Category: Healthcare

Escalating Risks to Healthcare Data

The challenges of securing medical devices from cyberattacks made headlines again last week as the U.S. Food and Drug Administration (FDA) warned that some insulin pumps made by Medtronic MiniMed may be at risk of a cybersecurity breach. In response, Medtronic recalled the affected MiniMed pumps and is providing patients with alternative pumps.
As the healthcare industry quickens its pace toward incorporating more IoT devices and wearables for the sake of improved patient care, there is also a clear downside to the trend. The connectivity inherent in these same medical devices can also pose a serious threat to patients and providers. Device vulnerabilities can lead to security breaches that could potentially impact the safety and effectiveness of the device. Due to the high value of healthcare data, the risks are escalating rapidly.
Weighing Risks and Rewards
Healthcare organizations and patients alike must weigh the risks and rewards of relying on such medical devices the same way they already consider the pros and cons of their network connected endpoints. Laptops, tablets and phones have proven to be a critically important piece to delivering cutting-edge patient care as well as growing organizational efficiency. For large hospitals, small doctors’ offices and every healthcare provider in between, mobile medical technology is how modern patient care is delivered.
But securing patient data — including personal information, payment details, health histories and more — on vulnerable endpoints has long been a real problem for the industry. More than 2 million people saw their information exposed via a healthcare data breach in May alone.
Government regulations that oversee the protection of personal information — including HIPAA and a host of others — are busy trying to keep up with breach investigations. Large fines are regularly doled out, yet the pilfering by hackers continues at a relentless clip. At the same time, security spend is also on the rise, motivated by organizations scrambling to fend off attackers.
Read: The State of Endpoint Health in 2019
Now What?
A strong security posture must start with unparalleled visibility — because you can’t secure what you can’t see. This is the approach Allina Health, the major healthcare provider for the state of Minnesota took when they implemented Absolute across their more than 10,000 devices.
With Absolute, Allina Health can see all of their devices, whether they are on the network or not, identify devices that are missing or not being used, and prove that security controls such as patch management, antivirus and encryption are always in place. In addition, Allina Health has been able to save over one million dollars by identifying underutilized assets, prove compliance with HIPAA by validating that encryption is in place on all devices, at all times, and achieve 95 percent laptop auditing accuracy.
“I sleep better at night knowing that if a device goes missing, we have the tools and services that Absolute provides to track it down…and validate that encryption was in place [when the incident occurred],” said Danielle Bong, IT Asset Manager, Allina Health.
Healthcare endpoints are key to providing better patient care and improving organizational efficiency – security improvements must be made for the benefit of everyone but the hackers.
To learn more about how Allina Health uses Absolute, download our case study: Allina Health Ensures HIPAA Compliance.

5 Cybersecurity Healthcare Tips

HIPAA Compliance Awareness During National Nurses Week 2019
If saving lives and caring for the sick aren’t already steep enough responsibilities, today, the sophisticated world of cybercrime has thrust the healthcare industry, and the medical professionals that work within it, into its crosshairs.
Healthcare and the Digital Workspace
That means on-the-go nurses — with laptops and tablets in hand that often contain sensitive, HIPAA-regulated data — are subject to all the cyber risks that apply to those devices. Healthcare organizations, like all businesses that are adapting to the modern digital workplace, need to see and understand the risks to endpoint devices and the data on them.
In recognition of National Nurses Week and to support all that is asked of these hard-working, caring professionals, here are 5 tips for how healthcare organizations can apply a cybersecurity-centric mentality to the job.
5 Cybersecurity Healthcare Tips

Educate all staff — To mitigate the risk of employee mishap and misuse, train staff on the importance of data security. Implement a well-communicated policy on how and when to report missing devices, suspicious email trends and device irregularities and maintain enforceable repercussions for intentional infractions. Read: Healthcare Cybersecurity and Data Security in 2019 for insight into this year’s top threats.
Help the C-suite understand — Appoint a CISO or Data Protection Officer to be responsible for your organization’s data security. This person should oversee HIPAA compliance initiatives and ensure data security is a regular topic at Board meetings.
Take back control of your endpoints — When endpoints go rogue or become invisible due to faulty security agents, you need to act fast. Absolute’s proprietary Persistence® technology is embedded in the firmware of more than 70 percent of the world’s endpoint devices. Because it’s the only embedded security solution, it is the only cloud-based platform that maintains a persistent connection to devices, regardless of user behavior or device performance.
Add resiliency to security solutions — The 2019 Endpoint Security Trends Report found that more security does not equate to more secure devices. In fact, much of organizational endpoint security spend is wasted on solutions that simply don’t work due to missing or broken agents or disabled controls. Rather than throwing good money after bad, IT and security teams should instead strive to reduce complexity on the endpoint and focus on ensuring that existing security tools are fortified, more resilient, and less inclined to fail.
Get real about real-time evaluation and response — Your organization should be able to evaluate its security posture in real time to ensure all devices are patched for known vulnerabilities, whether on or off the network. When new vulnerabilities crop up (and they will), your IT team should be in a position to proactively address these emerging threats with data controls and/or patch distribution. According to a Ponemon study, 425 hours are wasted each week by IT teams chasing false negatives and false positives.

Focus on What Works
There isn’t a single checkbox healthcare organizations can tick to secure data. Layering on all the security tools in the world won’t guarantee total data security either. Instead, maximize the resources you already have – your people, your processes and your controls. A concerted effort across each of the five areas listed above will provide a solid foundation from which to build for the benefit of patients, medical staff and the organization as a whole.
If you’d like to learn more about how to protect your organization and medical staff from today’s cyber threats, get our latest case study, Apria Healthcare Delivers Secure Health Solutions with Absolute.  And, in great appreciation for all healthcare professionals, we extend our heartfelt thanks.

In Clinic or In a Patient’s Home, Apria Healthcare Keeps Data Secure

Healthcare technology — which includes everything from medical staff tablets to monitoring devices, patient sensors and even prosthetics — is increasingly reliant on an interconnected network. The interconnectedness enables improved patient care but it also opens the door for added vulnerabilities. As cyber crime skyrockets across the healthcare industry, Apria Healthcare, one of the nation’s leading home respiratory services and medical equipment providers, recognized the risks early on and implemented Absolute to better secure their patient data.
Headquartered in Lake Forest, California, Apria operates more than 400 locations servicing 1.8 million patients per year through in-home care and 24/7 clinical services. In order to support home-healthcare — by far the fastest growing healthcare sector at an annual growth rate of 7% largely due to its potential for improved care at a reduced cost — Apria’s 8,000 employees rely heavily on mobile devices. For Apria therapists to better access critical patient data while in a patient’s home and therefore deliver improved care, the organization deployed a fleet of tablets protected with Absolute.
Read: Why Data Privacy in Healthcare Matters
Unbreakable Visibility & Control
With Absolute Persistence® technology installed, Apria gained unbreakable endpoint visibility and control. They now have a reliable, two-way connection to each device and can remotely monitor the status of their devices to avoid a healthcare data breach. They can also track device location if one was ever lost or stolen.
To make that data meaningful, Apria has created several groups of employees based on their location and function, with automated alerts if details (like username or location) change unexpectedly. Apria is then able to investigate and remotely freeze or wipe the device, as needed.
“Each of our devices is tied to an individual,” said Janet Hunt, Senior Director, IT Quality & Support Services, at Apria. “With Absolute, we can establish groups that we categorize by employee, location, and function.”
Apria is now confident in their ability to see and control all of their devices and secure sensitive information, keeping them in compliance with HIPAA and other health regulations. They can track and report on inventory, device location and activity — no matter where the device is located.
“Absolute is the number one priority for our CIO,” Hunt said. “I can’t verbalize how important this is to my company and how much more effective we’ve become at securing our healthcare data.”
To find out how Apria Healthcare uses Absolute to secure patient information, gain visibility into device location and activity and improve access to patient care in the field, check out the case study or read up on our healthcare solutions.

10 Future-Proof Cybersecurity Tips for Healthcare

The threat of cybercrime can be felt most strongly where its impact is most acute. Although threats are very real to all industries – including critical infrastructure, government, financial services and others – healthcare has the biggest target on its back today. These threats have been steadily rising for many years and last year was no exception. See the 15 largest health data breaches of 2018. What can you do to stay safe in 2019? Here are 10 future-proof cybersecurity tips for your healthcare organization.
Individual Impact
The impact of data breaches on organizations is significant, with healthcare data breach costs ranking the highest of any industry at $408 per breached record. But what about the impact to a patient? What happens when patient data is used in medical identity theft for years, only discovered when the collections agency comes calling? Or worse, when a patient receives incorrect medical care because the medical record is compromised by false updates? What happens to the patient who enters the hospital for care only to find all hospital systems shut down by ransomware? What happens to the patient if his pacemaker or MRI machine is hacked?
Risky Technology
Healthcare technology is continually advancing with the goal of improving patient outcomes, and yet many technologies are being deployed before security concerns can catch up. We trust that we’ll receive the best care possible from our doctors, but we’ve only just begun to feel the impact of cybersecurity threats on patient care. So, what can healthcare organizations do to improve this escalating situation?

Review all contracts — Healthcare organizations today are large and complex systems, with many ‘smaller’ entry points through partner systems or vendors. Security standards must be reviewed regularly and a process put in place to promptly report data breaches by all partners and vendors. Organizations should make sure that they have the contractual rights to insist on security standards for vendors.
Formalize breach notification process — Include both detection and response capabilities and consider purchasing cyber liability insurance. Under GDPR requirements, organizations must report a data breach to the supervisory authority within 72 hours; HIPAA’s Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 days after discovery. Read: 5 Tips for Compliance Officers Dealing with GDPR.
Rehearse your data breach plans — Run tabletop exercises so that your organization can determine what was exposed and report on the consequences of a breach in a timely manner.
Maintain endpoint visibility — Ensure firmware and software can be updated against vulnerabilities and alerts can be issued if a device goes missing, misses an update or shows signs of tampering.
Protect legacy technology — The reality of limited budgets in healthcare means that many legacy systems remain unsupported and that could place the entire network at risk. Isolating these systems or building protections around legacy systems can serve as a temporary safeguard until systems can be modernized.
Automate detection and response capabilities — A recent Ponemon study found that traditional endpoint security approaches are costing enterprises more than $6 million in poor detection, slow response and wasted time. Security solutions should be automated to detect and contain threats with minimal human input or intervention.
Add resiliency to security solutions — How can you ensure that your current security controls cannot be tampered with by malicious or insider activity? This resiliency is available through Absolute’s persistence technology.
Help the C-suite understand — Appoint a CISO or Data Protection Officer to be responsible for data security and to ensure data security is a regular topic at Board meetings, a key differentiator in reducing security gaps.
Educate staff — Train them on the importance of data security to mitigate the insider threat. Have a well communicated policy on how and when to report lost devices or suspicious texts or emails and enforceable repercussions for infractions.
Conduct regular compliance reviews — GDPR lays out stringent data protection requirements, as do HIPAA and the HITRUST CSF framework. Be proactive in identifying and rectifying issues. Read: HIPAA Compliance Checklist for 2019

Patient medical records are now the #1 target for cyber criminals. And healthcare organizations are legally required to protect their PHI, even as it leaves their systems and goes to business associates and other covered entities.
For more on how you can prevent data breaches, read about actionable strategies in the whitepaper, Data Breach Prevention for Healthcare: A Best Practice Guide.

Why Data Privacy in Healthcare Matters

Data privacy in healthcare is much more than a regulation checkbox. It directly correlates to a sustainable, successful global healthcare system. In the continuous battle for better patient care and a business model that makes healthcare more affordable, information is king.
The Rising Cost of Healthcare
According to a study published in the Journal of the American Medical Association (JAMA), the rising cost of healthcare is due to five primary factors:

Population growth
Population aging
Chronic disease prevalence
Use of medical services
Service price and intensity (i.e. pharmaceutical drug prices)

These factors drive healthcare spending – which is skyrocketing. By 2022, global healthcare spending is expected to reach just over $10 trillion annually. In the U.S. alone, healthcare spending rose nearly a trillion dollars over the past ten years.
The rising costs hurt consumers of course (as anyone who has been to the doctor lately can tell you), but they are also a painful reality for healthcare organizations. Administrators must determine how to deliver the best possible patient care, while remaining in the black.
Data is the New Healthcare Currency
In the search for a more sustainable business model to meet these competing demands, many geographies, the U.S. included, are now seeing an industry shift from the volume-based, fee-for-service model to a more patient-centric, value-based approach. The rationale behind it is that a sick person is already an expense; whereas to focus on wellness, prevention and early intervention is a mutually-beneficial partnership that reduces costs over the long-term.

To deliver on value, healthcare organizations must rely heavily on digital technologies, clinical innovations, virtual care and plenty of patient information. At this intersection, we find the increasingly-common phrase, ‘data is the new healthcare currency.’ For this reason, data privacy belongs at the center of any conversation about the business of health care.
Patients expect it. Regulators require it. Your reputation depends on it.
Valuable Data in a Growing Attack Vector
Beyond the value healthcare providers assign data for the purpose of patient care, cybercriminals also find great value in healthcare data records. One report says electronic healthcare records (EHR) are valued at $250 per record on the black market compared to the next highest priced record – a credit card – at just $5.40. With that kind of money in play, healthcare is a particularly attractive target for financially motivated attackers. It makes sense, then, that healthcare organizations see an average of 32,000 intrusion attacks per day, per organization as compared to 14,300 attacks per organization in other industries.
And the possibilities for cybercriminals to attack are growing as healthcare organizations’ threat surface expands. Caregivers and employees are more mobile, partnerships with third parties are more common, and medical devices are increasingly complex with new IoT technology.
Read: Are Hacked Medical IoT Devices Ransomware’s Next Target?
Cost of a Data Breach
An attempt at your data is likely, and once breached, it will be costly. In their Annual Cost of a Data Breach Study 2018, the Ponemon Institute identified breach resolution costs (including detection and escalation, notification, post data breach response and lost business) to be highest for healthcare of any industry by far at $408 per record. The industry ranked second is financial services at a considerably lower price point of $206 per record.
These numbers don’t include the regulatory fines that inevitably follow a confirmed breach. How non-compliance is handled is unique country-to-country, but none of the fines come cheap. As regulations continually evolve and penalties multiply, it’s clear that data privacy needs to remain a top priority.
To learn more about how to avoid a costly breach and embrace the digital healthcare revolution, download the whitepaper: The Cost of a Data Breach in Healthcare.

Healthcare Cybersecurity and Data Security in 2019

Healthcare has rapidly evolved from a traditionally paper-based industry to one that has embraced digital in almost every way. The growth of technology and patient care has subsequently thrust the industry into the spotlight when it comes to protecting sensitive information.  Healthcare cybersecurity and data security in 2019 is one of the top issues facing the healthcare industry.
State of Cybersecurity in the Healthcare Industry
The number of endpoints on healthcare networks is growing exponentially, especially with the popularity of both personal and corporately-owned mobile devices. Add in a host of IoT devices such as printers and smart appliances, and the potential for trouble is significant. The intention behind these devices is improved productivity. However, when you combine device proliferation with healthcare organizations’ legacy systems and inadequate security budgets, it becomes a pervasive security and interoperability problem.
To make matters worse, employees who lose devices or see them stolen, click on a phishing link or inadvertently send Protected Health Information (PHI) across insecure channels only exacerbate the issue. You’re left with a recipe for embarrassing, costly leaks of sensitive data — not to mention the likelihood of hefty fines under HIPAA and HITECH regulations.
The need for better endpoint visibility and control has never been greater.
Why is Data Security the Biggest IT Concern for Healthcare Organizations?
While there are countless complex challenges facing healthcare IT professionals, it’s almost unanimous that security is at the top.
By widely adopting electronic information systems, any organization that does business in the healthcare industry has increased its risks regarding sensitive patient data protection. This is not lost on hackers, who have adapted their methods and tactics to monetize their attacks by seizing control over healthcare data, encrypting data and asking for ransom. This attack, known as ransomware, hits the healthcare industry particularly hard.
The pervasive vulnerabilities that threaten our ability to protect confidential data are a huge concern for healthcare decision makers. The numbers explain why.
The Protenus Breach Barometer for the third quarter of 2018 reports a total of 4.4 million patient records compromised in 117 health data breaches, with the number of affected patient records increasing in each quarter.
According to the Cost of a Data Breach Report conducted by the Ponemon Institute and IBM, the average healthcare data breach costs $408 per record — the highest of any industry for eight straight years. At almost triple the cross-industry average of $148 per record, it is obvious that cyber and data security is one of the most critical concerns for the industry.
Perhaps the biggest concern, however, is this: as organizations place more medical devices onto their networks, those IoT devices are also vulnerable to attack, and can even endanger the lives of their patients.
Most Common Cybersecurity Threats in Healthcare
The number of threats facing the healthcare industry is only going up. We’ve touched upon a few of the main threats already, but it’s a good idea to categorize them into four main groups — all of which can jeopardize PHI or ePHI, the cornerstone of healthcare data.
Ransomware
We discussed ransomware in the previous section, and because it dwarfs all other types of cyber-attacks facing healthcare companies, we’re listing it first.
Security experts agree that phishing emails, the primary method for launching a ransomware attack, will persist and prey on the healthcare sector.
Insider Threats
This one may not seem as obvious, but the threat is real.
So real, in fact, that the Verizon 2018 Protected Health Information Data Breach Report found healthcare to be the only industry in which internal actors represent the biggest risk to an organization. The study also reports that 58% of all healthcare data breaches and security threats are caused by insiders: anyone with access to healthcare resources and important data.
IoT Healthcare Attacks
As Internet-connected medical devices are adopted on a much grander scale each year, IoT is going to be a huge issue for healthcare. On the one hand, hospitals and other providers benefit from IoT’s medical advancements and infrastructure improvements. On the other hand, most IoT devices are not built with cybersecurity as a default.
In fact, hacked medical IoT devices may be used to launch ransomware attacks.
Due to the severity of risks involved, IoT security mustn’t be overlooked.
Supply Chain Attacks
You may have the best security in your organization or network, but what about your suppliers, service providers, partners, or business associates who have access to your data? Those networks or systems may not be as secure. Hackers can and will focus on these weaker networks.
A supply chain attack is when a hacker exploits one of the weak links in your supply chain and leverages it as a form of indirect access into your network. Hackers are always looking for backdoors, and the supply chain is often their way in, either through insecure networks, software or hardware.
Interesting fact: in a recent CrowdStrike survey, 84 percent of healthcare respondents agree that “software supply chain attacks have the potential to become one of the biggest cyber threats to their industry.”

3 Ways to Improve Healthcare Data Security
Maintaining control over critical PHI or other sensitive data isn’t easy, but if healthcare organizations make a concerted effort to follow these three approaches they should be ahead of the game.
1. Take Back Control Of Your Endpoints
When endpoints go missing or show cause for concern, you need to act fast and smart. Failing to act quickly puts you at risk of exposing your organization to ransomware attacks and security breaches.
The fact is, laptops at a healthcare organization often go missing for months before the loss is detected in a yearly IT audit. Your efforts need to be focused on reshaping this critical flaw in oversight. When a device misses an update, goes missing or shows signs of tampering, you need to make sure red flags go up immediately so you can deal with it ASAP.
2. Strengthen Your Security Posture
Organizations should consider investing in endpoint controls and applications to protect their most critical assets. In doing so, you ensure your applications are running smoothly and have not been tampered with. Critical applications such as VPN, antivirus, encryption, device management and other controls are too easily compromised by malware, corruption or negligent users and often leave IT and security pros flying blind.
Improving visibility and control to the endpoint can help patch these holes in a healthcare security environment that might otherwise render existing and new security layers ineffective.
3. Get Real About Real-Time Evaluation and Response
Your organization should be able to evaluate its security posture in real time to ensure all devices are patched for known vulnerabilities, whether on or off the network. When new vulnerabilities crop up (and they will), your IT team should be in a position to proactively address these emerging threats with data controls and/or patch distribution.
According to a Ponemon study, 425 hours are wasted each week by IT teams chasing false negatives and false positives. By following these approaches, it’s estimated organizations can save an average of $2.1 million annually in time saving. Even better, they’ll have a greater chance of preventing a costly breach.
Finally, risk analysis should be an ongoing process that checks the following boxes for covered entities: regularly review records to track access to ePHI and detect security incidents; periodically evaluate the effectiveness of security measures put in place; and regularly re-evaluate potential risks to ePHI.
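The first of those boxes, regularly reviewing records to track access to ePHI, is where most organizations stall because the audit log is large and nobody reads it. The script below is an added example, not code from the original post or from any vendor, showing what an automated first pass over such a log can look like. The log format (timestamp, user, role, user’s unit, patient, patient’s unit, action), the role names, the business-hours window and the bulk-access threshold are all assumptions chosen for illustration, and the log lines themselves are constructed sample data. It flags three patterns a HIPAA information system activity review typically looks for: clinical staff opening charts outside their own unit, non-clinical staff reading charts out of hours, and any user touching an unusual number of distinct patients within an hour.

```python
"""Automated first pass over an ePHI access audit log.

Added example, not from the original post. The log layout, role names,
unit names and thresholds are assumptions chosen for illustration.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

CLINICAL_ROLES = {"nurse", "physician"}   # assumed: may legitimately chart at night
BUSINESS_HOURS = range(6, 20)             # assumed: 06:00-19:59 for non-clinical staff
BULK_THRESHOLD = 5                        # assumed: distinct patients per user per hour

# Assumed column order of the audit export.
FIELDS = ["ts", "user", "role", "user_unit", "patient", "patient_unit", "action"]

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2019-05-06T09:12:00,jdoe,nurse,ICU,P1001,ICU,view
2019-05-06T09:15:00,jdoe,nurse,ICU,P1002,ICU,view
2019-05-06T09:20:00,jdoe,nurse,ICU,P2001,ONC,view
2019-05-06T02:40:00,rsmith,billing,ADMIN,P1001,ICU,view
2019-05-06T10:00:00,tlee,nurse,ONC,P2001,ONC,view
2019-05-06T10:01:00,tlee,nurse,ONC,P2002,ONC,view
2019-05-06T10:02:00,tlee,nurse,ONC,P2003,ONC,view
2019-05-06T10:03:00,tlee,nurse,ONC,P2004,ONC,view
2019-05-06T10:04:00,tlee,nurse,ONC,P2005,ONC,view
2019-05-06T10:05:00,tlee,nurse,ONC,P2006,ONC,view
2019-05-06T11:30:00,rsmith,billing,ADMIN,P1002,ICU,view
"""


def parse_log(text):
    """Yield one dict per audit record with the timestamp parsed."""
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.fromisoformat(row["ts"])
        yield row


def review_access_log(text):
    """Return a list of findings; each has a rule name, the user and a detail string."""
    findings = []
    per_user_hour = defaultdict(set)  # (user, hour bucket) -> distinct patients

    for rec in parse_log(text):
        bucket = rec["ts"].replace(minute=0, second=0, microsecond=0)
        per_user_hour[(rec["user"], bucket)].add(rec["patient"])

        # Clinical staff reading a chart that belongs to another unit.
        if rec["role"] in CLINICAL_ROLES and rec["user_unit"] != rec["patient_unit"]:
            findings.append({"rule": "cross_unit", "user": rec["user"],
                             "patient": rec["patient"],
                             "detail": f"{rec['user_unit']} staff opened a "
                                       f"{rec['patient_unit']} chart"})

        # Non-clinical staff reading charts outside business hours.
        if rec["role"] not in CLINICAL_ROLES and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append({"rule": "after_hours", "user": rec["user"],
                             "patient": rec["patient"],
                             "detail": f"{rec['role']} access at {rec['ts'].isoformat()}"})

    # Anyone touching more distinct patients in an hour than the threshold allows.
    for (user, bucket), patients in per_user_hour.items():
        if len(patients) > BULK_THRESHOLD:
            findings.append({"rule": "bulk_access", "user": user, "patient": None,
                             "detail": f"{len(patients)} distinct patients in the hour "
                                       f"starting {bucket.isoformat()}"})
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f['rule']:12} {f['user']:8} {f['detail']}")
```

Each finding is a lead for a human reviewer, not a verdict: a nurse floating to another unit or a billing clerk working a night shift will trip these rules legitimately, so the value is in tuning the thresholds to your staffing model and keeping the exceptions documented, which is exactly the evidence an OCR investigation asks for.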
We hope you’ve found several takeaways here, and are in a better position to improve your healthcare cybersecurity posture. If you need more strategic tips, be sure to check out our HIPAA Compliance Checklist for 2019.

Avoid Security Breaches in Healthcare with Data Visibility

Security breaches in healthcare are rampant. Just one month into 2019 and the Office for Civil Rights (OCR) already has plenty of new Health Insurance Portability and Accountability Act (HIPAA) compliance violations to investigate. The well-known ‘wall of shame’ data breach portal shows that in January alone more than 350,000 individuals have had their protected health information (PHI) compromised by a data breach. The reported causes of these healthcare security breaches are: hacking, loss or theft of devices, unauthorized access/disclosure, and improper disposal.
The Cost of a Healthcare Data Breach
Healthcare IT security continues to be a growing issue. Not only has the number of victims increased, so has the cost to those involved. According to Ponemon Institute, healthcare data breach costs are the highest of any industry at $408 per record. In 2018, we saw the largest HIPAA settlement the OCR has reached since it began enforcing HIPAA compliance, when health insurer Anthem Inc. agreed to pay $16 million in October.
Read The Cost of a Data Breach in Healthcare
Why is healthcare hit so hard? Healthcare is data and all of it – personal, familial and financial information – is highly valued by cyber criminals. Add to that the organizations themselves are typically large, distributed, and often encumbered by legacy systems and/or inadequate security budgets, making them an easy target in too many cases.

Faced with these and other challenges, it is increasingly important that healthcare organizations make the most of their security investments. But that doesn’t mean layering on every new tool is the right answer — for strong security or for compliance. Many organizations wrongly assume that deploying a host of security technologies inevitably ensures compliance when, in reality, the safer bet is to start with the data and knowing where it resides.
The Burden of Proof for HIPAA Compliance
Under the HIPAA Breach Notification Rule, the Department of Health and Human Services (HHS) has issued guidance specifying the “technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals,” namely encryption and destruction. PHI secured by those methods is not considered breached if it is lost or stolen, so it falls to healthcare organizations to supply proof of data encryption or proof of destruction at the time of the incident in order to avoid notification obligations and liability for non-compliance.

The challenge is that you can’t secure (in this case encrypt) or validate for devices you can’t see. Visibility into the health and efficacy of your endpoints is a key element in remaining HIPAA compliant. Identifying all of your endpoints —even those that are inactive — also happens to be the starting point to a solid security program too.
Devices are re-imaged, users disable apps, registry files become corrupted, and devices leave the protection of the network. All of these ‘dark’ devices remain outside the control of IT, posing a significant threat to data security and HIPAA compliance. Moreover, in the event of a security incident, these devices may no longer have the technology needed to prevent the incident from escalating to a full-scale data breach.
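Quantifying the dark-endpoint problem, and proving what state a device was in when it went missing, comes down to two questions you can answer from data you already have: which registered devices have stopped reporting or are reporting without encryption, and what was the last encryption status a given device reported before the incident, and is that report recent enough to stand as evidence. The script below is an added example, not the vendor’s code and not from the original post. The asset register, the agent check-in records, the 14-day dark window and the one-day freshness limit for an attestation are all assumptions, and the data is constructed.

```python
"""Dark-endpoint classification and point-in-time encryption attestation.

Added example, not the vendor's code. The record layouts, the 14-day dark
window and the one-day attestation freshness limit are assumptions.
"""
from datetime import datetime, timedelta

DARK_AFTER = timedelta(days=14)          # assumed: no check-in for 14 days = dark
ATTESTATION_MAX_AGE = timedelta(days=1)  # assumed: older status can't prove the moment of loss

# Constructed asset register: device id -> assigned user (not real data).
ASSET_REGISTER = {
    "LT-001": "nurse-a",
    "LT-002": "nurse-b",
    "LT-003": "therapist-c",
    "LT-004": "spare",
}

# Constructed agent check-ins: (device id, timestamp, disk encryption reported on).
CHECKINS = [
    ("LT-001", "2019-05-01T08:00:00", True),
    ("LT-001", "2019-05-20T08:05:00", True),
    ("LT-002", "2019-05-19T17:30:00", False),  # alive, but encryption reported off
    ("LT-003", "2019-04-20T09:00:00", True),   # last seen a month ago
    ("LT-999", "2019-05-20T07:00:00", True),   # reports in, absent from the register
]

NOW = datetime.fromisoformat("2019-05-21T00:00:00")  # constructed reference time


def latest_checkins(checkins, not_after=None):
    """Most recent check-in per device, ignoring anything after `not_after`."""
    latest = {}
    for dev, ts, encrypted in checkins:
        seen = datetime.fromisoformat(ts)
        if not_after is not None and seen > not_after:
            continue
        if dev not in latest or seen > latest[dev][0]:
            latest[dev] = (seen, encrypted)
    return latest


def classify_fleet(register, checkins, now):
    """Map every device to ok / encryption_off / dark / never_seen / unregistered."""
    latest = latest_checkins(checkins)
    status = {}
    for dev in register:
        if dev not in latest:
            status[dev] = "never_seen"      # in the books, never reported: fully dark
            continue
        seen, encrypted = latest[dev]
        if now - seen > DARK_AFTER:
            status[dev] = "dark"            # agent gone quiet beyond the window
        elif not encrypted:
            status[dev] = "encryption_off"  # visible, but the control is missing
        else:
            status[dev] = "ok"
    for dev in latest:
        if dev not in register:
            status[dev] = "unregistered"    # reporting, but nobody owns it on paper
    return status


def encryption_at(checkins, device_id, incident_time):
    """What can be proven about disk encryption on `device_id` at `incident_time`?

    Uses only reports made at or before the incident. Returns None when the
    device never reported before then; otherwise the last reported state and
    whether it is fresh enough to count as an attestation.
    """
    when = datetime.fromisoformat(incident_time)
    record = latest_checkins(checkins, not_after=when).get(device_id)
    if record is None:
        return None
    seen, encrypted = record
    return {
        "encrypted": encrypted,
        "reported_at": seen.isoformat(),
        "attestable": encrypted and (when - seen) <= ATTESTATION_MAX_AGE,
    }


if __name__ == "__main__":
    for dev, state in sorted(classify_fleet(ASSET_REGISTER, CHECKINS, NOW).items()):
        print(f"{dev}: {state}")
    print(encryption_at(CHECKINS, "LT-001", "2019-05-10T12:00:00"))
```

Note the distinction the second function draws: LT-001 was reporting encryption on both before and after 10 May, but the last report before that date is nine days old, so a “we believe it was encrypted” claim for an incident on 10 May rests on stale evidence. The freshness limit is the parameter to negotiate with your compliance team; how often the agent must report is what determines whether you can ever make the safe-harbor argument.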
Would you be able to validate your data security at the exact moment of an incident? Quantify the extent of your organization’s dark endpoint problem by starting with this free assessment. And, if you would like more information on effective steps to protect your healthcare data, watch this webinar with Absolute and SANS Institute, 7 Steps to Protecting Data in the Era of Digital Care.

What is HIPAA Compliance and Why is it Important to Healthcare Security?

If you are involved with the healthcare industry, you’ve probably heard of HIPAA, the Health Insurance Portability and Accountability Act. Regulations and best practices surrounding HIPAA can be confusing, but it’s critical that anyone connected to the healthcare industry understand at least the basics.
So we’re here to break things down for you.
First, and perhaps most important, is to answer one of the most commonly asked questions:
What is HIPAA compliance?
HIPAA Compliance Definition
HIPAA compliance is an ongoing obligation rather than a one-time project: health care organizations must implement, and keep implementing, the regulation’s standards in order to protect the privacy, security, and integrity of protected health information. HIPAA compliance requirements are discussed near the end of this post.
Before we continue, three more acronyms need to be highlighted which figure prominently in the definition:

PHI = Protected Health Information
HHS = Department of Health and Human Services
OCR = Office for Civil Rights

HIPAA’s regulatory standards were created to establish the legal use and disclosure of protected health information (PHI). The Department of Health and Human Services (HHS) regulates compliance, and the Office for Civil Rights (OCR) enforces compliance.
The OCR also provides ongoing guidance on developments affecting health care and is responsible for investigating HIPAA violations.
Need a HIPAA compliance checklist? Absolute’s got you covered! 
Decoding PHI
While HHS and OCR are self-explanatory, PHI requires further explanation.
Protected Health Information (PHI) is the combination of one’s identifying information (such as your name or address) and any health-related data collected from a healthcare practitioner or facility, such as your medical record, any conversations with providers, or billing/insurance information.
PHI is anything that contains both your Personally Identifiable Information (PII) and your health information.
For example, if we know that Sheldon Cooper is diagnosed with obsessive-compulsive disorder, that’s PHI. Why? Because it contains PII — Sheldon Cooper, and also health information — obsessive-compulsive disorder. Sheldon’s PHI would, therefore, be protected by HIPAA.
One more definition: ePHI, electronic protected health information, is PHI that is transmitted, stored, or accessed electronically. ePHI falls under the HIPAA Security Rule, a HIPAA regulation addendum which came into effect to address the rapid changes in medical technology and how health records are stored.
Why HIPAA is Important
There are countless reasons why HIPAA is important, but the key takeaways are these: it aims to ensure privacy and confidentiality; it gives patients access to their healthcare data; and it reduces fraudulent activity and improves data systems. It all boils down to data security.
For healthcare organizations, HIPAA provides a framework that safeguards who has access to and who can view specific health data while restricting with whom that information can be shared. Any organization dealing with PHI must also have physical, network, and process security measures in place to be compliant.
Even subcontractors and any other related business associates must be compliant.
HIPAA is there to protect individuals and to ensure everyone has full access to a copy of their personal medical records. It is ultimately a civil rights issue. It mandates data protection for anyone who creates, stores, transmits or uses individually identifiable health information.
All healthcare entities and companies which handle, store, maintain, or transmit patient health information are expected to be in complete compliance with the regulations of the HIPAA law.
By adhering to HIPAA laws, providers can save millions of dollars annually just by properly managing security risks.
David Harlow, an attorney and consultant specializing in healthcare data and digital health matters, states that HIPAA should be seen as the minimum standard regarding privacy and security standards and protections. “Simply complying with HIPAA is not enough,” he said. “There are more stringent state laws (which vary, state to state) and some industry best practices which are more protective of patient data.”
What Are HIPAA Guidelines?
With HIPAA, there’s a lot of information to digest when it comes to the guidelines providers must follow to be compliant. What’s most important — and what we will be focusing on — is to clarify what HIPAA violations are, as well as to define what it means to be HIPAA compliant.
For specific guidelines, we recommend the official HIPAA site — a useful resource from the U.S. Department of Health & Human Services.
HIPAA Violations
A HIPAA violation occurs when there is a breach of an organization’s compliance program in which the integrity of PHI or ePHI is compromised.
It’s important to note that data breaches are not the same as HIPAA violations. A data breach can also be a HIPAA violation, but only when that breach is caused by a breakdown in the HIPAA compliance program or by a specific violation of an organization’s HIPAA policies.
For example, a data breach would be if a laptop belonging to one of an organization’s doctors is stolen and that laptop has unencrypted access to medical records. If that organization did not have a policy stating that laptops couldn’t be taken offsite, then it would also be a HIPAA violation.
According to Harlow, publisher of HealthBlawg, enforcement of violations is likely more limited to cases in which there has been a data breach. In his definition, a data breach is when PHI is released to or obtained by a third party without the patient’s authorization, other than for purposes of treatment, payment or healthcare operations.
“We can learn from cases where the OCR has entered into settlement agreements with Covered Entities (practitioners) or Business Associates (third parties) that have experienced data breaches,” he said. “The settlement agreements are made public, together with case summaries. From my perspective, it is critical that the regulated community understand and appreciate that the weakest link is often the human link.”
One data breach we can all learn from is the Anthem Insurance Company hack, which relied on an unsuspecting employee clicking on a link in a phishing email.
“Staff must be trained and tested, and systems and failsafes must be put into place,” said Harlow. “Hundreds of millions of dollars of remediation costs, class action settlement payments and fines were paid out by Anthem as a result of that click.”
He points out that the government does not discriminate when enforcing the rules: it fines small entities along with large companies. Perhaps not in millions of dollars, but significant sums nonetheless.
To further break down the takeaways from healthcare security breaches, you’ll find some great lessons here from Josh Mayfield, Absolute’s Director of Security Strategy.
Finally, it’s critical to point out that if you’ve been breached, you need to report the breach in a timely manner. In 2017, OCR brought about its first HIPAA settlement for a violation of the Breach Notification Rule, levying a $475,000 fine against Presence Health for failure to properly follow the rule.
Common HIPAA violations include:

Stolen smartphones, laptops or USB devices
Cyber hack or attack, including malware incidents and ransomware attacks
Business associate breach
Electronic health record (EHR) breach
Office break-in
Sending PHI to the wrong patient/contact
Discussing PHI outside of the office
Social media posts

HIPAA Compliance Requirements
This compliance list represents a baseline for processes that businesses should be following:

Self-Audits
Remediation Plans
Policies, Procedures, Employee Training
Documentation
Business Associate Management
Incident Management

While all of these are important, Harlow recommends focusing on the need to address the privacy and security of PHI holistically, through continuous review and improvement of systems, policies and procedures, training and implementation.
“This is not a ‘set it and forget it’ sort of compliance exercise,” he said. “I would also emphasize that the HIPAA rules are written as flexible standards that are to be implemented based on the size and nature of the covered entity or business associate.” For instance, Amazon’s compliance program for its HIPAA-compliant cloud services will not be the same as the compliance program implemented by a multi-specialty physician practice.
At the end of the day, complying with HIPAA regulations may seem tedious, but in today’s threat landscape we all need to practice proper security hygiene anyway to protect ourselves.
The ramifications of not doing so are too severe to ignore.
We’ve covered plenty of ground, but to learn even more about achieving HIPAA compliance and how Absolute can help your business, download our white paper here.

HIPAA Compliance Checklist for 2019

HIPAA was adopted in 1996 and since then, Covered Entities (CEs) have been required to protect individuals’ personal health information or face hefty fines for non-compliance. The U.S. Health and Human Services Office for Civil Rights (OCR) enforces HIPAA; the fines they have issued have grown exponentially in recent years.
Anthem, one of the nation’s largest health benefits companies, paid a record $16 million in 2018 for a data breach that exposed the electronic protected health information (ePHI) of 79 million individuals. The next largest settlement was $5.5 million paid by Memorial Healthcare Systems in 2017 for the inappropriate access of PHI of 115,143 individuals.
With increasingly severe HIPAA non-compliance fines on the line, healthcare organizations must exercise extreme diligence in the protection of PHI. But it isn’t an easy task. Compliance requires that CEs adhere to two primary rules: the HIPAA Privacy Rule, which details which data must be protected, and the HIPAA Security Rule which establishes how that data is protected.
The Privacy Rule defines identifiable health information as demographic data that relates to:

an individual’s past, present, or future physical or mental health or condition
the provision of healthcare to the individual
the past, present, or future payments for the provision of healthcare to the individual

The Security Rule outlines three categories of safeguards – administrative safeguards, physical safeguards and technical safeguards – to help you ensure data is protected and standards are followed accordingly.
Achieving and maintaining HIPAA compliance requires both thoughtful security and ongoing initiative. While there is some irony in providing a compliance checklist when we often hear ‘compliance is much more than checking a box,’ there are program elements that can – and should – be checked off. When marked complete, your level of confidence in your organization’s HIPAA adherence will increase.

The seven areas below are excerpted from the OCR’s recommended essential elements of an effective HIPAA compliance program.
Complete the following assessments / audits and be able to provide all appropriate documentation that they have been conducted for the past 6 years.
[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] HITECH Subtitle D Audit
[ ] Security Standards Audit
[ ] Asset and Device Audit
[ ] Physical Site Audit
Educate staff.
[ ] Have all staff members undergone annual HIPAA training, and do you have documentation to prove that they have completed annual training?
[ ] Is there a staff member designated as the HIPAA compliance, privacy and/or security officer?
[ ] Have all staff members received security awareness training and do you have documentation to prove they have completed it?
[ ] Do you provide periodic reminders to reinforce security awareness training?
Conduct risk analyses to assess whether encryption of electronic protected health information (ePHI) is appropriate and provide documentation on the decision-making process.
[ ] If encryption is not appropriate, have you implemented alternative and equivalent measures to ensure the confidentiality, integrity, and availability of ePHI?
[ ] Have you implemented controls to guard against unauthorized access to ePHI during electronic transmission?
Implement identity management and access controls.
[ ] Have you assigned unique usernames/numbers to all individuals who require access to ePHI?
[ ] Is access to ePHI restricted to individuals that require access to perform essential work duties?
[ ] Have you implemented policies and procedures for assessing whether employees’ access to ePHI is appropriate?
[ ] Have you developed policies and procedures for terminating access to ePHI and recovering all electronic devices when an employee leaves an organization or their role changes?
[ ] Does your system automatically log out a user after a period of inactivity?
Create and monitor ePHI access logs.
[ ] Routinely monitor logs to identify unauthorized access to ePHI.
[ ] Implement controls to ensure ePHI may not be altered or destroyed in an unauthorized manner.
Develop policies and procedures for the secure disposal of PHI.
[ ] Develop policies and procedures for rendering PHI unreadable, indecipherable and incapable of being reconstructed.
[ ] Develop policies and procedures for permanently erasing ePHI on electronic devices when they are no longer required.
[ ] Ensure all devices that store PHI are stored securely until they are disposed of in a secure fashion.
Define a clear process for security incidents and data breaches.
[ ] Ensure you have the ability to track and manage all incident investigations.
[ ] Be able to provide the required reporting of minor or meaningful breaches/incidents.
[ ] Implement a procedure by which employees may anonymously report a privacy/security incident or potential HIPAA violation.
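The identity-management and access-log items above describe a check that can be automated: compare each ePHI access event against a roster of unique user IDs, account status and care-team assignments, and flag anything outside that authorization. The following script is an added example, not code from Absolute or from the OCR checklist; the log format, the roster, the role names and every sample record in it are constructed for illustration.

```python
"""Review constructed ePHI access-log lines against an access roster.

Added example. The log format, the roster and the sample records below are
constructed for illustration and are not from any real system.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed roster: unique user ID -> role, assigned patients, account status.
# A real deployment would pull this from the identity store and the care-team
# assignments rather than hard-coding it.
ROSTER = {
    "u1001": {"role": "physician", "patients": {"p-301", "p-302"}, "active": True},
    "u1002": {"role": "nurse", "patients": {"p-301"}, "active": True},
    "u1003": {"role": "billing", "patients": set(), "active": True},
    "u1004": {"role": "nurse", "patients": {"p-302"}, "active": False},  # terminated
}

# Roles whose duties require reading clinical notes. Billing needs billing
# records only, so a clinical read by a billing user is a finding.
CLINICAL_ROLES = {"physician", "nurse"}


@dataclass
class Finding:
    line_no: int
    user: str
    patient: str
    reason: str


def parse_line(line):
    # Constructed format:
    # "<ISO timestamp> user=<id> patient=<id> action=<read|write> record=<type>"
    ts_str, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts_str)
    return event


def review_access_log(lines, roster=ROSTER):
    """Return one Finding per event that falls outside the roster's authorization."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, patient = ev["user"], ev["patient"]
        entry = roster.get(user)
        if entry is None:
            # No unique ID on file: a shared ward login or an unknown account.
            findings.append(Finding(n, user, patient, "user ID not in roster (shared or unknown account)"))
            continue
        if not entry["active"]:
            # Access after termination means deprovisioning did not happen.
            findings.append(Finding(n, user, patient, "access by deactivated account"))
            continue
        if ev["record"] == "clinical" and entry["role"] not in CLINICAL_ROLES:
            findings.append(Finding(n, user, patient, f"role '{entry['role']}' read a clinical record"))
            continue
        if entry["role"] in CLINICAL_ROLES and patient not in entry["patients"]:
            # Minimum necessary: clinicians see only the patients they are assigned to.
            findings.append(Finding(n, user, patient, "patient not on user's care assignment"))
    return findings


# Constructed sample log: one clean read, then four different kinds of misuse.
SAMPLE_LOG = """\
2019-07-01T08:02:11 user=u1001 patient=p-301 action=read record=clinical
2019-07-01T08:05:40 user=u1002 patient=p-302 action=read record=clinical
2019-07-01T08:07:03 user=u1003 patient=p-301 action=read record=billing
2019-07-01T08:09:55 user=u1003 patient=p-302 action=read record=clinical
2019-07-01T08:12:30 user=u1004 patient=p-302 action=read record=clinical
2019-07-01T08:15:02 user=shared-ward patient=p-301 action=read record=clinical
""".splitlines()

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: user {f.user} patient {f.patient}: {f.reason}")
```

Run as-is it reports four findings (an unassigned patient, a billing user reading a clinical note, a deactivated account, and a shared login). Each finding maps to one checklist item above, which is also what the documentation requirement calls for: the roster and the findings together are the evidence that access was reviewed.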
Successfully completing this checklist does not guarantee your organization is HIPAA compliant – nor does it ensure that your organization will avoid potential data breaches. However, it will get you off to a very good start. For more information on implementing a successful program, download our whitepaper: Achieving HIPAA Compliance: Your Guide to Avoiding HIPAA and HITECH Penalties. 

3 Lessons Learned from Healthcare Security Breaches

While official numbers for 2018 haven’t yet been released, we know roughly 7 million healthcare records were involved in data breaches this past year. The reasons are tangled and varied, but we can find common themes that can help us learn how to prevent future data breaches.
For starters, the two most common causes for reporting a data breach to the U.S. Health and Human Services Office for Civil Rights (OCR) were: 1) deliberate hacking of IT systems and 2) unauthorized access or disclosure of protected health information (PHI). Though equal in number of incidents, deliberate IT hacking stands alone as the tactic with the greatest success, resulting in over 4 million records swiped.
Attackers didn’t show any deference to the well-resourced UnityPoint Health (1.4 million records stolen) or federal agencies, such as when the Centers for Medicare & Medicaid Services (CMS) reported unauthorized exposure to its own PHI in Healthcare.gov. In addition to these deliberate assaults, the largest single fine of 2018 was a $4.3 million expense levied on MD Anderson Cancer Center when the world-renowned oncology research hospital was unable to prove that a stolen device was secure and encrypted.
Naturally, you may conclude that these kinds of incidents are bound to happen. After all, healthcare organizations are brimming with high value data that lures the worst cybercriminals armed with impressive tools and tactics. But under a different reckoning, you can see how every one of these breaches could have been halted.
Lesson 1: Visibility Rules
Whether you are monitoring the data flow between cloud clusters or the cyber hygiene of an endpoint population, keeping eyes on glass is the first step to finding your blind spots and seeing where your data resources are exposed. Think about it: how can you secure what you can’t see? Thankfully, IT asset management is stepping up to the plate and transitioning from being a keeper of inventories to a robust intelligence service feeding critical information to other groups and teams, enriching detection and response to uncover vulnerabilities.
Lesson 2: Configurations Count
We can see how an Amazon Simple Storage Service (S3) bucket can be misconfigured in precisely the way that lets attackers in the door. We also know that such services come equipped with all the controls necessary to stave off the tragedy. So what’s going wrong?
Not only are newer technologies more complex than ever, but with the rise of DevOps and continuous iterations, the services and resources we use are in constant flux. Keeping tabs on the right configurations for the current build and maintaining your own security intent has never been more complicated. But just as we learned in Lesson 1, having an unobstructed view of the attack surface will help to identify where configurations are risky and what steps you can take to restore order. Never has this been more necessary than with endpoint cyber hygiene.
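As an added example of the kind of configuration check Lesson 2 calls for (not code from Absolute or from AWS), the script below evaluates an S3 bucket policy together with the bucket’s Public Access Block settings and reports whether the pair leaves the bucket open to anyone. It runs offline against two constructed configuration documents, a weak one and its corrected counterpart. The policy document shape and the four Public Access Block flag names are AWS’s real formats; the bucket name, the IAM role ARN and the account number in it are constructed placeholders.

```python
"""Assess an S3 bucket policy plus Public Access Block settings for public exposure.

Added example with constructed configuration documents; it evaluates the
documents offline rather than calling AWS. Bucket names, role ARN and account
number are placeholders.
"""
import json

PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} grants to anyone, authenticated or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_doc):
    """Return Allow statements that grant to everyone without any Condition."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [
        s for s in stmts
        if s.get("Effect") == "Allow"
        and _principal_is_public(s.get("Principal"))
        and not s.get("Condition")
    ]


def block_is_complete(public_access_block):
    """True only when all four Public Access Block flags are switched on."""
    return all(public_access_block.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS)


def assess_bucket(policy_doc, public_access_block):
    """Return (needs_attention, reasons).

    RestrictPublicBuckets limits a public policy to the bucket owner's account
    and AWS service principals, so a public statement only counts when that
    flag is off. An incomplete block is reported separately either way.
    """
    reasons = []
    pub = public_statements(policy_doc)
    if pub and not public_access_block.get("RestrictPublicBuckets"):
        actions = sorted({
            a for s in pub
            for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])
        })
        reasons.append(f"policy grants {actions} to Principal '*' with no Condition")
    if not block_is_complete(public_access_block):
        reasons.append("Public Access Block is not fully enabled")
    return (bool(reasons), reasons)


# Constructed weak configuration: world-readable policy and no Public Access Block.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-phi-exports",
                     "arn:aws:s3:::example-phi-exports/*"],
    }],
})
WEAK_BLOCK = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}

# Constructed corrected configuration: one named role, all four blocks on.
# The account number 123456789012 is a placeholder.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/phi-export-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-phi-exports/*",
    }],
})
HARDENED_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}

if __name__ == "__main__":
    for name, pol, blk in (("weak", WEAK_POLICY, WEAK_BLOCK),
                           ("hardened", HARDENED_POLICY, HARDENED_BLOCK)):
        flagged, reasons = assess_bucket(pol, blk)
        print(name, "NEEDS ATTENTION" if flagged else "ok", reasons)
```

The check deliberately treats the two controls together: the policy is the “security intent” the paragraph above refers to, and the Public Access Block is the guard rail that keeps a later, hurried policy change from undoing it. Feeding it the policy and block settings exported from each bucket during a configuration review is the unobstructed view Lesson 1 asks for.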

Devices are teeming with PHI, and users need unimpeded access to critical information to save lives. However, the ability to lay hands on health data is also a focal point for attackers. When countless records are on endpoints, why go any further to penetrate a well-fortified data center or cloud storehouse when so much is waiting for you on a device? The trend in distributed data creates an incentive-rich environment that requires control over every device with maniacal precision. Orchestrating all those controls demands universal control across the endpoint population and endpoint data discovery to pinpoint where sensitive data is riskiest.
Lesson 3: Crowd Sourced Learning Reigns
Healthcare, in some ways, is in a privileged position. With so many federal guidelines and regulations for reporting, there is an ocean of incidents to learn from. Now that the entire industry is held to standard practices, when those protections are usurped, everyone gets to hear about it. If we aren’t learning from the failures around us — even within our peers and the industry leaders we respect — we will be flanked by a hazard that could have been prevented had we taken that knowledge and put it into action.
Take note of the breaches inside and outside of healthcare. Look for common patterns and themes. Crawl your own IT environment and see if similar conditions are ripe for exploitation. Being smart is learning from your mistakes, but being wise comes when we also incorporate learning from others’ shortfalls.
To learn more about how to build and implement a sound cybersecurity strategy for your healthcare organization, download the whitepaper Data Breach Prevention for Healthcare: A Best Practices Guide.