Almost every industry in the world has been attacked by hackers at some point in time. The healthcare industry has been one of the most severely affected domains for some time, even to the extent of becoming the most hacked industry during 2015. According to statistics collected for the year 2017, hacking accounts for 27% of all data breaches, of which 70% intrusions were on networks owned by leading healthcare providers. During a 2-week monitoring period the Department of Health and Human Services reported six different network compromises on their website. This led to disclosure of electronic protected health information data (ePHI data) for as many as 70,000 individuals. Since then the count for cyber-attacks has been surging around 40% every year since 2009.
Why aren’t HIPAA Compliance Rules simple?
While HIPAA requirements are similar to other regulations and standards, there are two unique aspects to compliance that make them challenging:
- Healthcare Organizations must have direct access to ePHI data at all times: A healthcare organization such as a hospital must have access to ePHI data all the time. A patient who needs immediate medical attention, may not get it, because the hospital is unable to pull up the data immediately. This makes it vital to have both the application and the data available for use, at all times.
- ePHI Data must be kept secure at all times: As a compliance prerequisite, it is necessary for healthcare organizations to keep their ePHI data secure irrespective of where the data is located or if there has been a natural calamity. If ePHI data is lifted from a secondary or tertiary location, it is still a full-blown HIPAA violation, regardless of whether Hurricane Sandy has flooded the entire neighborhood or there is a cyber-attack in progress.
Unlike other industries where organizations have the option to delay coming back online by 24 or 48 hours. Healthcare organizations cannot do that, which makes adhering to their compliance guidelines more difficult.
Devising a HIPAA-Compliant Security & Recovery Program
It is essential to build an effective security program, but it is equally necessary to test it thoroughly, exercise the infrastructure, as well as assess its performance with several people, processes and systems involved in the activity. This will ensure that the company has devised a reliable recovery plan. The 4 steps, through which this can be practically achieved, are:
- Carry out a business impact analysis with disaster recovery planning to determine key sensitive data governed by HIPAA, then assess the systems which help deliver date to the end user.
- Devise a completely disparate secondary or tertiary website that ideally can quickly replicate through a cloud-based recovery mechanism.
- This ‘separate’ website must also be maintained from the production environment of the primary website. If it is maintained in the same environment, the ransomware can harm the backup data too. It is often recommended to have a third party manage this website, so that no ‘insiders’ can willingly harm the data they know a lot about.
- Engage and implement a sophisticated security and recovery program. Perform security testing of primary as well as the backup website, and also conduct regular drills to ensure the effectiveness of the recovery procedures.
For more on the best practices for protecting your organization’s protected health information, join expert speaker Stanley Nachimson in a live webinar titled ‘Cyber Attacks and Cyber Risk Management: Protecting PHI’ on Wednesday, January 11, 2017. This event will cover the key federal and state requirements to protect information, the steps providers need to take to meet regulations, the best practices for safeguarding information, and where and how to obtain further information and guidance.