Keeping HIPAA Compliant Data Secure

Data compliance to the Health Insurance Portability and Accountability Act (HIPAA) is often confused with data security. HIPAA compliance, however, is just the first step in keeping healthcare data secure across multiple networks and in the cloud.

Keeping healthcare data HIPAA compliant ensures that patient information remains private, assuming that the network the data is stored on is secure against unwelcome eyes. But if hackers gain access to an unsecured system they can read, modify, or even sell private patient information. Hackers can also set up ransomware attacks that can render patient records unusable (despite the fact that they are HIPAA compliant) until the facility pays the ransom.

Medical businesses such as hospitals, private practices, and various other types of health clinics should have someone on staff who understands the need for patient data to be HIPAA compliant and secure at the same time. A manager or administrator with a master’s in health administration can be an invaluable addition to any healthcare office.

De-Identification

For a long time, healthcare data was simply retained on a local network for record-keeping purposes. Unfortunately for data security, Big Data is providing valuable ways to turn all of that stored data into valuable insights that stand to affect the entire healthcare industry in a valuable way.

The healthcare industry, however, has been one of the last large industries to jump on the data analytics bandwagon, and the reason for the delay stems from a fear of potential HIPAA breaches. To alleviate those concerns, cyber security personnel and HIPAA legal experts have introduced the process of de-identifying sensitive patient data.

“Regulations like HIPAA require that data custodians provide for a process to limit the ability to identify a Data Subject from a clinical dataset,” explains biotech expert Sujay Jadhav in his article, “Is HIPAA A Barrier To Big Data In Biomedical Research?” on LinkedIn.com. “Only when clinical data is de-identified according to this process, it may be disclosed to a third party or presumably used in a Big Data analytics workflow.”

The de-identification process typically involves removing any and all information from medical data that could potentially be used to identify the patient. Identifying data can include names, addresses and geographical data, phone numbers, email addresses, Social Security numbers, account numbers, vehicle identification information, biometric identifiers, and anything else that keeps the data from being truly anonymous.

Unfortunately, hackers still occasionally find ways to re-identify patients through a process of elimination by combining two or more sets of data, or simply by breaking into a system where the data has not yet been de-identified. Genetic sequencing information is also required to be de-identified, but a person’s genetic sequence is unique to him or her, so complete de-identification is impossible.

“Rapid growth in the volume of health-related information increases the risk of privacy violations, particularly when data sets are combined,” claims the Arnall Golden Gregory LLP law firm in its “Big Data Analytics Under HIPAA” blog post in 2016. “Data anonymization tools such as de-identification are useful, but cannot eliminate risks to re-identification.”

Securing Healthcare Data

The primary focus of HIPAA enters on documentation of medical information, clinical test results, and procedures for keeping sensitive patient information private, both on paper and in spoken conversation. Data security, as an industry, is concerned with keeping all types of data, including HIPAA data, secure from unauthorized access across connected networks.

Several security standards of control are covered by the HIPAA Security Series’ “Security Standards: Technical Safeguards.” These standards include:

• Access Control – Safeguarding data by restricting user rights and privileges to files, databases, applications, and networks.
• Audit Control – Recording information system activity via hardware or software for purposes of discovering inappropriate or risky activity.
• Integrity Control – Implementing policies and procedures designed to protect electronic protected health information against tampering.
• Person of Entity Authentication – Verifying the identity of a user who is attempting to access protected health information.
• Transmission security – Ensuring that access to sensitive data transmitted over a network is limited only to authorized access.

“Common technical safeguard options can include, but are not limited to, the following: anti-virus software, multi-factor or two-factor authentication, data encryption, de-identification of data, firewalls, mobile device management (MDM), and remote wipe capability,” says HIPAA authority Elizabeth Snell in her article, “Implementing HIPAA Technical Safeguards For Data Security” on HealthITSecurity.com. “While no healthcare organization can guarantee that a data breach or security incident will never happen, utilizing the necessary safeguards can help prevent them from occurring.”

Perhaps the most important part of a solid cyber security policy in a healthcare organization is the training of employees. A security-conscious health administrator will implement ongoing security training for employees to ensure that the IT department’s security measures aren’t compromised by employee error.

The basic elements to a good cyber security training program for a healthcare organization are covered by medical data security expert Amit Kulkarni’s HealthITOutcomes.com article, “Why HIPAA Compliance Does Not Equal Data Security.” Kulkarni’s suggested training topics include:

• Creating strong passwords and changing them regularly.
• Securing users’ login credentials.
• Keeping login credentials secret; known only by the user.
• Logging into systems only from secured networks and devices.
• Seeking authorization to remove any type of hardware (laptops, tablets and the like) from the medical facility.
• Opening files and emails only from known sources (unknown sources can give hackers access).
• Transmitting sensitive data only over secure networks.
• Spotting attempts at unauthorized access, such as phishing emails.

These areas are the most frequently abused in healthcare organizations. Employees who are not very tech-savvy will use simple passwords (wife’s birthday, dog’s name and birth year) and write them on a sticky note, log into their account from a public WiFi hotspot, lose their phone with sensitive login credentials on it, and open emails from unknown sources. The less often such mistakes take place, the better cyber security measures will work, and constant, repetitive training can help to achieve this goal.

Maryville University’s Master of Health Administration

Maryville University’s online MHA program helps prepare students for careers in healthcare management where they will fall under HIPAA confidentiality laws and privacy rules. Maryville’s program offers four concentrations – Data Management, Healthcare Strategies, Population Management, and Senior Services – as well as a General MHA. Contact Maryville University to learn more.

Sources:

• Is HIPAA A Barrier To Big Data In Biomedical Research? – https://www.linkedin.com/pulse/hipaa-barrier-big-data-biomedical-research-sujay-jadhav

• Big Data Analytics Under HIPAA – http://www.agg.com/Big-Data-Analytics-Under-HIPAA-03-17-2016/

• Security Standards: Technical Safeguards – https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

• Implementing HIPAA Technical Safeguards For Data Security – https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

• Why HIPAA Compliance Does Not Equal Data Security – https://www.healthitoutcomes.com/doc/why-hipaa-compliance-does-not-equal-data-security-0001