March 16, 2017 By Scott Koegler

Five Ways to Comply With HIPAA Regulations

The American Recovery and Reinvestment Act (ARRA) mandated that health care organizations comply with the Health Insurance Portability and Accountability Act (HIPAA) and implement electronic records systems by 2015. That date has passed, and now all complying health care organizations are storing their patients’ records electronically.

This digital storage simplifies access, updates, reporting and use by physicians and their patients, but it also brings with it the same threats to data that financial organizations have faced for years. In fact, stolen health credentials are worth roughly $10 each, which is 10 to 20 times more valuable than credit card information. Health care providers need to address these issues to safeguard their patient records and comply with HIPAA regulations.

1. Admin Controls and Employee Training

Health care organizations should act like high-tech financial institutions to ensure compliance with government regulations and the proper handling of patient records. It’s no longer acceptable to have a few casual rules about access to records and filing cabinets. Offices need to have updated policies on hand and available to their employees.

Employees must be personally guided through security measures, office procedures and privacy rules, complete with sign-offs at critical stages. Even before training, every employee should pass a background check to establish trust.

2. Physical Access

Locked file cabinets don’t protect electronic health record (EHR) data. Offices must establish systems that are inaccessible to unauthorized individuals and verify the identity of all system users.

A list of users authorized to access the health records systems must be maintained. It should include methods to create and update secure passwords as well. Since the data is stored on computers, the office must have disaster recovery plans that are tested to be functional and reliable.

3. Audit User Access

Workstations need to be secured by passwords and automatically log users out of sessions when there is no activity for a specified period. External access to other networks and the internet must be locked so patient data can’t be transmitted outside the confines of the office and hacking tools can’t find their way into the system. Additionally, workstations should have their own individual functions and access rights that limit users to the type of work and access defined for that workstation, regardless of the user’s access rights.
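The two controls described above, automatic logout after a period of inactivity and access rights that are scoped to the workstation as well as the user, can be expressed as one small authorization check. The following is an added illustration written for this article, not code from the author or from any EHR product; the 15-minute timeout, the user and workstation names and their rights are all constructed sample values. The effective rights of a session are the intersection of what the user may do and what the workstation is allowed to be used for, so a clinician logged in at a reception desk cannot export reports from there even though their account permits it elsewhere.

```python
"""Idle-session timeout plus workstation-scoped rights (added example, not from the article)."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value: log out after 15 minutes of inactivity

# Constructed sample policy. USER_RIGHTS is what an account may do anywhere;
# WORKSTATION_RIGHTS is what a given machine may be used for, whoever is logged in.
USER_RIGHTS = {
    "dr_smith": {"read_chart", "write_orders", "export_report"},
    "frontdesk1": {"read_schedule", "update_demographics"},
}
WORKSTATION_RIGHTS = {
    "exam_room_3": {"read_chart", "write_orders"},        # clinical use only, no exports
    "reception": {"read_schedule", "update_demographics"},  # no chart access at the front desk
}


def effective_rights(user: str, workstation: str) -> set:
    """A session may only do what BOTH the user and the workstation are permitted to do."""
    return USER_RIGHTS.get(user, set()) & WORKSTATION_RIGHTS.get(workstation, set())


@dataclass
class Session:
    user: str
    workstation: str
    last_activity: float


class SessionManager:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so the timeout can be tested without waiting
        self.sessions: dict = {}

    def login(self, user: str, workstation: str) -> str:
        if user not in USER_RIGHTS or workstation not in WORKSTATION_RIGHTS:
            raise PermissionError("unknown user or unregistered workstation")
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = Session(user, workstation, self.clock())
        return session_id

    def authorize(self, session_id: str, action: str) -> bool:
        """Return True only for a live, non-idle session whose effective rights include the action."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return False
        now = self.clock()
        if now - sess.last_activity > self.idle_timeout:
            del self.sessions[session_id]   # automatic logout: the session is gone, not just denied
            return False
        sess.last_activity = now            # any authorized request counts as activity
        return action in effective_rights(sess.user, sess.workstation)


if __name__ == "__main__":
    mgr = SessionManager()
    sid = mgr.login("dr_smith", "exam_room_3")
    print("read_chart in exam room:", mgr.authorize(sid, "read_chart"))       # True
    print("export_report in exam room:", mgr.authorize(sid, "export_report"))  # False
```

Because the idle check deletes the session rather than merely refusing the request, a workstation left unattended requires a fresh login, which is what the article's "automatically log users out" means in practice.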

4. Media Controls

Protecting data that resides in the EHR system is important, but controlling how and if that data moves outside the office is an issue that deserves more consideration than might initially be imagined. While health records are maintained in central data storage or even cloud-based systems, that data is also transmitted to local devices as it is used. So when disposing of equipment such as workstations and printers, it’s important to digitally scrub them before selling, donating or otherwise removing them from service.

Today’s printers store the documents sent to them for printing on internal hard drives. Health care records sent to the printer can remain in the printer’s storage and be extracted by an enterprising data thief. Workstations, printers and many other devices also store network authentication credentials that can be leveraged to gain access to office networks. Establish effective procedures to examine and clean data from equipment as part of your replacement cycle.

5. Data Encryption

All EHR data should be encrypted. While this seems an obvious step, many data theft events have been successful because user credentials were not encrypted, allowing intruders to log in to systems, freely view the data and extract what they wanted. The issue is that validated users have access to encrypted data because they are authorized to access it in its unencrypted form.

To be effectively protected, health care data must be encrypted and segmented so that authorized users are only able to access data specific to their needs. That can prevent full-scale data theft. The first line of defense, however, must be the encryption of user credentials so that thieves are not able to masquerade as valid users.
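The article's first line of defense, protecting stored user credentials so that a stolen copy of the user database does not let a thief log in as a valid user, is in practice done with a salted, iterated password hash rather than reversible encryption. The example below is added here to show the contrast; it is not the author's code and does not model any particular EHR system. The weak store keeps passwords readable (the situation the article describes), while the hardened store keeps only a per-user random salt and a PBKDF2 digest, so a dumped copy yields no reusable credentials. The iteration count and the user names are constructed sample values.

```python
"""Stored credentials: readable passwords vs. salted, iterated hashes (added example, not from the article)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune upward as hardware gets faster
HASH_NAME = "sha256"
SALT_BYTES = 16


class PlaintextCredentialStore:
    """The weak pattern the article warns about: a copy of the store IS the credentials."""

    def __init__(self):
        self._users = {}

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = password

    def verify(self, username: str, password: str) -> bool:
        return self._users.get(username) == password

    def dump(self) -> dict:
        return dict(self._users)  # whatever a thief exfiltrates is immediately usable


class HashedCredentialStore:
    """Hardened store: random salt per user, slow hash, constant-time comparison."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self.iterations = iterations
        self._users = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)    # unique salt defeats precomputed tables and cross-user matching
        digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, self.iterations)
        self._users[username] = (salt, self.iterations, digest)

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown names so response time does not reveal valid usernames.
            hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), b"\x00" * SALT_BYTES, self.iterations)
            return False
        salt, iterations, digest = record
        candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations)
        return hmac.compare_digest(candidate, digest)  # constant-time: no early exit on first mismatch

    def dump(self) -> dict:
        # Even the full record set contains no password; each entry must be brute-forced at full cost.
        return {user: digest.hex() for user, (_, _, digest) in self._users.items()}


if __name__ == "__main__":
    weak = PlaintextCredentialStore()
    weak.add_user("dr_smith", "constructed-sample-password")
    print("weak store dump:", weak.dump())

    strong = HashedCredentialStore()
    strong.add_user("dr_smith", "constructed-sample-password")
    print("hardened store dump:", strong.dump())
    print("login ok:", strong.verify("dr_smith", "constructed-sample-password"))  # True
```

Hashing credentials does not by itself stop an intruder who already holds a valid login, which is why the article pairs it with segmentation; that second control belongs in the authorization layer, limiting each authenticated user to the records their role requires.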

Locate Your Liabilities

Security intelligence solutions can be effective in preventing or limiting data theft and protecting patient records from being accessed by unauthorized parties. Health care providers need to understand where their liabilities are and take measures to secure all possible points of intrusion.

Read the IBM X-Force Research Report: Security Trends in the Health Care Industry
