
Meet Healthcare Regulations and Protect Patient Data
Written by CISOSHARE
January 23, 2017
Over the past couple of years there has been a dramatic increase in security-related attacks on all businesses. At the core of these attacks is a desire by the attackers to acquire valuable data that can be used for illicit monetary gain.
Few industries manage data as valuable as that of the health care discipline. As a result, this industry has been and will continue to be directly impacted by information security considerations in a number of ways.
First, as mentioned above, there is a lot of valuable data that makes health care organizations a high-gain target for attack. In most situations, not only is personally identifiable health information present, but this information is also generally associated with other high-value information such as social security numbers and/or credit card information.
It is for this reason that a valid healthcare record is worth up to $50 on the black market versus $1 for compromised credit card information.
Second, there is a drive to enhance and innovate healthcare technology, but much of the core infrastructure in hospitals and legacy healthcare institutions is highly antiquated. This has created a situation where there is a lot of highly valuable data available that can be compromised with limited effort on behalf of attackers.
We are seeing this situation play out in the dramatic increase in attacks on healthcare over the last couple of years.
For example, the Community Health System breach in 2014 led to the compromise of 4.5 million records and was then followed in 2015 by the largest healthcare breach to date, at Anthem, where 80 million records were stolen.
The number of US businesses affected and the sheer magnitude of these attacks did not go unnoticed by regulatory agencies across all industries. They answered this realization with increased security requirements and penalties for non-compliance at any organization that manages, stores, or processes sensitive information.
Office of Civil Rights Continues to Increase & Update HIPAA Security Requirements
Specific to healthcare organizations, the Office of Civil Rights has continued to increase and update security requirements with the HIPAA Security Rule.
The most recent, released in the HIPAA Omnibus updates in late 2014, dramatically increased penalties, sharpened the definitions of expected capabilities, and expanded accountabilities for anyone that manages security information.
These events are now putting significant pressure on HIPAA Business Associates to comply and build standard-practice information security efforts at their organizations.
HIPAA business associates are defined as organizations that access, manage or store personally identifiable healthcare information on behalf of covered entities such as hospitals or insurance providers. For these often smaller organizations, this situation has created a dramatic need to increase information security efforts.
The increased HIPAA security requirements made business associates accountable for breaches they cause, better defined that these organizations require full security programs, and put more pressure on covered entities to perform more exhaustive security reviews and due diligence efforts on these organizations prior to doing business with them.
In today’s security landscape, implementing an effective security program that actually works and is compliant with HIPAA requirements means far more investment in high demand security talent, technique, and technology than simply trying to hire a security guy or gal to help out.
Many HIPAA business associates are much smaller than the clients that they serve, creating situations where these organizations are either unaware or unable to properly allocate appropriate operational security budgets to meet these requirements.
To compete and succeed, these organizations have had to make security efforts a strategic priority in their businesses.