigations, and higher fines across the board – all stemming from violations of the HIPAA Security Rule.
What is The HIPAA Security Rule?
The HIPAA Security Rule sets the minimum standards that Covered Entities (CEs) must meet when handling electronic PHI (ePHI). To be considered HIPAA compliant, CEs need to address three categories of safeguards: administrative, physical, and technical.
How Does the HIPAA Security Rule Protect Your Data?
The administrative safeguards require CEs to follow certain processes to ensure and verify their compliance with the HIPAA Security Rule:
- Security Management Process: CEs must establish policies and procedures to prevent, detect, contain and correct security violations. Part of this process is to follow the procedures in the Risk Management Framework to assess overall risk in your current processes or when you implement new policies.
- Assigned Security Responsibility: One designated security official must be responsible for the development and implementation of the HIPAA Security Rule.
- Workforce Security: CEs must identify which employees require access to ePHI and control that access. To achieve this, implement a least privilege model and automatically enforce and manage permissions.
- Information Access Management: Once you have identified who should have access in the step above, restrict access to ePHI through permissions.
- Security Awareness and Training: In order to enforce these rules and security policies, organizations need to train their users on what the rules are and how to abide by them.
- Security Incident Procedures: This standard provides guidance on creating a policy to address data breaches, which is good practice regardless of HIPAA: report breaches and security violations, and set up alerts and security analytics so that you can prevent breaches in the first place.
- Contingency Plan: This is the “what happens next” standard. Create and follow a data backup plan, disaster recovery plan, and have an emergency mode operation plan in place, just in case things go sideways and you get breached. There’s also guidance in this standard for testing and revising these plans, as well as managing critical applications that store, maintain or transmit ePHI.
- Evaluation: Establish a process to review and maintain the policies and procedures to stay up to date and current with the HIPAA Security Rule.
- Business Associate Contracts and Other Arrangements: While it’s OK to use other businesses to implement your overall HIPAA security strategy, as with any third-party contractor, you must get assurances from them that they understand HIPAA and won’t leak your ePHI.
The physical safeguards section of the HIPAA Security Rule sets standards for physical security: the “lock your doors” and “batten down the hatches” kind of guidance – along with what to do in case of natural disasters, naturally.
- Facility Access Controls: Limit and audit physical access to the computers that store and process ePHI. Pro tip – put a lock on the server room door.
- Workstation Use: Manage and secure the computers (desktops, laptops, and tablets) that are used to access ePHI. Every computer with access to a CE’s ePHI must adhere to this policy, including systems that are offsite (and offline).
- Workstation Security: Implement physical safeguards for all computers that access ePHI: restrict physical access to those computers, and install remote-wipe safeguards on laptops that grow legs.
- Device and Media Controls: Once computers are covered, you still need safeguards on all the rest: devices and media like USB drives, tape backups, or removable storage. Establish a policy to inventory, allow the use of, and reuse or dispose of these devices as needed.
Technical safeguards are the technology and procedures that CEs use to protect ePHI. The HIPAA Security Rule does not define what technology to use, but it demands that CEs adhere to the standard and adequately protect ePHI from data breaches.
- Access Control: Authenticate users as necessary to access ePHI, establish and maintain a least privilege model, and have appropriate procedures in place to audit access control lists (ACL) on a regular schedule.
- Audit Controls: Log activity on your ePHI so that it can be recorded and analyzed in case of a data breach. CEs need to be able to show the OCR exactly how a data breach occurred, with a complete audit trail and reporting.
- Integrity: To be HIPAA compliant, CEs need to be able to prove that the ePHI they manage is protected from threats both inside and out, intentional or not. Whether the new intern deletes a record accidentally or a nefarious hacker deletes it intentionally, you should be able to recover and restore that record.
- Person or Entity Authentication: CEs must provide assurances that the person accessing ePHI is, in fact, who they say they are. These assurances can be a password, two-factor authentication, or retinal scan – whatever works as long as you have something implemented.
- Transmission Security: When sending data to business partners, you need to be able to prove that only authorized individuals accessed the ePHI. You can use encrypted email with a private key, HTTPS file transfer, or a VPN – as long as only people authorized to use the ePHI can access it, HIPAA doesn’t care how you set it up.
Ensuring Compliance: HIPAA Security Rule
HIPAA doesn’t spell out what specific software to install or how to implement the requirements in the HIPAA Security Rule.
Varonis provides a 30-day free risk assessment to help you get started: we’ll outline problem areas, potential violations, and a plan for how to fix them – we’ve got a proven track record with thousands of customers, many of whom deal with ePHI and HIPAA regulations on a daily basis.