HIPAA and Cyber Security
Digital attacks on health care have become very common, with health records selling at a very high price on the darknet. The information this health care data, also called PHI, holds is invaluable: along with medical history, it contains social security numbers, addresses, tax codes, credit card details, National Insurance numbers and much more. That is enough for any hacker not only to impersonate you but also to wipe out your bank account and perhaps your existence as well!
HIPAA news firm HIPAA Journal reports that “There has been a general upward trend in the number of records exposed each year, with a massive increase in 2015. 2015 was the worst year in history for breached healthcare records with more than 113.27 million records exposed, stolen, or impermissibly disclosed and was particularly bad due to three massive data breaches at health plans: Anthem Inc, Premera Blue Cross, and Excellus. Cybersecurity firm Protenus said that healthcare hackings in 2018 were 25% more than those in 2017 and are ever increasing! In the same year, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day.
Fast forward 4 years and the rate has doubled. In 2021, an average of 1.95 healthcare data breaches of 500 or more records were reported each day.” Hackers who target healthcare establishments to steal medical data (also known as PHI) usually know that these establishments have weaker security measures than corporations and that what defences they do have are easy to break through. Experian, the global information services firm, confirms that stolen medical data holds so much information on the patient (credit card details, social security, passport and bank details, addresses and more) that it can command a price of up to $5000 on the darknet. Stolen medical data can also create a huge mess for the patient, with consequences ranging from credit card theft to identity theft, impersonation and beyond!
So what should be done? Just as there are firewalls, antivirus products, internet security suites, adware blockers and many other tools for corporate and personal internet users, there is HIPAA for medical establishments. HIPAA, as you are probably aware, stands for the Health Insurance Portability and Accountability Act and serves as a cyber security standard for organizations in America handling Protected Health Information, or PHI. HIPAA has three basic rules – the Privacy Rule, the Security Rule and the Breach Notification Rule.
- The Privacy Rule limits how data may be disclosed and requires patient consent before their data is used for any research, product development or improvement.
- The Security Rule is one of the most important rules and, unfortunately, one that many healthcare businesses overlook. It comprises the administrative, technical and physical safeguards and practices that an organization handling PHI must adopt to protect patient data. These practices include encryption, password protection, hardware and software locks and restrictions, and more.
- Finally, the Breach Notification Rule outlines who must be informed and what must be done once a data leak or breach has been detected.
For security protocols, HIPAA insists on compliance with the National Provider Identifier (NPI) Standard and the Transactions and Code Sets Standard. Together these require an NPI number for all individuals accessing medical data and oblige all healthcare organizations to follow a standardized mechanism for exchanging medical data.
HIPAA has 5 major components or sections:
- Health Insurance Reform, which protects and provides health insurance to individuals who lose and / or change jobs.
- Administrative Simplification, which directs the US Department of Health and Human Services (HHS) to establish and implement security standards for processing electronic healthcare transactions.
- Tax-Related Health Provisions, which set out tax-based provisions and guidelines for medical care.
- Application and Enforcement of Group Health Plan Requirements, which defines health insurance reform for people seeking continued service and / or coverage for pre-existing conditions and diseases.
- Revenue Offsets, which include provisions for employer / company owned insurance and coverage for those
Does this mean that HIPAA is the be-all and end-all of the security protocols a healthcare establishment needs? Well, the choice is yours. The safer and more secure a patient’s data is, the higher their trust in your organization. Today, in addition to HIPAA compliance, many organizations are adopting layered security measures: the standard hardware firewalls and network security packages, combined with HIPAA compliance plus CASB, SWG, ZTNA and more. The trifecta of CASB, SWG and ZTNA forms the Security Service Edge, or SSE, which, combined with HIPAA compliance, creates a very secure framework that reduces the chances of a PHI leak to almost nil.
Achieving HIPAA compliance is not easy, but it is an absolute necessity in today’s world. This is where Gate6 comes in. We are well aware of, and experienced with, the stringent HIPAA compliance rules applied under the HHS audit. Our experience speaks for itself: we help healthcare establishments like yours achieve HIPAA compliance with ease by following a well-structured and established process of threat detection, prevention, protection and elimination.
The Gate6 HIPAA compliant badge is peace of mind for both the organization and the patient, and a confirmation to the patient that they and their data and medical records are safe, so that all that remains is to get better and go back home in peace – both physical and mental!
Open the gates to HIPAA compliant healthcare security with Gate6 – the company that knows how to do it the right way. Know more here!