Shield Health Care Group, a Massachusetts-based company detected suspicious network activity on March 28th of 2022. The data breach affected over 2 million individuals revealing their social security numbers, diagnoses, billing information, medical records, and PII like addresses, dates of birth, patient IDs, and more.
HIPAA security compliance is absolutely critical to ensure the safety of data stored by organizations within the healthcare industry. Continued compliance with HIPAA helps avoid such drastic and expensive scenarios that not only affect the organization but hundreds and thousands of individual patients too.
This article will detail all important aspects of HIPAA security compliance, from its requirements to common violations, and lastly, how Astra Security can help you with this endeavor.
What is HIPAA Security Compliance?
Health Insurance Portability and Accountability Act or HIPAA security compliance is an international set of standards and regulations put forth by the U.S. Department of Health and Human Services (HHS).
Also known as the Kennedy- Kassebaum Act, it was signed into law in 1996 by President Bill Clinton. Modernizing the workflow of healthcare information, HIPAA stipulated how PII or Personally Identifiable Information must be maintained by healthcare and healthcare insurance industries, ensuring its protection from fraud and theft.
This law prevents the disclosure of information by covered entities like hospitals, other healthcare providers, and businesses but allows the passage of information to the concerned patients and or their representatives.
HIPAA security compliance comprises five different titles governing over various aspects of data security in the healthcare industry, namely, health insurance coverage for job seekers between jobs and their families, national standards for electronic healthcare data transactions, and guidelines for pre-taxed medical expenditure, group health plans and lastly, governing life insurance policies.
HIPAA Compliance Requirements
1. 3 HIPAA Safeguards
HIPAA’s security rule outlines various safeguards to adhere to for the optimal protection of PHI (Patient Health Information). They include administrative, physical, and technical strategies.
Administrative safeguards are essentially a guide for employees on how to handle PHI safely. These are implemented to train employees through thorough staff training on the safe handling of patient information and to place emergency protection plans for PHI by assigning a privacy official. Lastly to monitor and test the security that is placed to protect the PHI through risk assessments.
This refers to protecting the physical access points to PHI. It also includes setting guidelines of best practices to be followed by employees to prevent the unwanted dissemination or leak of information from their workstations and other portable devices.
This includes installing alarm systems, ID badge access entry, surveillance cameras, and more.
This refers to adding anti-virus, anti-malware, or data encryption for data stored in order to ensure that the information is not accessed without proper authorization, or that it isn’t altered, deleted, or stolen.
2. Risk Assessments
Risk assessments are the process of scanning and or analyzing an organization’s security system to identify vulnerabilities that could cause potential damage to the sensitive data stored by that organization. This can range from confidential patient health information to various results from tests.
HIPAA security compliance requires risk assessments to be done periodically to ensure protection from threats that can result in access and exploitation of personal healthcare information.
Is penetration testing mandatory for HIPAA Security Compliance?
However, it does not mention a specific type of risk assessment to be carried out which leaves the decision of choosing between penetration tests and vulnerability assessments to the organization itself.
Regular HIPAA pentests are the best solution when compared to vulnerability assessments owing to their comprehensiveness. This is because it scans for vulnerabilities and exploits the found vulnerabilities to assess the enormity of a potential hack using that vulnerability.
Penetration testing is applicable under HIPAA’s most important privacy rule as it helps determine the pathways that could be opted by hackers to gain access to protected health information (PHI).
3. Employee Training
All healthcare sector employees must be mandatorily made to attend HIPAA security compliance training as it will help them gain a better understanding of how to securely handle PHI.
It will also clarify the do’s and don’ts, compliant and non-compliant posture revolving around PHI. Such training should be offered periodically to ensure that all employees are updated on the relevant information.
Along with this, such training also gives employees a better understanding of the seriousness of mishandling PHI and violating HIPAA security compliance.
4. Monitor and Update Compliance
In order to maintain compliance and or achieve HIPAA security compliance, continuous monitoring and scanning are a must to identify any new vulnerabilities that pose a threat to an organization’s online security.
The tools opted for HIPAA risk assessments must be fully integrated with the security system in order to provide automated continuous monitoring. It should also ensure that there will not be any false positives which could lead to unnecessary expenditure of resources like manpower, time, and expense.
Common HIPAA Violations
This is a list of the most common HIPAA security compliance violations noted that often lead to non-compliance with the healthcare regulatory standard.
1. Poor Access Control
One of the most violations of HIPAA security compliance is said to be the failure to implement proper access controls. Without proper access controls, unauthorized officials may be allowed access to confidential information pertaining to patients.
With HIPAA security rules, third-party businesses associated with healthcare as well as professional healthcare providers must have rigid and tightened access controls for the better protection of electronic patient health information.
Poor access control can be avoided by implementing MFA or multifactor authentication, continuously scanning the security of devices where data is stored or transmitted as well as using temporary authorization codes.
2. Theft of Devices
Stolen or lost devices are at the crux of most cases of PHI loss. Devices from healthcare industries will often have sensitive information stored which is stolen and can be used to carry out identity thefts, medical insurance fraud, and other cyber crimes.
Commonly lost or stolen devices include mobile phones, USBs, laptops, and tablets. Such cases often arise from a lack of well-established physical security measures such as surveillance and monitoring. Another reason stems from organizations not having strict policies on devices whereby employees like doctors, physicians, and other healthcare practitioners take the gadgets home or to other places from their place of work.
To avoid such instances, employee training on the proper storage of devices as well as physical security must be provided. Additionally along with this, enabling data encryption for information both at rest and in transit can go a long way in protecting data from malicious attackers.
3. Failure of Data Encryption
Healthcare practitioners often ignore or aren’t aware of the dire need to implement data encryption or other data protection measures to secure sensitive patient data. This in turn gives malicious attackers a wealth of opportunities to access this data.
Healthcare institutions need to have defensive security systems in place to protect patient data and this should include several safeguards that block attackers from ever accessing the data even if a breach occurs.
Encryption is not a mandated process by HIPAA security compliance, however, offenses, where breaches occur due to a leak of unencrypted data, is a reportable incident. But the leak of encrypted data is only a reportable accident if the decryption key is stolen along with it.
Despite not being mandatory, it is strongly advised for all healthcare organizations to employ encryption as a method to safeguard their data.
4. Improper Disposal of PHI
Improperly disposing of or discarding medical records might be one of the most overlooked HIPAA breaches. While it rarely occurs, it’s still a serious violation with heavy fines. The New England Dermatology and Laser Center was fined a settlement of $300,640 for improperly disposing of PHI in 2022.
Improper disposal of the Dermatology and Laser Center in England is what led to them being fined over $300,000 in 2022. Improper discarding of medical records and other files is one of the more significant reasons that result in violation of HIPAA.
Albeit the occurrence is rare, it still brings about hefty fines when discovered. Such an issue always occurs when hospital staff or interns throw away physical copies of medical records without destroying the sensitive information contained in them first. Such kinds of data centers would include old laptops, USBs, CDs, hard drives, and even papers!
HIPAA compliance for data security mandates that all hospitals and clinics have a thorough process in place for the disposal of physical and electronically stored medical data. Other mandates include the periodic training of employees in the most hygienic data disposal practices as well as the implementation of comprehensive policies on how to handle PHI.
Regular shredding of paper documents and wiping of portable devices are two of the effective ways by which improper medical data disposal can be avoided.
5. Failure To Conduct Risk Analysis
Not conducting any type of risk analysis or assessment, namely penetration testing or vulnerability assessment can leave your organization open to a number of HIPAA violations. Not only this, but it also severely threatens the security of the medical data that is stored. Carry out testing based on the HIPAA checklist.
It is recommended that risk analysis be conducted every time there is a change or a major update to the security system or after every few months. This is done so that if any new vulnerabilities have developed between the period from when the last analysis to now, they can be detected, identified, and immediately rectified.
Penetration tests are the more comprehensive solution in risk analysis when compared to vulnerability assessments as they are more exploitive in process. This can bode well for security systems as healthcare organizations will get a keen idea of what are the vulnerabilities as well as their impact should be exploited.
HIPAA Security Compliance – Pentesting With Astra Security
These are the list of features provided by Astra that go a step further in ensuring your organization’s HIPAA security compliance.
1. Compliance-Specific Scans
Astra provides compliance-specific scans for HIPAA with its very own dashboard and personalized compliance reports.
Results of the personally chosen scan are displayed in real-time on the dashboard with steps for remediation.
2. Continuous Penetration Testing
Astra is capable of providing continuous pentests to assess an organization’s security posture on a regular basis. Based on the initial scope and the needs of the target organization, Astra deploys its automated scanner or enlists its own pentesting team to find the security flaws of the organization.
3. Comprehensive Vulnerability Scanner
Astra’s automated scanner conducts more than 3000 tests following NIST and OWASP methodologies to find hidden vulnerabilities. It can also carry out scans behind logins, as well as detect any business logic errors.
Vulnerabilities detected are based on known CVEs, OWASP Top 10, and SANs 25 and are constantly updated to find newer vulnerabilities.
4. Penetration Testing Certificate
Astra goes a step further compared to all other pentesting providers by providing the customers with a pentest certificate upon the completion of a successful pentest, followed by resolution of found vulnerabilities, and lastly, a rescan to ensure that there are no new vulnerabilities.
This certificate is publicly verifiable and can be put on one’s website to boost sales and promote a security-conscious approach.
5. Detailed Report
Detailed reports provided by Astra give a detailed account of the scope, engagement rules, and methodologies.
But most importantly, it lists out the vulnerabilities found with a dedicated section for each vulnerability explaining their CVSS scores, and actionable risk values.
Other information found through exploitation, its impact on the security system, and remediation measures to patch it are also mentioned.
6. 24*7 Customer Support
Astra boasts 24*7 customer support through email, chats, and even calls if necessary with the help of the expert pentesters on the team. The dashboard also provides a comment option for each vulnerability for immediate doubt clearance.
What Are The Common Targets Of HIPAA Violations?
The most common information that is targetted during the theft or breach of sensitive data from HIPAA violations are:
- Personal Identifiable Information (PII): This refers to personal details like date of birth, government-issued identification numbers like social security numbers, contact information, and more.
- Health Information: This refers to the personal health information of individuals that is stored in hospitals and other healthcare institutions like pharmaceuticals. It can also include prescriptions and treatment details.
- Financial Details: This includes highly sensitive information such as credit card numbers, account details, investment details, and confidential PINs.
- Legal Data: The confidentiality information and documents that relate to court cases, regulatory rulings, business acquisitions, propriety information like constituents for pharmaceuticals, and more.
With HIPAA security compliance becoming a norm to adhere to, it is no wonder compliance-based pentesting is gaining popularity. One of the best ways to achieve this is by carrying out regular pentesting as a method of risk analysis mandated by HIPAA.
Ensure the health of your organization today by teaming up with Astra for achieving and maintaining your HIPAA security compliance!
1. Is pentesting compulsory for HIPAA compliance?
According to HIPAA, organizations need to do risk analyses regularly to avoid and or identify and rectify any areas of non-compliance. This can be done with either penetration tests or vulnerability assessments.
2. What are three security safeguards placed by HIPAA?
HIPAA has three major safeguards:
1. Administrative which includes risk assessments and staff training.
2. Technical which includes implementing MFA and data encryption.
3. Physical security which includes placing surveillance cameras and more.
3. What is protected by HIPAA’s Privacy rule?
HIPAA’s privacy rule protects all protected health information stored or transmitted through electronic, media, or paper.
4. What is the purpose of HIPAA?
The Health Insurance Portability and Accountability Act is designed to protect people covered by health insurance and also to secure their protected health information from any breaches and or theft.