The 2013 HIPAA changes extended the scope and reach of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HITECH). Many of the new HIPAA rules for 2013 account for changes in working practices and advances in technology since the original legislation was introduced in 1996.
Within the 2013 HIPAA changes, the Security Rule brought in three “safeguards” to protect the integrity of electronically stored and transmitted Protected Health Information (ePHI). These three safeguards were:
- Administrative Safeguards – including factors such as the assignment of an information security officer, business associate agreements, risk assessments, training and the development of proper policies.
- Physical Safeguards – including equipment specifications, controls for devices and media used to hold ePHI (including flash drives), and physical access to servers and other hardware on which ePHI is held.
- Technical Safeguards – including issues such as who can remotely access a database on which ePHI is stored, audit controls, transmission security and how access to and the communication of ePHI is reviewed.
These safeguards are of particular importance to covered entities that have adopted BYOD policies, have storage problems with the requirement to save six years of ePHI, or provide unfiltered Internet access. To comply with the recent HIPAA changes, covered entities must put in place mechanisms that ensure the end-to-end security of patient data and have processes in place to stop a data breach.
An Updated Definition of Data Breaches
Also included among the new HIPAA rules for 2013 was an updated definition of what constitutes a data breach. A data breach is now considered to have occurred when there has been an unauthorized exposure of ePHI, unless the healthcare group, health insurance provider, employer or vendor/business associate can demonstrate that there is a low probability that patient data was impacted.
One of the best ways of showing a low probability that patient data was compromised is through encryption. The encryption of data is an “addressable” requirement of the HIPAA Security Rule, meaning that it does not have to be put in place if a covered entity can show it is not necessary, or if a suitable alternative to the requirement is implemented.
However, if all personal identifiers and health-related data are encrypted, any ePHI exposed without authorization will be undecipherable, unreadable and unusable – leading to a low probability that patient data was impacted. The encryption of data in databases, on servers, on flash drives or as it moves through a network can also help covered entities avoid OCR fines for failing to comply with the recent HIPAA changes.
Adopting Encryption in Healthcare
The implementation of encryption in healthcare is not complicated. Many covered entities are switching their main method of communication to secure messaging. Secure messaging complements the BYOD policies that many covered entities have introduced, and eliminates the danger of a data breach – not only through encrypted communications, but also by encapsulating communications within a private network that gives full message accountability.
Secure messaging not only helps covered entities comply with the recent HIPAA changes, but the mechanisms that provide an audit trail for ePHI also accelerate the communications cycle in many areas of healthcare. Secure messaging has also been proven to foster collaboration and improve productivity – improving the speed of diagnoses, increasing the accuracy with which prescriptions are filled and reducing the volume of adverse events.
Whereas secure messaging settles the problem of encryption in healthcare since the new HIPAA rules for 2013 were introduced, secure email archiving is an appropriate solution for communications sent and received before the recent HIPAA changes. Covered entities have to keep healthcare data for at least six years, and secure email archiving not only stores emails in an encrypted format, but also indexes them and their content for easy retrieval in the event of discovery or a compliance audit.
The Hacking Threat to the Integrity of ePHI
The largest cause of data breaches has been, to date, human error. Employees mislaying USB flash drives, unencrypted laptops taken from the back seat of a car and the improper disposal of ePHI have been to blame for many millions of records being exposed. Aware that workers are the weakest link in a covered entity’s cybersecurity defenses, criminals are targeting them through phishing campaigns and malware downloads.
One of the best defenses against cyber threats is using a web filter. With a suitably robust web filter, covered entities can prevent employees from being directed to bogus websites that request their login credentials and to sites that harbor malware. Web filtering solutions can also be set to prevent the download of certain file types, making it harder for a cybercriminal to break through a covered entity’s cybersecurity defenses.
Web filters also have a productivity-enhancing bonus. With the ability to limit access to any website, administrators can prevent employees from using social media channels, visiting shopping portals or watching live-streamed videos during working days. Limiting access to certain areas of the Internet can also eliminate potential HR issues and create a more user-friendly working environment.