Posted by Tyler Chancey, GCFA on

Tyler Chancey is a seasoned cybersecurity professional currently serving as the Director of Cyber Security at Scarlett Cybersecurity Services. With a solid foundation in Computer Software Engineering from the University of Florida, Tyler holds a repertoire of certifications that underscore his expertise. These include the prestigious Microsoft 365 Certified: Enterprise Administrator Expert and Microsoft 365 Certified: Security Administrator Associate, showcasing his mastery of Microsoft's enterprise solutions. Tyler's commitment to comprehensive security is further evidenced by his CompTIA Security+ certification, demonstrating proficiency in core cybersecurity principles. Additionally, his GIAC Certified Forensic Analyst (GCFA) credential attests to his advanced skills in forensic analysis, an invaluable asset in today's complex cybersecurity landscape. Tyler's dedication to staying at the forefront of industry standards is evident in his active pursuit and maintenance of these certifications, making him a trusted authority in the field.


What Cyber Security is required for HIPAA?

HIPAA requires entities dealing with e-PHI to put effort into providing technical, administrative, and physical controls around their sensitive data. Ignorance of the rules is not an excuse, and intentional negligence can carry severe penalties. You can even be reported by concerned (or angry!) clients if they suspect negligence with their e-PHI.

Cyber security is a growing field for all industries as technology enables further evolution. Attackers have begun focusing their efforts on valuable data such as e-PHI. Healthcare organizations of all sizes face a new wave of strict requirements from compliance and insurance organizations across the board.

The HIPAA Security Rule

The HIPAA Security Rule does not prescribe the specific controls that must be implemented, but it does define the domains (administrative, physical, and technical safeguards) in which compliance is expected.

Common sources of e-PHI are electronic systems in which any patient data is stored. The reliance on these networked systems by a majority of US practices means that the security rule is a near-universal requirement.

Realistically, this rule should be viewed as a baseline requirement for any practice that uses electronic systems holding e-PHI. Protecting patients' health information is vital both to comply with privacy laws and to maintain patient trust.

Do you need to certify with HIPAA for cyber security? No – the Security Rule does not require certification. However, it does require that assessments of your current controls be performed.

This is not just a requirement – it is also a recommended best practice for reducing exposure to cybercrime. Annual assessments are a minimum recommendation for all organizations, regardless of industry or compliance requirements.

HIPAA Cybersecurity Specifics

The HIPAA Security Rule outlines some specific aspects that may need to be considered; most of these questions are answered in the HHS Security Rule FAQs:

  • Are organizations expected to implement modern cyber security controls and practices?
    • Yes – protecting e-PHI is essential for operations. Modern cyber security controls and policies enable organizations to tackle the growing problem of cybercrime targeting healthcare more effectively.
    • Additionally, attacks can lead to downtime and affect operations.
  • Is there an official tool to help with the HIPAA Security Rule?
    • Yes – the Security Risk Assessment Tool is provided by the Office of the National Coordinator for Health Information Technology (ONC).
    • Organizations should perform either in-house or third-party cyber security assessments, as these are mandatory requirements.
  • Can I share e-PHI via email?
    • Yes – you can share e-PHI via email as long as you follow the requirements surrounding access control, integrity, and transmission security.
    • At a minimum, ensure you have an information security policy focused on preventing data exposure, tracking e-PHI, and encrypting transmissions.
  • Is it possible to outsource cybersecurity for HIPAA?
    • Yes – outsourced cybersecurity is a great way to ensure you have a skilled team monitoring your systems and data.
    • Compliance with the administrative, technical, and physical controls can be greatly accelerated by engaging a specialized firm for assistance.

Reporting a HIPAA Breach

How do you report a HIPAA breach? For the most up-to-date information on reporting a HIPAA breach, we recommend consulting the HHS HIPAA Breach Notification Rule. Generally, the rule calls for evaluating the individuals who may have been affected and attempting to determine what data may have been accessed. This can require a specialized team to investigate the incident.

“Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.” – (HHS.Gov 2021)

Further Considerations

We consistently reiterate that cyber security is important for all industries. The introduction of e-PHI into an environment simply accelerates the need for more advanced data tracking and control solutions. Healthcare firms cannot claim ignorance of the rules given the amount of attention cyber crime receives on a daily basis. Make sure you research what is expected of you to help protect patient data – the reputational and financial harm from a breach can be disastrous.
