The push for digital health records is not going to slow down anytime soon, and as recent cases of ransomware attacks show, healthcare organizations must create comprehensive data security measures. HIPAA technical safeguards are just one key consideration for covered entities and business associates, and should be utilized as part of a larger cybersecurity approach.
Healthcare organizations must determine reasonable and appropriate security measures for their own needs and characteristics. When it comes to technical safeguards under HIPAA regulations, this could mean utilizing data encryption on mobile devices or opting for multi-factor authentication measures.
Technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it,” according to the HIPAA Security Rule.
“No specific requirements for types of technology to implement are identified,” the HIPAA Security Series explains. “The Rule allows a covered entity to use any security measures that allows it reasonably and appropriately to implement the standards and implementation specifications.”
Even without specific requirements, HHS still covers key areas for covered entities and business associates to review when implementing technical safeguards. Understanding the basics and reviewing potential examples of technical safeguards can greatly assist healthcare organizations of all sizes in finding the right security measures for their operation.
Main standards within technical safeguards
There are several overarching standards discussed within the HIPAA technical safeguards:
- Access Control – giving users rights and/or privileges to access and perform functions using information systems, applications, programs, or files.
- Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Integrity Controls – implementing policies and procedures for ePHI protection against alteration or destruction.
- Person or Entity Authentication – ensuring a person’s identity before giving him or her ePHI access.
- Transmission Security – guarding against unauthorized ePHI access when data is transmitted over an electronic communications network.
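As an added illustration of the Access Control and Audit Controls standards above (example code, not from the article or from HHS guidance), the following Python script examines a constructed ePHI access log for reads without a treatment relationship and for after-hours bulk reads; the log format, the care-team table and the thresholds are all assumptions:

```python
"""Added example (not from the article): a minimal HIPAA audit-control
examiner. It does not record activity itself; it reviews a constructed
ePHI access log. Log format, care-team table and thresholds are assumed."""
from collections import Counter
from datetime import datetime

# Constructed sample audit trail: timestamp, user, action, patient record id.
AUDIT_LOG = """\
2017-05-12T09:14:03 dr_adams READ patient:1001
2017-05-12T09:20:41 dr_adams READ patient:1002
2017-05-12T22:05:17 clerk_lee READ patient:1001
2017-05-12T22:05:19 clerk_lee READ patient:1003
2017-05-12T22:05:22 clerk_lee READ patient:1004
2017-05-12T22:05:25 clerk_lee READ patient:1005
2017-05-12T10:31:00 nurse_kim READ patient:1002
"""

# Assumed care-team assignments: which users have a treatment relationship
# with which patients (the basis for the access-control decision).
CARE_TEAM = {
    "dr_adams": {"patient:1001", "patient:1002"},
    "nurse_kim": {"patient:1002"},
    "clerk_lee": set(),
}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time, an assumption
BULK_THRESHOLD = 3              # more than 3 after-hours reads/day is "bulk"

def parse(log: str):
    """Turn raw log lines into (datetime, user, action, record) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events

def examine(log: str) -> list[str]:
    """Return findings a security officer would review: reads of records
    the user has no care relationship with, and after-hours bulk reads."""
    findings = []
    after_hours = Counter()
    for ts, user, action, record in parse(log):
        if record not in CARE_TEAM.get(user, set()):
            findings.append(f"NO_RELATIONSHIP {user} {action} {record} at {ts.isoformat()}")
        if ts.hour not in BUSINESS_HOURS:
            after_hours[(user, ts.date())] += 1
    for (user, day), n in after_hours.items():
        if n > BULK_THRESHOLD:
            findings.append(f"AFTER_HOURS_BULK {user} read {n} records on {day}")
    return findings
```

Run on the constructed log, the reads by the clinician and nurse pass, while the clerk's four after-hours reads of unassigned records produce four relationship findings plus one bulk finding.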
Overall, technical safeguards are technology and its related policies and procedures that are implemented to help ensure ePHI security.
“The Technical Safeguards standards apply to all EPHI,” HHS stated in its guide. “The Rule requires a covered entity to comply with the Technical Safeguards standards and provides the flexibility to covered entities to determine which technical security measures will be implemented.”
However, a technical safeguard that is necessary for one organization may not be applicable to another.
Common technical safeguard options can include, but are not limited to, the following: anti-virus software, multi-factor or two-factor authentication, data encryption, de-identification of data, firewalls, mobile device management (MDM), and remote wipe capability.
While some safeguards (e.g., firewalls and anti-virus software) should be standard to protect against potential malware, other options will be necessary depending on an organization’s daily operations.
For example, a small clinician’s office that does not allow BYOD may not require as strict an MDM policy as a large hospital might need.
“A covered entity must establish a balance between the identifiable risks and vulnerabilities to ePHI, the cost of various protective measures and the size, complexity, and capabilities of the entity,” HHS noted in the guide.
What happens when HIPAA technical safeguards are lacking?
While no healthcare organization can guarantee that a data breach or security incident will never happen, utilizing the necessary safeguards can help prevent them from occurring. Additionally, HIPAA compliance can assist entities in responding to potential attacks, and working to recover from such incidents.
In April 2017, Pennsylvania-based CardioNet agreed to a $2.5 million OCR HIPAA settlement. Part of the issue stemmed from improper safeguard implementation, according to OCR.
A laptop containing ePHI was stolen from a parked vehicle outside of an employee’s home, and OCR determined that CardioNet did not have a sufficient risk analysis and risk management processes in place when the device was stolen.
A second reported data breach also involved failed mobile security safeguards, OCR noted. CardioNet lacked the necessary policies and procedures for how electronic media containing ePHI should be handled, including encrypting mobile devices and governing how the devices could be removed from the facility.
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” OCR Director Roger Severino said in a statement. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
HIPAA technical safeguards can also be greatly beneficial in preventing potential ransomware attacks. Updated software and necessary security patches can be crucial in preventing malicious third parties from gaining access to a healthcare organization’s systems.
The May 2017 WannaCry ransomware attack infiltrated more than 150 countries and caused the UK’s National Health Service to cancel certain services.
WannaCry targeted Microsoft’s Windows operating system, and also utilized the EternalBlue exploit that was allegedly developed by the National Security Agency (NSA). While Microsoft released a security update on March 14, 2017, the malware could more easily access the systems of organizations that had not yet installed the update.
Windows XP, Windows 8, and Windows Server 2003 also received updates, even though those operating systems had not received security patches for some time.
“Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests,” Microsoft explained in its description of the Windows SMB remote code execution vulnerabilities. “An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.”
“To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server,” Microsoft continued. “The security update addresses the vulnerabilities by correcting how SMBv1 handles these specially crafted requests.”
The WannaCry attack was a wakeup call for organizations, especially those in the healthcare sector, that they must remain current on all available patches and updates for operating systems and applications, according to ICIT Co-founder and Senior Fellow James Scott.
“If you’re using Excel, anything Microsoft, the second an update comes, you have to do it,” Scott explained in a HealthITSecurity.com interview. “Now more than ever with their vendor relationships, healthcare organizations have to have cybersecurity and updates scheduled, such as a software or patch schedule built into that contract. Some healthcare organizations are starting to do that now, but if they’re not they definitely should be.”
Covered entities and business associates need to review their policies and procedures to determine the best HIPAA technical safeguards to implement for PHI security.
Available tools and guidance can help healthcare organizations ensure they are working toward strong data security. This could involve implementing a new encryption option or another technical tool, but in every case covered entities should understand how HIPAA technical safeguards play a role in keeping sensitive data secure.