Secure Access Management and HIPAA Compliance
In 2020 alone, 429 healthcare hacking incidents and 143 unauthorized access or disclosure incidents were reported to the HHS Office for Civil Rights. Those data breaches resulted in the exposure of a little under 1 million private patient records. Each of those breaches carries not only serious real-world consequences but also hefty HIPAA fines.
The Cost of a Hack
Patient privacy, and protecting patient files, is more important than ever. Cyberattacks are on the rise, and the bounty for patient files is increasing alongside them. According to a Trustwave report, a healthcare data record may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record (a payment card). Because of the desirability of the data and the lure of monetary gain, it is important that this security threat is not underestimated by healthcare industry IT professionals.
The financial gains an outside hacker or an insider threat can make with private patient data are only outmatched by how much it costs a hospital or healthcare system. The Ponemon Institute found that the costs associated with remediating a breach are estimated at $740,000, and if a third party causes a data breach, the cost of the attack increases by more than $370,000.
Those numbers don’t add up to anything good, especially once the real world costs are taken into consideration. Just recently:
- Eskenazi Healthcare in Indianapolis had to turn ambulances away while security teams resolved a ransomware attack.
- Memorial Health System, which owns 64 hospitals in its network, had to cancel surgeries and radiology treatments in its West Virginia and Ohio locations due to ransomware that shut off IT access to healthcare systems.
- Sanford Health in Sioux Falls, South Dakota diverted ambulances to other hospitals while teams recovered the systems hit by a ransomware hack.
- Just in 2021, 38 cyberattacks have caused disruption of services to 963 healthcare locations.
The impact ransomware has on healthcare institutions could not only cost hospitals money and resources, but also human lives.
HIPAA and Hacks
HIPAA has two types of rules to protect patient information that must be followed: the Privacy Rule and the Security Rule. The Privacy Rule protects what is known as personally identifiable information, or PII, and governs who may have access to it, while the Security Rule protects all protected health information (PHI) a covered entity creates, receives, maintains, or transmits in electronic form, known as ePHI, and ensures that only authorized users have access to that information. The biggest difference is that the Privacy Rule also covers written or oral communication of PII, while the Security Rule does not. The electronic systems within your healthcare organization hold the most valuable information, so compliance with the Security Rule is key to making sure your patient data is protected.
If one of these rules is broken, the cost can be astronomical. The average HIPAA violation fine, at least in 2019, was $1.2 million. So following HIPAA guidelines is a good idea, for a multitude of reasons.
HIPAA also has a rule that can actually lead to more trouble than healthcare systems realize. Under HIPAA, healthcare providers — also referred to as “covered entities” — can share protected health information with vendors and business associates. Business associates include claims processors, bill collectors, accounting firms, consultants, attorneys, claims clearinghouses, and medical transcriptionists. While third parties can offer operation-critical services, they require remote access to your network and sensitive data, which, of course, makes them a huge threat to healthcare organizations. Each one is a big, unknown variable in the middle of a healthcare system’s network, and it can cause trouble for both security and HIPAA compliance.
The big question is how to protect this data, stay compliant, and avoid the many ramifications (cost, reputational damage, downtime) of a hack. The answer is multi-faceted, but a strong place for any healthcare provider to start is with privileged access management.
What Is Privileged Access Management?
Privileged access management is, simply, the management of who can access what, especially when it comes to sensitive, regulated information like patient data. It makes no sense that a secretary in the hospital's finance department would have access to patient files from the emergency department, so privileged access management is making sure that a secretary doesn’t and that the ER doctor does. While theoretically this can be done manually, PAM software is one of the fastest-growing sectors of cybersecurity.
PAM tools and software typically provide the following features:
- Multi-factor authentication (MFA) for administrators.
- An access manager that stores permissions and privileged user information.
- A password vault that stores secured, privileged passwords.
- Discovery of administrative accounts.
- Session tracking once privileged access is granted.
- Dynamic authorization abilities. For example, only granting access for specific periods of time.
- Automated provisioning and de-provisioning to reduce insider threats.
- Granular and centralized audit logging tools that help organizations meet compliance.
There is also VPAM (vendor privileged access management) software, a subset of PAM software, which works with vendors, contractors, or other kinds of third parties (which healthcare providers frequently work with) to ensure security in that access point as well. VPAM software provides three areas of value:
- Identification and authorization
- Access control
- Recording and auditing
According to a recent IBM report, 74% of data breaches involved a privileged account, so protecting these accounts and who can access them is critical to any cybersecurity strategy.
PAM Solutions Keep Healthcare Systems Compliant
Not only does employing a PAM or VPAM solution protect a healthcare organization’s system from a catastrophic and expensive hack, but it also helps with HIPAA compliance.
The HIPAA Security Rule requires covered entities to:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
As noted above, PAM software achieves all of that, and then some. In addition, VPAM software can help audit access controls, so there is proper recording and record keeping of who has access to what. While the software is the best solution because it’s automated and removes burdens from various departments while ensuring crucial HIPAA compliance, two policies must be implemented, with or without PAM software.
- Internal access rights need to be audited frequently to make sure the staff members accessing patient records are permitted to access them. If there are any suspicious access attempts, this needs to be flagged, reported, and investigated.
- Zero Trust principles must be deployed; this means all external access attempts need to be authenticated and verified before access is granted to the individual. And if hospitals can use third parties who already have HIPAA-compliant remote access methods in place, even better — one less access point they have to worry about.
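An added example of the first policy, the internal access-rights audit (this is illustrative code, not from the original article or any PAM product): constructed access-log lines are checked against a role-to-department permission map and a time-bound grant of the kind listed above under dynamic authorization, and any access outside them is flagged for investigation. All users, roles, departments and log lines are constructed.

```python
from datetime import datetime

# Constructed role -> departments whose patient records that role may read
# (the finance clerk cannot read ER files; the ER physician can).
ROLE_PERMISSIONS = {"er_physician": {"emergency", "radiology"},
                    "finance_clerk": {"billing"}, "vendor_transcription": {"transcription"}}
# Constructed user directory (in practice fed by the PAM access manager / IdP).
USERS = {"dr.lee": "er_physician", "jsmith": "finance_clerk",
         "acme-svc": "vendor_transcription"}
# Constructed time-bound grant for a vendor account: department, start, end.
TIME_BOUND_GRANTS = {"acme-svc": ("emergency", datetime(2021, 9, 1, 9, 0),
                                  datetime(2021, 9, 1, 17, 0))}

def parse_log_line(line):
    """Parse 'timestamp|user|department|record_id|action' into a dict."""
    ts, user, dept, record_id, action = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "department": dept, "record_id": record_id, "action": action}

def is_permitted(event):
    """True if the user's role, or an active time-bound grant, covers this access."""
    role = USERS.get(event["user"])
    if role is None:
        return False  # unknown or de-provisioned account: never permitted
    if event["department"] in ROLE_PERMISSIONS.get(role, set()):
        return True
    grant = TIME_BOUND_GRANTS.get(event["user"])
    if grant:
        dept, start, end = grant
        return dept == event["department"] and start <= event["ts"] <= end
    return False

def audit(log_lines):
    """Return (user, department, record_id, reason) for every access to flag."""
    flagged = []
    for line in log_lines:
        ev = parse_log_line(line)
        if not is_permitted(ev):
            reason = "unknown account" if ev["user"] not in USERS else "outside role/grant"
            flagged.append((ev["user"], ev["department"], ev["record_id"], reason))
    return flagged

# Constructed access log: ER physician, finance clerk reading an ER record,
# vendor inside and then outside its window, and an account not in the directory.
SAMPLE_LOG = [
    "2021-09-01T10:15:00|dr.lee|emergency|P1001|read",
    "2021-09-01T10:20:00|jsmith|emergency|P1001|read",
    "2021-09-01T12:00:00|acme-svc|emergency|P1002|read",
    "2021-09-01T18:30:00|acme-svc|emergency|P1002|read",
    "2021-09-01T19:00:00|ghost|billing|P1003|read",
]
```

Running `audit(SAMPLE_LOG)` flags the clerk's ER read, the vendor's out-of-window read and the unknown account, which are the three entries an investigator would review.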
The good news is that solutions exist and that it’s easy to learn from the past. Even though the signs are troubling, help is nearby in the form of employing better, more effective cybersecurity practices. From understanding and educating departments on Zero Trust principles to implementing a PAM or VPAM software, achieving HIPAA compliance and staying safe will save money, time, and patients’ privacy.