Securing HIPAA – Interoperability versus Data Protection
by James Lui
Posted on November 17, 2022
by James Lui
Posted on November 17, 2022
Today’s patients, at least the adults who remember earlier times, may grumble that healthcare professionals spend at least as much time working on their computers during an office visit or a hospital consultation as they spend interacting with the human before them. They may be looking up information, documenting findings, noting follow-ups, writing prescriptions, and electronically managing their patients’ care. Over the past decade, Electronic Medical Records (EMR) have taken over, assisted in the US by $27 billion in federal spending that was authorized in 2009 to encourage hospitals and health care providers to adopt EMR.
As the healthcare organizations that have implemented it have discovered, the shift to EMR is (mostly) a win for all stakeholders. Doctors can easily access patients’ latest test results. Notes from previous visits are at their fingertips. Prescriptions, referrals, and orders for tests can all be taken care of with just a few keystrokes. Checklists can help ensure that important questions are asked, and that patients’ responses are heard. Patients get orderly, legible printouts of physician recommendations, prescriptions, and referrals. For system administrators and IT, centralized systems simplify monitoring, management and updating tasks.
EMR is particularly helpful when it enables the diverse medical and paramedical specialists who care for a patient to access their complete medical records. Many patients have trouble remembering which medications they take, and at what doses. As a result, a specialist may unwittingly prescribe medication that is contraindicated due to undesired interactions, or which exacerbates a medical condition that the patient has forgotten to mention. EMR helps prevent this problem by providing specialists with information about each patient’s all-around medical condition, and in some cases, even checking for and flagging potential issues with a medication being prescribed.
To achieve the full benefits of EMR, this type of interoperability – the ability of healthcare providers to access and share clinical patient information both within and across healthcare systems – is a must. Yet interoperability can also pose a direct threat to another value that is vitally important for healthcare: data privacy and security.
The US Healthcare Insurance Portability and Accounting Act of 1996 – HIPAA for short – mandated that the US Department of Health and Human Services (HHS) develop regulations to protect the privacy and security of certain medical information. HHS complied with what’s known as the HIPAA Privacy Rule and the HIPAA Security Rule.
HIPAA rules require “covered entities” to secure individually identifiable health information, which is generally referred to as “electronic protected health information” or e-PHI. The entities covered by HIPAA include doctors, hospitals, pharmacies, clinics, and imaging centers as well as insurance companies, HMOs, and business associates of healthcare providers. According to HHS:
“Individually identifiable health information” is information, including demographic data, that relates to:
and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The regulations provide detailed requirements for both technical and physical safeguards that must be applied, including assessment of risks.
Civil penalties for violating HIPAA privacy and security requirements can reach up to $1.9 million. Criminal penalties for negligent or intentional release of PHI can include fines up to $250,000 and up to ten years in jail, with stiffest penalties imposed for “wrongful disclosure of PHI under false pretenses with malicious intent.”
Consider this paradox: On one hand, governments require the healthcare industry to protect sensitive information or face substantial penalties. Yet they also encourage interoperability to make sharing information easier between health care providers. In addition, once information is available electronically, consumers can also access their own healthcare data online.
Sharing data with others – even with the consumers to whom the data belongs – introduces risks, because no provider has full control over the digital environment in which they operate. What if a different healthcare provider who is authorized to accesses your system unknowingly uploads malware into your EMR system? What if the EMR access credentials of a business associate have been compromised? Your company – and possibly you, personally – are potentially liable if e-PHI is compromised.
It’s not enough to make sure that in-house users, accessing systems from managed devices, pose no risk to HIPAA compliance. Your EMR system must be secured against potential data exposure, intentional or accidental, through threats introduced by any user, on any device, who might access the system (or try to) – employees, third-party users, patients, or cybercriminals.
In addition to the financial, legal and reputational damage that results from sensitive patient data being exposed, a successful cyberattack can disrupt a healthcare provider’s operations and negatively impact their ability to deliver critical patient care. A 2021 cyberattack on Ireland’s Health Service Executive led to a nationwide shut down of all its IT operations that lasted for months. Many appointments had to be cancelled including, for a time, all outpatient and radiology appointments. More recently, criminals breached Medibank, Australia’s leading health insurer, stealing personal data of 9.7 million individuals and releasing sensitive personal data, including the names of policy holders who terminated pregnancies, and raising concern that people might refrain from seeking medical care due to fear of exposure.
Healthcare providers can take several steps to protect themselves from the vulnerabilities that come with allowing access to IT assets by internal users via BYOD as well as third parties, including external healthcare providers, other parties in the healthcare supply chain, or patients checking their own records.
Web Application Isolation (WAI). Isolating applications protects them from being compromised by a malicious user. Users are free to use the EMT system, in accordance with policy-based controls. Cloud-based isolation ensures that even if a user’s device is infected, no malware can spread to your system. Additionally, WAI cloaks web-facing surfaces of private apps, SASE and cloud applications, so no code is exposed to threat actors seeking vulnerabilities or ways to inject malicious code.
Microsegmentation and Identity and Access Management (IAM). Zero Trust network access (ZTNA) leverages built-in IAM and microsegmentation to enforce least privilege access, ensuring that each user can access only the data they need and are authorized to see. It also enforces multi-factor access safeguards against login using stolen credentials.
Remote Browser Isolation (RBI). Remote browser isolation enables data loss prevention (DLP) controls to be applied to ensure that no e-PHI or other restricted data is downloaded to user devices, and that no malware is uploaded to EMR systems via attachments or encrypted files.
It is challenging to provide EMR interoperability while enforcing strict protections for health data privacy and confidentiality. However, with the right precautions it’s possible to achieve both.
The protections recommended above are just a few of the elements required for a secure cybersecurity environment in a healthcare organization. The best way to keep sensitive health data protected is with a comprehensive, Zero Trust-based service such as ZTEdge, a Secure Service Edge (SSE) cloud-native platform that provides comprehensive cybersecurity that is simple to manage, easily integrated with existing infrastructure and affordable for organizations of all sizes.
“Operation Duck Hunt” Shuts Down QakBot Botnet
The FBI-led takedown of Qakbot was an operation that involved seven countries. Malware was removed from 700,000 computers. But don’t think all that makes you safe.
How GenAI is Supercharging Zero-Day Cyberattacks
Generative AI empowers its users to work fast, better and more efficiently. Alas, this includes cybercriminals, who are using malicious GenAI platforms to accelerate zero-day exploit creation.
Cybercriminals Disdain the Law, But Find Law Firms Attractive
Cybercriminals love the multiplier effect they get from attacking law firms: Hack in, and they get firm data PLUS juicy confidential client info.