Why it’s crucial to prioritize HIPAA compliance in 2024
Healthcare organizations remain vulnerable to advanced cyber challenges, so these steps can mitigate costly data breach risks.
Late last year, an urgent care clinic in Louisiana became the first healthcare organization in the United States to be fined by the federal government for violating Health Insurance Portability and Accountability Act (HIPAA) laws as a result of a phishing attack. The nearly $500,000 penalty was preceded by the announcement of a $100,000 fine against a Massachusetts medical management firm for HIPAA violations because of a ransomware attack.
These incidents underscore a critical reality: compliance with HIPAA isn't just a regulatory formality; it's an essential safeguard against substantial and potentially increasing financial punishments.
Rolling into 2024, the stakes are raised as cyber threats become more sophisticated, more daring and more prevalent. Protecting patient data isn't just a matter of compliance with regulations like HIPAA; it is also a fundamental requirement of patient trust and care.
It sounds like a cliché to say “it's not if, but when" your organization will experience a data breach. However, we expect to see a more significant number of hackers target healthcare organizations – both large and small – in 2024. While there is a required investment to maintain HIPAA compliance by securing your organization against nefarious attackers, the corollary is the likely event of facing even higher costs for non-compliance when the inevitable cybersecurity incident occurs.
Ensuring compliance with HIPAA laws can seem daunting, but here are three best practices that healthcare organizations of any size should be implementing to become compliant and to more effectively safeguard themselves against data breaches.
Implement multifactor authentication
MFA is a cornerstone of modern cybersecurity. Requiring multiple forms of verification by the user significantly reduces the risk of unauthorized access. This approach combines two of these three categories:
- • Something you know (such as a password).
- • Something you have (a physical item such as your personal smartphone with an authenticator app or cryptographic hardward like a Yubikey).
- • Something you are (like a fingerprint).
Consistently enforcing MFA policies increases the "impersonation resistance level" for every employee in a healthcare organization for very little capital outlay. In some cases, MFA plus biometrics is being used in tandem to provide increased security. And while smaller organizations deploy biometrics less frequently, the financial and technological hurdles surrounding this security control are being reduced.
The benefits of using biometric security systems to validate patient identities include preventing data breaches and identity theft while providing the convenience of at-home or on-the-go healthcare services.
Recently, I advised a healthcare provider on an attempted security attack for which the provider used MFA to prevent a breach relatively quickly and easily. The organization experienced multiple failed log-in attempts during off hours. Thanks to MFA, the attempted unauthorized access was thwarted as employees followed their security training advising on the importance of identifying anomalous or irregular activity patterns in connection with account log-ins. As a result, its security team knew not to authenticate these requests.
Conduct regular security awareness training
As mentioned in the MFA example, security awareness training is another must-have for protecting healthcare organizations against cybersecurity attacks. Statistics from the Dept. of Health and Human Services show 116 million people were affected by healthcare data breaches in 2023, and phishing remains one of the most common attack vectors.
Consistently training staff to recognize and respond appropriately to phishing attempts is crucial. This training should cover various types of phishing, including vishing and quishing, and provide guidelines on verifying the authenticity of requests for information. Regarding security, employees are the first line of defense, and your eyes and ears to suspicious activity.
A case in point – a healthcare organization recently avoided a major breach thanks to its staff's ability to identify a phishing email disguised as a SharePoint link from a compromised partner. This example highlights the need for continuous vigilance and education.
Regularly audit and assess security
Regularly reviewing the strength of an organization's security posture is like a health check-up for the IT environment. This involves vulnerability scans, penetration testing and auditing user accounts to ensure appropriate access levels. It's surprising how often redundant accounts or unnecessary admin privileges are revealed during audits. These are potentially unlocked doors into databases and other applications containing confidential data.
Post-breach, these assessments are even more critical. Organizations must identify how breaches occurred and harden their networks and applications to prevent future incidents. Remember, an organization that has suffered a breach is significantly more likely to be targeted again within the next six months.
Additional best practices
Along with those aforementioned suggestions, here are a few additional considerations that are critical for healthcare organizations in fortifying their cybersecurity posture and ensuring comprehensive compliance.
Extend compliance beyond HIPAA. Healthcare organizations often need to adhere to multiple regulatory frameworks. Regular assessments ensure compliance not just with HIPAA but also with other relevant standards like PCI DSS for payment processing.
Invest in cyber insurance. Cyber insurance – including data breach insurance and cyber liability insurance is strongly recommended and state laws often mandate it. It's a safety net that can cover the considerable costs associated with a breach, including lost income, forensic analysis and network rebuilding.
Conduct annual assessments. Comprehensive reviews of an organization’s security posture, including penetration testing and vulnerability scans, is advisable. This step aligns with many industry regulations and can be required to maintain cyber insurance.
Regularly update and patch systems. Stay vigilant about keeping all software, operating systems and medical devices up to date with the latest security patches. Regularly patching vulnerabilities helps prevent exploitation by cyber attackers. Establish a systematic process for monitoring and applying patches promptly, especially for critical systems handling patient data. Medical devices that cannot be patched should be segmented on the network to protect data and other systems.
By incorporating these additional measures healthcare organizations of all sizes can create a more robust and resilient cybersecurity infrastructure to increase protection and deliver better patient care.
Amber Clifton is a security consultant for Blue Mantis.