The United States Health Insurance Portability and Accountability Act of 1996, or HIPAA, was enacted to safeguard Protected Health Information (PHI) by mandating procedures and controls that protect this critical and private information against loss of confidentiality, integrity or availability. With few exceptions, an organization is subject to HIPAA if it creates, receives, maintains or transmits PHI, either as a covered entity or on a covered entity's behalf.
Both HIPAA and the regulatory environment have evolved since 1996. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was signed into law as part of the American Recovery and Reinvestment Act (ARRA). This law includes new rules that affect the health care industry and any entity that handles, processes or maintains PHI. The new rules revolve around two primary areas:
- The mandated adoption of new electronic health record systems (and standards, controls and protections around that adoption)
- The expansion of breach notification rules concerning personal health records
In 2013, the HIPAA Omnibus Rule was enacted to modify the HIPAA Privacy, Security and Enforcement Rules and implement the statutory amendments made by the HITECH Act. The Omnibus Rule makes extensive changes that strengthen the security and privacy of PHI, such as making business associates directly liable for compliance and increasing penalties, with a maximum of $1.5 million per year for all violations of an identical provision. HIPAA and HITECH are separate laws, but they reinforce each other in certain ways. For example, HITECH stipulates that technologies and technology standards created under HITECH must not compromise HIPAA privacy and security protections.
Organizations subject to HIPAA, known as Covered Entities (CE), include:
- Health care providers (doctors, hospitals, etc.) that transmit health information electronically
- Health plans (insurers, HMOs) and health care clearinghouses
- Businesses that self-insure; and
- Businesses that sponsor a group health plan and provide assistance to their employees on medical coverage (such as flexible spending accounts)
The US Department of Health and Human Services (HHS) is becoming more aggressive in pursuing violations and fines. In the first half of 2016 alone, HHS recorded close to $15 million in settlement payments. Healthcare cyber attacks are also on the rise and attackers appear to be shifting tactics. Healthcare records are still being stolen and resold on the black market, but the price per record is dropping, which pushes some of the monetization toward ransomware attacks. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. HIPAA is intended to mandate security processes that withstand these cyber attacks. Keep in mind, experiencing a cyber attack is not just a compliance concern; it is a business concern, because it means loss of service and loss of business for the healthcare organization.
Your HIPAA Compliance
Meeting the requirements of HIPAA requires most businesses to set up strong processes, methods and controls that demonstrate to auditors that the security and integrity of PHI is protected. The specific technical rules are fairly prescriptive, and systems that are in scope for HIPAA should meet both the Act's intent and the implementation specifications set out in each section. Below, we illustrate how Tripwire products help address the security processes dictated by 45 CFR Part 164 (the HIPAA Privacy and Security Rules). Additionally, we show not only how to reach compliance, but how to maintain it over the long term.
And why is continuous compliance important? Even if an organization is compliant today, unforeseen change is very likely. Most organizations have IT systems that must be updated, modified and maintained to keep running smoothly, and every such change carries a high likelihood of drifting out of compliance with HIPAA rules.
Tripwire has observed that most organizations need both a compliance monitoring system and a change control process that assures only authorized change is introduced to the systems in scope. To demonstrate system integrity one must show not only a process, but evidence (reports and logs) that only authorized change occurs.
Healthcare industry observers see increases in healthcare cyber attacks. Security issues with highly connected electronic health records (EHR) systems and the advent of web-based health record repositories are likely to push new and enhanced rules for electronic PHI (ePHI) and expanded definitions of who is a CE. Are you ready?
Tripwire Solutions And HIPAA
Tripwire solutions offer highly automated foundational controls to meet the security requirements of HIPAA (45 CFR Part 164), reducing time spent fighting fires caused by poor network and data security practices, and enhancing the data security of ePHI. Tripwire's real-time and continuous foundational controls (which include security configuration management, vulnerability management and log management) keep you from drifting out of compliance, so you remain consistently compliant.
Core to the Tripwire solution for HIPAA is high-integrity systems management: a policy-based approach that lets you programmatically analyze critical changes and settings to determine whether they are authorized and compliant. Because integrity monitoring is performed as change occurs, rather than at audit time, you can achieve a continuous state of compliance. Tripwire has a solid track record with many compliance standards (CIS, ISO 27001, PCI, FISMA/NIST, NERC CIP, SOX, COBIT, DISA) as well as HIPAA, and offers over 150 policy templates and audit-ready reports to support these standards.
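To make the integrity-monitoring and change-control idea above concrete, here is an added example (illustrative code, not Tripwire's product or its file formats) showing the two halves of the evidence trail: a hash baseline of in-scope files is compared against their current state, and every detected change is reconciled against an authorized-change record carrying the expected hash. A change whose path is approved but whose content does not match the approved hash is still flagged, because what landed is not what was approved. The baseline layout, the change-record fields (`ticket`, `path`, `sha256`, `action`) and the sample files are all constructed assumptions for this illustration.

```python
"""Added example: hash-baseline integrity check reconciled against change records.

Not Tripwire code. File formats, field names and sample data are hypothetical.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its hash and mode bits."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = oct(os.stat(full).st_mode & 0o777)
            baseline[rel] = {"sha256": file_digest(full), "mode": mode}
    return baseline


def diff_baseline(old, new):
    """Classify every path as added, removed or modified relative to the baseline."""
    changes = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes.append({"path": rel, "kind": "added", "after": new[rel]})
        elif rel not in new:
            changes.append({"path": rel, "kind": "removed", "before": old[rel]})
        elif old[rel] != new[rel]:
            changes.append({"path": rel, "kind": "modified",
                            "before": old[rel], "after": new[rel]})
    return changes


def reconcile(changes, authorized):
    """Attach authorized=True only when a change record covers the path AND the
    observed result (expected hash for added/modified, action=remove for removed)."""
    by_path = {rec["path"]: rec for rec in authorized}
    result = []
    for ch in changes:
        rec = by_path.get(ch["path"])
        ok = False
        if rec is not None:
            if ch["kind"] == "removed":
                ok = rec.get("action") == "remove"
            else:
                ok = rec.get("sha256") == ch["after"]["sha256"]
        result.append(dict(ch, authorized=ok, ticket=rec["ticket"] if rec else None))
    return result


def evidence_record(reconciled):
    """The audit artifact: timestamped list of changes with their authorization status."""
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "changes": reconciled,
        "unauthorized_count": sum(1 for c in reconciled if not c["authorized"]),
    }


def demo():
    """Constructed scenario: one approved edit, one unapproved edit, one stray new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        sample = {"etc/sshd_config": b"PermitRootLogin no\n",
                  "etc/audit.rules": b"-w /var/log/ehr -p wa\n"}
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Approved change (hypothetical ticket): tighten the audit rule; the record
        # carries the hash of the content that was actually reviewed and approved.
        approved = b"-w /var/log/ehr -p rwxa\n"
        authorized = [{"ticket": "CHG-0042", "path": "etc/audit.rules",
                       "sha256": hashlib.sha256(approved).hexdigest()}]
        with open(os.path.join(root, "etc/audit.rules"), "wb") as fh:
            fh.write(approved)
        # Unapproved drift: root login re-enabled, and an unexpected file appears.
        with open(os.path.join(root, "etc/sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")
        with open(os.path.join(root, "etc/unexpected.conf"), "wb") as fh:
            fh.write(b"debug=1\n")

        return evidence_record(reconcile(diff_baseline(baseline, build_baseline(root)), authorized))


if __name__ == "__main__":
    for c in demo()["changes"]:
        print(c["path"], c["kind"], "authorized" if c["authorized"] else "UNAUTHORIZED")
```

In practice the baseline would be stored off-host and signed, the check would run on every change event rather than on demand, and the evidence record would be shipped to log management so the report an auditor sees is the same data the operations team acted on.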
We also recognize that many healthcare organizations are aligning their security strategy to National Institute of Standards and Technology (NIST) guidelines and frameworks as well, with over 47% of healthcare organizations adopting NIST.[3] We encourage you to read our Achieving FISMA brief and other NIST-related briefs.