HIPAA Compliance Checklist: Cybersecurity in the Healthcare and Pharma sectors

Praveen Yeleswarapu
July 20, 2021

On September 14, 2020, the U.S. Department of Veterans Affairs (VA)’s Office of Management announced a data breach of around 46,000 veterans’ personal information. Unauthorized users had somehow gained access to one of the online applications of the VA’s Financial Services Center, which they manipulated to divert payments from the VA after changing financial information. The hackers tried to reroute the payments going to community healthcare providers for the veterans’ medical treatments.

In October 2020, a cyberattack crippled 5000 network computers that were a part of the UVM Health Network’s IT system. The system outage lasted over 40 days, leading to the postponement of services and around 300 workers being benched or reassigned as they could not perform their jobs. The health system is losing about $1.5 million every day in revenue and expenses and expects that the entire incident will cost them over $63 million till it is resolved. The projected timeline for resolution is sometime in 2021.

The richness of data to be found in healthcare systems make it a prime target for cyberattacks. Cybercriminals bank upon its potential to tie up systems and data in order to fully disrupt everyday operations. Pharma companies are also tempting targets, given the value they are providing during the ongoing COVID-19 pandemic, with medicines and vaccines. And given that a large number of employees across these important sectors are currently working from home, any gaps in companies’ cybersecurity stand to be fully exploited.

The Role of HIPAA, and How Compliance Works

With regard to healthcare in particular, all data operations must be designed to be compatible with Title II of the Health Insurance Portability and Accountability Act (HIPAA).

Title II of HIPAA is mainly concerned with the secure storage, processing, transfer, and access of electronic protected health information (ePHI) and other electronic health care transactions. The challenges are many, as there were no smart devices in 1996 when HIPAA was established. But in this day and age, the medical Internet of Things makes it possible to access ePHI from smart devices, perform video consultations, and share biometric data from wearable devices with insurers and medical care providers.

For easier HIPAA compliance across the electronic medical data sector, technical and administrative safeguards should be built around these pillars of Title II:

1.  National Provider Identifier

2.  Transactions and Code Sets

3.  Standards for Privacy of Individually Identifiable Health Information

4.  Security Standards for the Protection of Electronic Protected Health Information

5.  HIPAA Enforcement Rule

Healthcare organizations face a hefty penalty of $50,000 for a Title II violation.

How do cyberattacks happen?

Recent data indicates that a cyberattack takes place every 39 seconds. In 95% of the cases, the breach occurs due to human error.

  • Some of the main tools in a cybercriminal’s arsenal are sophisticated malware, ransomware in particular, used to hold an organization’s data hostage.
  • Phishing and baiting of employees is a common way of gaining access to the system: an authentic-looking email carries a link that, when clicked, downloads the malware. Phishing emails also often trick the recipient into entering personal information, leaving them vulnerable.
  • Malware can also arrive on a portable storage device that is brought in by an accomplice or intruder, or left lying around for an unsuspecting employee to plug into a computer. Once this is done, the malicious program enters the system.

How you can prevent a cyberattack

  • Formally training all employees in basic cybersecurity hygiene and safe handling of ePHI, and documenting the sessions, is of absolute importance.
  • Keep your code safe. Your software development lifecycle practices must be kept secure and watertight.
  • Limit access to the fewest users necessary, and restrict data access according to each employee’s role and duties. Third-party access (vendors, for instance) to ePHI should never be allowed.
  • Institute multi-layered security access controls. To be HIPAA compliant, all users must be given a unique username and password, and organizations have to establish protocols that govern ePHI access.
  • Continually scan for any vulnerability that cybercriminals could exploit.
  • Input fields on websites or apps are a vulnerable entry point: perform input validation and sanitization to keep input safe.
  • Activity audit controls ensure that all attempts to access ePHI are logged and any data-related activity gets recorded. After a certain period of inactivity has elapsed, the system should automatically log out the user.
  • An authentication step requires electronic controls that confirm health information has not been illicitly altered or destroyed.
  • Firewalls and intrusion detection systems will give you the power of rapid response or instant blocking if under attack.
  • Encryption and decryption are a must: Messages sent beyond internal firewalls must be encrypted according to NIST standards. They must be decrypted at the other end when the message is received.
  • Now that a multitude of mobile devices has come into play, there must be protocols or mobile device management tools to clear out ePHI from any lost or stolen devices.
  • A formal contingency plan must be in place to facilitate uptime for critical processes to ensure maximum protection for ePHI during an event. The plan and any backups must be tested for efficacy.
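The following is an added example, not code from the original article or from any product it mentions. It shows, in one small in-memory service, how four of the controls listed above fit together: role-based least-privilege access, an audit trail that records every attempt to reach ePHI (granted or denied), automatic logout after a period of inactivity, and an integrity tag (an HMAC) that detects illicit alteration of a stored record. The roles, permission map, timeout value, user names and patient record are all constructed for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Hypothetical role -> permitted actions map (constructed for this example).
# Least privilege: billing staff may read demographics but never clinical notes.
ROLE_PERMISSIONS = {
    "physician": {"read_clinical", "write_clinical", "read_demographics", "write_demographics"},
    "nurse": {"read_clinical", "read_demographics"},
    "billing": {"read_demographics"},
}

INACTIVITY_TIMEOUT = 15 * 60  # seconds of inactivity before automatic logout (constructed value)


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # epoch seconds of the last authorised action


@dataclass
class EphiGateway:
    """In-memory stand-in for the record store, session table and audit sink."""
    integrity_key: bytes
    records: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _tag(self, record_id: str, kind: str, payload: dict) -> str:
        # HMAC over a canonical serialization binds record id and kind to the content,
        # so a record cannot be altered or swapped without the key.
        msg = json.dumps([record_id, kind, payload], sort_keys=True).encode()
        return hmac.new(self.integrity_key, msg, hashlib.sha256).hexdigest()

    def _audit(self, user: str, action: str, record_id: str, outcome: str, now: float) -> None:
        # Audit control: every attempt is recorded, whether or not it succeeds.
        self.audit_log.append({"ts": now, "user": user, "action": action,
                               "record": record_id, "outcome": outcome})

    def login(self, user: str, role: str, now: float) -> str:
        # Each user gets their own session token; shared accounts are not representable here.
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        token = hashlib.sha256(f"{user}:{role}:{now}".encode()).hexdigest()[:16]
        self.sessions[token] = Session(user, role, now)
        return token

    def _session(self, token: str, now: float):
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_activity > INACTIVITY_TIMEOUT:
            del self.sessions[token]  # automatic logout after inactivity
            return None
        s.last_activity = now
        return s

    def _authorize(self, token: str, action: str, record_id: str, now: float):
        s = self._session(token, now)
        if s is None or action not in ROLE_PERMISSIONS[s.role]:
            self._audit(s.user if s else "<no session>", action, record_id, "denied", now)
            return None
        return s

    def write(self, token: str, record_id: str, kind: str, payload: dict, now: float) -> bool:
        s = self._authorize(token, f"write_{kind}", record_id, now)
        if s is None:
            return False
        self.records[record_id] = {"kind": kind, "payload": payload,
                                   "tag": self._tag(record_id, kind, payload)}
        self._audit(s.user, f"write_{kind}", record_id, "granted", now)
        return True

    def read(self, token: str, record_id: str, now: float):
        """Return (outcome, payload); payload is None unless outcome is 'granted'."""
        rec = self.records.get(record_id)
        action = f"read_{rec['kind']}" if rec else "read_unknown"  # unknown records are denied
        s = self._authorize(token, action, record_id, now)
        if s is None:
            return ("denied", None)
        if not hmac.compare_digest(rec["tag"], self._tag(record_id, rec["kind"], rec["payload"])):
            self._audit(s.user, action, record_id, "integrity_failure", now)
            return ("integrity_failure", None)
        self._audit(s.user, action, record_id, "granted", now)
        return ("granted", rec["payload"])


def demo() -> EphiGateway:
    """Walk the controls with constructed users and one constructed patient record."""
    gw = EphiGateway(integrity_key=b"constructed-demo-key-not-for-production")
    t0 = 1_700_000_000.0
    doc = gw.login("dr.lee", "physician", t0)
    gw.write(doc, "pt-001", "clinical", {"dx": "hypertension"}, t0 + 1)   # granted
    clerk = gw.login("clerk.ann", "billing", t0 + 2)
    gw.read(clerk, "pt-001", t0 + 3)                                       # denied: role lacks read_clinical
    nurse = gw.login("rn.kim", "nurse", t0 + 10)
    gw.read(nurse, "pt-001", t0 + 11)                                      # granted
    gw.records["pt-001"]["payload"]["dx"] = "no findings"                  # simulated tampering of stored data
    gw.read(doc, "pt-001", t0 + 20)                                        # integrity_failure: tag no longer matches
    gw.read(nurse, "pt-001", t0 + 11 + INACTIVITY_TIMEOUT + 1)             # denied: session expired, auto logout
    return gw


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Running the script prints the five audit entries in order: the physician's write is granted, the billing clerk's read is denied, the nurse's first read is granted, the physician's read after the stored record was altered fails the integrity check, and the nurse's late read is denied because the session was logged out for inactivity. In a real deployment the audit sink would be append-only storage outside the application's control, and the integrity key would live in a key management service rather than in the code.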

Practical cybersecurity measures for a healthcare-related organization to take

  • Web application security software protects the website and helps identify attacks.
  • Don’t skimp on Internet Security: get the full suite with smart anti-virus, heuristic file analysis, sandboxing techniques, and default-deny protection.
  • Never share links to online meetings, classrooms, or conferences on public platforms, including open social media profiles.
  • Never share usernames and passwords, social security numbers, birth dates, security answers, financial information, or any personal details when solicited over the phone or email.
  • Have a data breach security protocol already in place, along with training programs for your staff on how to avoid a data breach, and what to do should they discover that one has occurred.

Achieving HIPAA compliance may necessitate a Security Operations Center staffed with dedicated security engineers, or a highly sophisticated agentless Cybersecurity solution like BluSapphire Elite. This helps ensure HIPAA-compliant baseline security configurations as well as ongoing, expert surveillance of your network for noncompliant or suspicious behavior.