What Cyber Security is required for HIPAA?
HIPAA requires covered entities, and the business associates that create, receive, maintain, or transmit ePHI on their behalf, to implement administrative, physical, and technical safeguards around that data. Ignorance of the rules is not an excuse, and willful neglect carries the most severe civil penalties. Patients (concerned or angry!) can also file a complaint with the HHS Office for Civil Rights if they suspect their ePHI is being mishandled, so enforcement does not only begin with an audit.
Cyber security is now a concern for every industry, but attackers concentrate on the most valuable data, and medical records are among the most valuable: unlike a card number, a patient record cannot be reissued once exposed. Healthcare organizations of all sizes therefore face a new wave of strict requirements, not only from regulators but from cyber-insurance carriers and business partners across the board.
The HIPAA Security Rule
The HIPAA Security Rule is deliberately technology-neutral: it does not prescribe specific products or configurations, but it does define the safeguard areas that must be covered (administrative, physical, and technical) and a set of implementation specifications within each. Some specifications are "required" and some are "addressable". Addressable does not mean optional: you must either implement the specification or document why an equivalent alternative is reasonable and appropriate for your environment.
ePHI is any protected health information that is created, received, stored, or transmitted electronically, so the common sources are the systems that hold patient data: EHR and practice-management platforms, billing, imaging, email, and backups. Because the majority of US practices rely on these networked systems, the Security Rule is a near-universal requirement.
Realistically, the rule should be read as the price of using electronic systems for patient data at all: if you hold ePHI, you are in scope. Protecting patients' health information is vital both to comply with privacy law and to keep their trust.
Do you need to certify with HIPAA for cyber security? No. HHS does not recognize or require any HIPAA certification, and a vendor's "HIPAA certified" badge does not transfer compliance to you. What the Security Rule does require is an accurate and thorough risk analysis of the threats to your ePHI and the controls currently in place, followed by risk management to address what the analysis finds.
This is not just a regulatory requirement; it is also the best practice for staying ahead of cybercrime. The rule calls for the risk analysis to be kept current rather than fixing a calendar interval, but an annual assessment, repeated after any significant change to systems or processes, is a sensible minimum for any organization regardless of industry or compliance obligations.
HIPAA Cybersecurity Specifics
The HIPAA Security Rule raises some specific questions that come up repeatedly; most are answered in the HHS Security Rule FAQs.
- Are organizations expected to implement modern cyber security controls and practices?
  - Yes. Protecting ePHI is essential to operations, and the rule's risk-based approach means controls are expected to keep pace with current threats: what was "reasonable and appropriate" a decade ago may not be today.
  - Attacks also cause downtime. A ransomware incident that takes the EHR offline is an operational problem before it is a compliance one.
- Is there an official tool to help with the HIPAA Security Rule?
  - Yes. The Security Risk Assessment (SRA) Tool is published by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS Office for Civil Rights (OCR), and is aimed at small and medium-sized providers.
  - A risk analysis is mandatory whether it is performed in-house or by a third party. The tool helps structure that analysis but does not replace it, and completing it does not by itself constitute compliance.
- Can I share ePHI via email?
  - Yes, as long as you meet the requirements for access control, integrity, and transmission security. Encryption in transit is an addressable specification, which in practice means it is expected unless you have documented why an equivalent safeguard is adequate.
  - At a minimum, have a written information security policy that defines who may send ePHI by email and to whom, how those messages are logged and tracked, and how they are encrypted in transit (enforced TLS between mail servers, or end-to-end encryption where the recipient's server cannot be trusted). A patient may still ask to receive their own records by unencrypted email, but they should be warned of the risk first and the request documented.
- Is it possible to outsource cybersecurity for HIPAA?
  - Yes. An outsourced provider gives you a skilled team monitoring your systems and data, and engaging a specialized firm can greatly accelerate compliance with the administrative, technical, and physical safeguards.
  - Any provider that can access your ePHI is a business associate and must sign a business associate agreement (BAA) before it starts work. Outsourcing the work does not outsource the obligation: the covered entity remains responsible for its own risk analysis and compliance.
Reporting a HIPAA Breach
How do you report a HIPAA breach? For the current process and deadlines, start with the HHS HIPAA Breach Notification Rule and the OCR breach reporting portal. In short: a breach of unsecured PHI ("unsecured" meaning not encrypted or destroyed in line with HHS guidance, which is one reason encryption at rest matters) is presumed reportable unless you can document, through a risk assessment, a low probability that the data was compromised. That assessment covers what PHI was involved, who obtained or accessed it, whether it was actually acquired or viewed, and how far the risk has been mitigated, which is why the investigation often needs a specialized incident response team. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must be reported to the Secretary of HHS within the same window (smaller breaches can be logged and reported annually), and breaches affecting more than 500 residents of a state or jurisdiction also require notice to prominent media outlets.
“Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.” – (HHS.Gov 2021)
We consistently reiterate that cyber security matters for every industry; adding ePHI to an environment only raises the bar on how closely data must be tracked and controlled. With the attention cyber crime receives daily, healthcare firms cannot claim ignorance of the rules. Research what is expected and put it into practice: the reputational and financial harm from a breach, and from the enforcement action that follows it, can be disastrous.