Why your security strategy must go beyond a focus on HIPAA
It is particularly important to be aware of evolving threats, so annual training alone is insufficient. Consider a broader approach: implement a variety of industry-wide standards, follow security-focused guidance and monitor ongoing developments.
The Department of Health and Human Services’ Office for Civil Rights is promoting compliance with the HIPAA Security Rule as a key step toward preventing cyberattacks or substantially mitigating their impacts. But HIPAA compliance is only one component of a good security program, which requires a much more comprehensive strategy.
The HIPAA Security Rule is broken into three components: administrative, technical and physical. Those areas are further divided into required and addressable elements.
In promoting the value of compliance, OCR picks examples from across the rule that it says help prevent a cyberattack. Some of the specific components highlighted include staff education and access controls for systems.
The agency highlighted the need to inform the workforce about cybersecurity issues in the broader world as well as changing cyber threats. Indeed, it’s particularly important to be aware of evolving threats, so annual training is insufficient.
If educational material is only pushed out on an annual basis in a boring, uninspired fashion, then the likelihood of crucial details being remembered is quite low. But if education is pushed out on a regular basis, using current events to highlight why the news is important, there is a chance of the new threat being a part of regular discussions.
Implementing access controls involves looking at the breadth of information that an individual can access as well as the layers of control over that access.
Healthcare organizations understand that not every person in an organization should have access to all information. The scope of access should be limited to what is needed to perform one’s job function.
Using myself as an example, I have no need to access protected health information maintained by my company. I don’t have direct contact with our customers for delivering services. Given that reality, I don’t have privileges to access our databases housing PHI, and I have no expectation of getting that access.
My company has also limited staff access to PHI as much as possible, and it regularly reviews who has access. If a new employee needs access, we have a multistep request process in place to ensure that we don’t inadvertently give unnecessary access.
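As an added illustration of the kind of periodic access review described above (example code, not the author's or any company's actual process): a small Python review that compares each account's PHI grants with what its job function entitles it to, flags grants that lack an approval record from the request process, and flags grants still attached to inactive accounts. The role names, datasets and accounts are constructed for the example.

```python
"""Periodic PHI access review: least privilege by job function, approval records, stale accounts."""
from dataclasses import dataclass, field

# Constructed role-to-entitlement map (hypothetical, not a real organization's policy).
# Legal staff, as in the article's example, have no business need for PHI.
ROLE_ENTITLEMENTS = {
    "clinician": {"phi_clinical"},
    "billing": {"phi_billing"},
    "general_counsel": set(),
    "dba": {"phi_clinical", "phi_billing"},
}


@dataclass
class Account:
    user: str
    role: str
    active: bool
    grants: set                                  # PHI datasets the account can currently read
    approved: set = field(default_factory=set)   # grants backed by a recorded request approval


def review_access(accounts):
    """Return (user, finding, datasets) tuples for every grant that should be revoked or re-approved."""
    findings = []
    for acct in accounts:
        entitled = ROLE_ENTITLEMENTS.get(acct.role, set())
        # An inactive account should hold no PHI grants at all; report everything it still has.
        if not acct.active and acct.grants:
            findings.append((acct.user, "inactive_account", sorted(acct.grants)))
            continue
        # Grants beyond the job function violate least privilege.
        excess = acct.grants - entitled
        if excess:
            findings.append((acct.user, "exceeds_role", sorted(excess)))
        # Grants within the job function still need an approval trail from the request process.
        unapproved = (acct.grants & entitled) - acct.approved
        if unapproved:
            findings.append((acct.user, "no_approval_record", sorted(unapproved)))
    return findings


# Constructed sample accounts (not real users).
SAMPLE_ACCOUNTS = [
    Account("counsel1", "general_counsel", True, set()),
    Account("dr.lee", "clinician", True, {"phi_clinical"}, {"phi_clinical"}),
    Account("jsmith", "billing", True, {"phi_billing", "phi_clinical"}, {"phi_billing"}),
    Account("intern1", "clinician", True, {"phi_clinical"}),
    Account("former", "dba", False, {"phi_clinical", "phi_billing"}),
]

if __name__ == "__main__":
    for user, finding, datasets in review_access(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding} -> {', '.join(datasets)}")
```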
It’s a good start
HIPAA compliance is a good start for building security, but it can only do so much. And compliance should be far more than just a check-box exercise.
When compliance is viewed as something that gets in the way of operations and is not baked into an organization’s culture, it won’t have much of an impact. Checking a box means folks will try to do the bare minimum without thinking proactively.
It's helpful to view HIPAA as creating a sturdy foundation for security. The HIPAA Security Rule does not exactly define what measures to implement or what tools meet expected security standards. Instead, the rule identifies certain practices and controls that should be implemented. Even for required elements, organizations need to internally identify the best means of implementing the control.
The non-specific approach of the Security Rule makes sense because the rule cannot remain up to date given ever-changing technologies and risks. And a one-size-fits-all approach won’t work for the smallest clinics as well as the largest academic medical centers.
Another reason to view the HIPAA Security Rule as a foundation is that it’s driven by policy and procedure. The rule doesn’t spell out how an organization must build its technology infrastructure or how it must develop solutions. It focuses, instead, on actions and behaviors, including the need to create a written security policy.
What is true security?
If HIPAA is best viewed as a foundation, what is “true” or better security?
First, it should be acknowledged that no system can ever be fully secure or immune from attack. Breaches are inevitable because no form of security is foolproof.
To go beyond a focus on HIPAA compliance, organizations should implement a variety of industry standards; follow security-focused guidance, especially from the National Institute of Standards and Technology; and monitor ongoing developments.
Good security is about finding new tools or means of configuring systems and understanding that the nature of threats will change. When a comprehensive approach is taken, then security has a chance to actually protect the information being housed.
Security is a constant effort that can feel thankless and without a return on investment. However, minimizing the likelihood of a compromise or being able to cut off an attack quickly is actually a good outcome that can help maintain the reputation of an organization.
Beware of a false sense of security
Although OCR is stressing that HIPAA Security Rule compliance helps prevent or substantially mitigate most cyberattacks, building a security program that focuses mainly on compliance creates a false sense of security. Even solid compliance with the rule – deeply embedding the principles within the DNA of an organization – can only do so much.
Achieving comprehensive and up-to-date security requires looking to many other standards and areas of information. No single requirement or guidance can be a single source of truth. Instead, all available materials should be considered. Ultimately, good security is driven by the actions of each organization and all of the individuals within that organization.
Matthew Fisher is a corporate and regulatory healthcare attorney. Matt is currently General Counsel for Carium, a virtual care platform company.