- As hacking and cyberattacks continue to occur and lead to healthcare data breaches, technical safeguards become increasingly important for healthcare organizations.
Technical safeguards, as defined by the Department of Health and Human Services (HHS) in the HIPAA Privacy Rule, are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Under HIPAA, technical safeguard requirements are very flexible as to cater to the uniqueness of each individual practice.
“The Privacy Rule’s safeguards standard is flexible and does not prescribe any specific practices or actions that must be taken by covered entities,” HHS explains in a document explaining HIPAA requirements. “This allows entities of different sizes, functions, and needs to adequately protect the privacy of PHI as appropriate to their circumstances.”
That said, HIPAA still contains several suggestions for technical safeguards. In light of the several hacking and IT related health data breaches this past year, it is important for healthcare organizations to understand the measures available to them in order to fully protect from further incidents.
Protecting Against Hacking Incidents
According to the healthcare data breach database maintained by the Office of Civil Rights (OCR), the top 10 healthcare data breaches for this year were caused by hacking or health IT related incidents, highlighting an industry-wide need for better technical safeguards.
Some of the most notable hacking incidents in 2015 include the Anthem breach, the Premera Blue Cross breach, and the UCLA breach, all of which resulted in the potential disclosure of tens of millions of individuals’ PHI. Although all of these entities reportedly had sophisticated health data security measures, it is important to still review technical safeguard procedure under HIPAA guidelines.
Contrary to what one may instinctively think, HIPAA does not have a prescriptive approach to technical safeguards. This is because each healthcare organization is unique and therefore has varying needs; what may work for one organization may not work for another.
However, HIPAA still spells out a handful of suggested procedures to be adopted at varying intensities by different organizations.
In the National Institute of Standards and Technology (NIST) HIPAA Security Rule Resource Guide, NIST explains nine different measures healthcare entities can adopt to improve technical safeguards.
For example, each healthcare organization should be asking itself questions about who can access electronic PHI (ePHI) and how they can do that, examining how user controls will be managed, establishing emergency access controls, implementing automatic logoff and data encryption, and automatically terminating employee access if he or she is no longer working at the organization.
Additionally, healthcare organizations can benefit from regular security audits to assess their level of health data protection. HHS’s HIPAA Security Series states that when creating audit protocols, entities should “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Protecting Against Phishing Scams
Phishing scams have also been growing in prevalence recently. HHS defines a phishing scam as such:
“Phishing is a social engineering scam whereby intruders seek access to your personal information or passwords by posing as a legitimate business or organization with legitimate reason to request information.”
Additionally, actors can conduct phishing schemes by sending an individual with a link and a seemingly legitimate reason to click the link, and then a virus may be downloaded onto the device.
Just this year Partners Healthcare experienced a healthcare data breach due to a phishing scam. After answering an email requesting some kind of information, the healthcare organization fell liable to an attack, eventually compromising nearly 3,300 patients’ information.
“Responding to the ‘phishing’ emails created an opportunity for unauthorized access to the workforce members’ email accounts within the Partners HealthCare network,” the statement read. “When we learned of this, we took steps to secure the email accounts and contacted law enforcement.”
The HHS Cybersecurity Program provides several common sense actions to prevent these kinds of phishing schemes. For example, the agency advises to never provide username or password information to someone over an email message.
Additionally, HHS provides guidelines for the kinds of emails to be suspicious of. If an email contains several grammatical errors, requests personal information, asks you to click a link, or is unexpected from an entity you are not affiliated with, then HHS suggests an individual be suspicious.
If one receives this type of suspicious email, HHS advises one not to click any links or attachments on it, or provide the sender any personal or financial information. Additionally, HHS requests that individuals forward these emails on to the agency’s Computer Security Incident Response Center for mitigation.
Encrypting Health Devices
Sometimes technical safeguards are vital in warding off physical threats. Such is the case with device encryption. When a device -- such as a laptop or tablet -- is encrypted, a thief will have a difficult time making sense of any of the information potentially stored on the device should the device get stolen.
However, not every healthcare organization encrypts their employee devices, and this unfortunately often leads to the disclosure of patient information.
In July of this year, an unencrypted laptop was stolen from a UC San Francisco (UCSF) employee.
Although no Social Security numbers were stored on the device, other patient information including patient names, dates of birth, medical numbers, and health insurance ID numbers may have been breached.
In light of the incident, UCSF reported it would be strengthening its physical and technical safeguards associated with all of its devices. Such measures may have included implementing encryption capabilities on all devices.
Just like several other aspects of HIPAA, encryption is a suggested measure left to the discretion of the provider. The intent behind this is to customize security precautions for unique and individual healthcare organizations.
During the HIPAA Security Series, HHS suggested that entities ask themselves the following questions when considering encryption:
Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI by persons or software programs that have not been granted access rights?
Additionally, providers need to remember the limits to data encryption. For example, when sending information from one sender to another, encryption will only function if both senders are using the same encryption software.
Likewise, encryption only limits so many breaches of information. For example, if a laptop’s owner’s login credentials are obtained in a phishing scheme prior to device theft, the thief will be able to access the information regardless of level of encryption.
That said, encryption is still a simple method to protect information on some levels, despite its limitations.
Although there is no cure-all fix for data security, healthcare organizations can take small steps toward protecting information on various fronts. By combining different levels of HIPAA’s suggested technical safeguards, staying vigilant of phishing schemes, and employing device encryption, healthcare organizations can take small steps toward fortifying sensitive health information.