What is HIPAA
HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA provides data privacy and security measures for safeguarding medical information such as biometric data, patient health history, etc. It was signed into law in the year 1996, by President Bill Clinton. The act contains five titles covering:
- Prevention of group health plans from refusing to cover individuals who have pre-existing diseases or conditions, and prohibits them from setting limits for lifetime coverage
- Standardizing the processing of electronic healthcare transactions nation-wide
- Regulation of provisions that are tax-related, as well as general medical guidelines
- Health insurance reforms, including provisions for those who have pre-existing diseases or conditions, and individuals who are seeking continued coverage
- Regulation of provisions associated with company-owned insurance, and treatment of those who lost their citizenship for income tax reasons
In order to comply with the technical aspect of HIPAA, though, every US-based organization keeping any contacts in relation to the Act needs to make sure that has taken appropriate technical measures to safeguard medical data.
Most Considerable Health Data Breaches and Their Causes
Healthcare IT News reports that healthcare continued to be a lucrative target for hackers in 2018 with weaponized ransomware, misconfigured cloud storage buckets and phishing emails dominating the year. Cyber criminals, they say, will likely get more creative despite better awareness among healthcare organizations at the executive level for the funding needed to protect themselves.
Some of the most significant healthcare data breaches in 2018 are as follows:
|Year||Organization||Records Affected||Cause of data breach|
|2018||UnityPoint Health||1.4 million patient records||Phishing emails|
|2018||LifeBridge||500000 patient records||Malware|
|2018||Oklahoma Medicaid||280,000 patient records||Database hacked|
Top Considerable Health Data Breaches| Data Aggregated from Healthcare IT News articles
The table shows that the most common data breach causes are related with poor database protection, or with poor IT-related staff training. Processes and procedures, in other hand, provide clear guidelines on what to steps to follow in order to minimize the risk of information security breach, and how to proceed further in cases of security incidents.
Data integrity is another aspect which is often neglected by organizations. According to high level security experts, “Data Integrity Is the Biggest Threat in Cyberspace”. And whether it’s an external or internal attack, the risk is there, and if you don’t get to know that the integrity of your data is compromised, you may not know there was an attack in the first place.
Putting together all these measures guarantees a proportionate level of data protection. Another aspect, however, is protecting the patient database the way it can’t be easily breached. In order to illustrate the main things every healthcare organization needs to consider we conducted the guide below.
Main HIPAA IT Aspects
In terms of protecting sensitive personal data certain access control measures should be taken by every organization which keeps medical records. It is required to implement appropriate technical policies and procedures, and secure physical and digital access to data. Electronic information systems that maintain electronic protected health information organisations are bound to allow access only to those persons or software programs that have been granted access rights.
The IT implementation of this requirement is related to three important aspects:
- Keeping an unmodifiable audit log for each access to sensitive data per profile – keeping logs of who accessed certain data type and at what time can help us investigate in case of data breach. However, if logs can be deleted or modified by anyone within the organization (even system admin), who also has access to various company assets, can potentially be considered as vulnerability. For this reason we created Sentinel Trails -a blockchain-based secure audit trail which makes data manipulation practically impossible.
- Real-time incident reporting – A real-time reporting allows managers and quality auditors to take full control over data access. They can keep an eye on the access logs and be aware of any types of anomaly behavior – e.g. who accessed sensitive data outside their work hours, who exported big data arrays and is not supposed to, who made changes on the database, etc.
- Fraud Detection – Anomaly activities, though, can be automatically detected and alerts sent to responsible parties based on certain rules set up. Such an alert can be accessing data outside the work hours. This way the person responsible for quality assurance can receive a phone/email notification after the pre-defined alert rule is triggered and investigate the issue in a timely manner
Fraud Detection: Rule-based Alert Setup | Image Source: Sentinel Trails advanced dashboard menu
To implement appropriate IT measures, first prepare an IT implementation plan covering the security measures that have not been implemented yet. To deliver high quality, conduct an annual internal audit to take proper corrective and preventive measures based on the implementation.
The following four IT aspects should be carefully reviewed and implemented in accordance to the needs of the organisation:
|Unique user identification||Emergency access procedure||Automatic logoff||Encryption & decryption|
|Assign a unique ID (name, number, combination of symbols) to identify and track user identity.||Establish procedures for obtaining necessary electronic protected health information during an emergency.||Make sure you have established procedures to terminate sessions after a predetermined time of device inactivity.||Encrypt and decrypt any protected health information (PHI).|
Make sure the database you store PHI is also encrypted and the data transfer- secure
HIPAA Audit Control and Audit Log Requirements
Once implemented, any PHI-related software, hardware and procedures should be carefully audited on a regular basis.
Audits ensure that the organisation is continually engaged with the protection of sensitive data, and demonstrates its responsibility to improve it. The audit control is important to demonstrate compliance with the HIPAA. But at the same time it is vital to ensure compliance with other data privacy-related regulations such as GDPR.
Audit logs can ensure a smooth audit process and minimum staff involvement. Audit logs provide useful and at the same time irreplaceable information about following everyday processes, and help the auditors to get a better overview on the security measures taken, such as access granted.
Data integrity is a key for HIPAA compliance. Implementation of policies and procedures that protect electronic PHI from improper alteration or destruction can prevent various data breaches. Implementation of electronic mechanisms to corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner is also a must-have. Best case scenario is developing an all-in-one overview where auditors and operations managers can review and quality check if only authorized persons can access sensitive data.
Person or entity authentication
Implement procedures to verify that a person or entity seeking access to electronic PHI is authorized to receive it.
Make sure all the procedures and processes you implement are in line with your organisation policies. Also make sure that they are being audited on a regular basis.
Best practices for person/entity authentication guidelines include:
- Keeping an unmodifiable, time-stamped audit log in relation to each incoming PHI request
- Keeping an unmodifiable, time-stamped audit log in relation to who processed it
- Keeping an unmodifiable, time-stamped audit log that the request has been verified before processed
Data transmission is a potential information security gap. Transmitted data can easily become a target so keeping it secure is a priority for each organisation, especially for those keeping ePHI.
Certain integrity controls and encryption measures can reduce the data breach risk to minimum:
|Implement security measures to ensure that electronically transmitted PHI is not misused without detection until its disposal.||Implement a mechanism to encrypt electronic PHI whenever deemed appropriate.|
|Make sure you have set up certain event log alerts for tracking misuse.||Audit all your records where you store PHI and plan how to minimize it and keep it encrypted.|
How Can LogSentinel Secure Your Medical Data
LogSentinel’s business focus is keeping sensitive data safe, and making it easier to investigate who is responsible for a data breach event. We previously reviewed the most common practices to prevent various types of data breaches. But not every organisation has the capabilities to do this alone. That’s why we developed a 360-degree, compliance-as-a-service solution, helping small and medium organisations to solve their information security issues seamlessly.
Protection of PII and health records
We offer a ‘Privacy by Design‘ secure database. We encrypt every record individually, using a secure key hierarchy making data breach events practically impossible. Therefore SentinelDB can be considered as a HIPAA compliant database
Keeping unmodifiable logs of activity
Most of the data breach attempts are initiated by insiders.
Very often insiders manage to cover their traces making it impossible to track back who has breached the data.
With SentinelTrails, your activity logs will be kept safe on blockchain, so that no one would be able to access your data without any evidence.
This feature fully covers the HIPAA audit log requirements.
Fraud and anomaly activity detection
Thanks to the advanced technology used for developing SentinelTrails, you can receive real-time notification if anomal activity is detected – e.g. access to PII outside of work hours
Real-time alerts can help prevent highly sensitive data breach and save company reputation.
Take control over the sensitive data you own.
The real-time analytics gives you an overview on the activity during the period you’ve chosen to observe.
Easy Integration. Zero maintenance.
Minimum efforts are required from your side.
Our expert team will adapt our services to the exceptional requirements of your organization, so that you can focus on what’s actually important – saving lives.
If you would like to explore more about the information security solutions, contact us today.
Denitsa Stefanova is a Senior IT Business Analyst with solid experience in Marketing and Data Analytics. She is involved in IT projects related to marketing and data analytics software improvements, as well as the development of effective methods for fraud and data breach prevention. Denitsa supports her IT-related experience by applying her skills into her everyday duties, including IT and quality auditing, detecting IT vulnerabilities, and GDPR-related gaps.