Heather
Gray

Best security practices to protect your HIPAA database

Heather Gray

Jan 13, 2022

15 min read

The Healthcare Insurance Portability and Accountability Act (HIPAA) which came into effect in 1996 paved the way for the Department of Human and Health Services (HHS) to set certain standards for covered entities and other organizations to protect their HIPAA database.  

It’s important that every HIPAA compliant provider take up the necessary administrative, technical and physical safeguards while handling critical and sensitive information about patients.

Why? Firstly, it helps them and other business associates to prevent paying hefty fines. Secondly, you can set the minds of your patients at ease knowing their sensitive information are always in safe hands. In this blog, we’ll cover some of the best practices organizations can implement to protect their HIPAA database.  

HIPAA – A brief history

Privacy Rule

  • Initially proposed in 1999, the privacy rule came into effect in 2000.
  • It sets the standard for safeguarding Protected Health Information (PHI).
  • It permits patients to have access to their personal health data.
  • Revisions were made within the rule mandating the Office of Civil Rights (OCR), an agency part of the HSS to be the one to enforce HIPAA.

Security Rule

  • Proposed in 1998, the security rule was passed in 2003.
  • The entire purpose of this rule is to protect an individual’s health related information shared between healthcare providers, health plans and organizations.

HIPAA Enforcement Rule

  • This rule was enforced in 2005, after many covered entities failed to comply with the privacy and security rule.
  • It gave HHS the authority to search for covered entities with complaints made against them and impose financial penalties on those found to be non-compliant.
  • If the PHI of an individual was shared without their consent, they now had the right to file legal action against the covered entity that shared the information.

HITECH Act

  • The Health Information Technology for Economic and Clinical Health Act (HITECH) encouraged healthcare providers to use Electronic Health Records (EHR).
  • This act imposed a much higher fine than the financial penalties imposed by the HIPAA Enforcement Rule.
  • In 2009, the passing of the Breach Notification Rule mandated that breach of ePHI by a covered entity affecting more than 500 individuals should be immediately reported to the OCR and a notice should be send to all individuals who could be affected by the breach.

Omnibus Rule

  • The rule which came into effect in 2013 strengthens the existing laws by defining how patient information should be used for marketing purposes.
  • It states healthcare providers to take up the responsibility to report even minor data breaches.
  • All business associates and subcontractors should be liable for their own breaches and must be compliant with HIPAA’s critical privacy and security requirements.

When can covered entities disclose PHI?

“Covered
Covered entities should take care when disclosing PHI
 

The main purpose behind the privacy rule is to limit the circumstances in which an individual’s health information can be disclosed.

They cannot disclose the information unless:

  • The privacy rule permits it.
  • The person who is subject of the information authorizes it in writing.

However, there are situations in which PHI needs to be disclosed, these required disclosures can take place if:

  • Individuals specifically request access to their protected health information.
  • The Health and Human Services (HHS) undertakes a compliance investigation or review or enforcement action.

It is optional under the Privacy Rule to obtain consent or a written permission from individuals to disclose their PHI. The content of the consent and the process by which it will be obtained will depend on the covered entity.

How do you implement the privacy rule?

“Ensuring information always remains safe from unauthorized access
Ensuring information always remains safe from unauthorized access
 
  • They should have documented policies and procedures that comply with the Privacy Rule.
  • Appoint a privacy official to implement the policies and procedures.
  • Appoint a contact official to receive complaints and create awareness among employees on the written policies and procedures.
  • Train all employees on the privacy policies and procedures.
  • Mitigate harmful effects caused by the disclosure of PHI or the violation of the policies and procedures.
  • Maintain appropriate administrative, physical and technical safeguards to prevent the intentional or unintentional disclosure of PHI and secure HIPAA database.
  • Employees should be able to complain against the written policies and procedures. The covered entity should be able to clearly state who employees can submit the complaints to.
  • Information and data should be retained 6 years after date of creation or the last effective date.

Tips to protect your HIPAA database

Trying to be HIPAA compliant from scratch can be a difficult thing to do, these tips which have been based on the technical and physical safeguards can help admins and others within your IT security team to create the checklist your organization needs to follow to ensure all the right measures are in place.

1. Use encryption to protect ePHI

Encryption helps secure transmission of ePHI with patients and business associates. It scrambles a text in a readable format to an unreadable one, making sure only authorized parties have access to it. They would be able to decipher or decode the random text with the help of a key.

This can significantly reduce the chance of a breach as it limits unauthorized users from accessing or modifying the data in any way.

How Hexnode helps:

FileVault and BitLocker can be remotely pushed onto the managed devices. Admins can regularly monitor the state of the devices to ensure they stay encrypted at all times.

2. Implement strict access control and verify everyone seeking access to ePHI

Access to the HIPAA database should only be given to those who are required to have them as part of their duties or designation. Access can be controlled by deploying unique passwords or automatically locking the devices after a set interval.

How Hexnode helps:

Hexnode helps IT admins to define strong password rules that restricts users from creating simple, predictable password patterns and remind them to update their passwords at regular intervals. You can define the number of failed attempts a user can make before the device is locked. This stops unauthorized parties from getting their hands on sensitive ePHI present within the devices.

Sometimes an idle computer can be just as dangerous as an unlocked one. Combine the two and you have a data breach just waiting to happen. Admins can automatically lock the devices after they have been idle for a pre-defined time interval. Work containers can be created on personal device of employees and separate passwords can be set within those containers.

3. Maintain appropriate audit control

The least HIPAA mandates organizations to do is to minimize the sharing of ePHI. Access shouldn’t be given to employees unless it has been specifically stated within their job roles.

Maintaining a proper audit trail over your organization’s hardware and software can give your IT admin, compliance team and members of the upper management a clear picture of how ePHI is being processed and by whom.

How Hexnode helps:

Information on the managed devices and the applications employees work with can be obtained via detailed reports. Admins can keep a proper watch over the devices right from the moment it is enrolled to its disenrollment and be immediately notified if a device falls out of compliance.

A corporate wipe or a complete wipe can be initiated on these devices to ensure they stay protected even when they are no longer managed by the organization.

4. Control the use of removable media and external drives

Removable media such as USB drives and other portable hard drives makes it easier for employees to store and transport the data they need to work with.

Though they are used to backup important files and other corporate resources, it’s high time for organizations to limit their usage as they can come with a multitude of risks if not monitored properly. Some of these would include compromised device security and injection of malicious code or malware.

How Hexnode helps:

Hexnode allows the configuration of external drives, internal drives and optical media on macOS devices. Admins could either permit or deny the usage of the media or bring in extra security by authenticating users who use them.

Restrictions can be placed to restrict file transfer via USB, bluetooth, Android Beam etc. Users can even be prevented from copying texts from a secured application to an unsecured one.

5. Implement web content filtering to block access to risky websites

Implementing web content filtering can help organizations address some commonly faced issues such as access to inappropriate content, malware infiltration and loss of productivity. This enables them to have a strict control over what employees share online and greatly limit the chance of a data leakage to occur.

How Hexnode helps:

Enhance data security by blacklisting malicious and unproductive websites and whitelist those required by your organization. The managed devices can also be locked down to function with just a set of whitelisted websites and limit the device’s other functionalities at the same time.

6. Configure Wi-Fi and VPN settings to secure network connectivity

Remote work has redefined the way in which employees can work from anywhere. Though it gives employees and business associates the flexibility to work from a place of their own choosing, having them connect to an unsecure network not approved by your organization can compromise the integrity of the HIPAA database.

It’s a comfy thought to work in your favourite café with a free Wi-Fi on board, but just think about all the risks you’ll be subjecting your organization to with hijacked accounts, phishing attempts and compromised passwords.

How Hexnode helps:

Admins can push policies to devices to ensure they always stay connected to a corporate approved network when accessed remotely. Restrictions can be set to enable users to connect with either Wi-Fi or mobile data.

Data usage of all the applications can be monitored and reports can be generated to keep track of the applications used within the organization. VPN help users to stay secure when using public Wi-Fi by providing them with an encrypted and private browsing session. Hexnode helps admins to configure the VPN settings and have it listed among the number of available networks.

7. Extend protection to lost or stolen devices

Restrictions should be placed in a way that it ensures complete protection of the devices even if they fall under the misfortune of being either lost or stolen. They should at the minimum be locked with a complex password and have encryption enabled to protect all the information being stored and processed within the device.

How Hexnode helps:

As soon as a device is either lost or stolen, admins can restrict unauthorized users from accessing it by remotely locking the device from the UEM portal. A corporate or a full device wipe can be initiated to strengthen the data protection. Other implementations include enabling lost mode, remote ring and monitoring the device location.

8. Update outdated operating systems and applications

Working with an outdated operating system can be incredibly risky. They open doors for all sorts of vulnerabilities to set in and leave IT admins scrambling for adequate support if an issue does crop up. Most vendors stop lending support to older versions of their respective operating systems.

This is done in part to encourage users to update their OS. As IT security continues to evolve, it’s always best to stay updated with all the fixes and security features that come with each release. The same applies for applications as well.

How Hexnode helps:

OS updates can be remotely pushed to the devices from the portal. The updates could either be done automatically, scheduled during inactive hours or postpone for later.

Admins can ensure users always have the right software at their disposal by upgrading and downgrading both enterprise and store applications remotely. App configurations and permissions can be pre-configured to make sure employees do not enable any of the settings not approved by the organization.

Securing HIPAA database with administrative safeguards

“Looking
Looking beyond tools and software
 

Though relying on tools such as a UEM solution help organizations come a long way in becoming HIPAA compliant, there are certain measures organizations and covered entities need to implement on their own to ensure continuity of information security of the ePHI they handle.

Document and implement the required policies and procedures

Make a note of all the requirements your organization would need in improving its security infrastructure. This could include updating the existing password policy and acceptable use policy of your organization’s information systems. Once the policies and procedures have been documented and approved by the upper management, they should be actively implemented by every employee.

Assign appropriate responsibilities

Roles and responsibilities of competent employees who are a part of implementing these policies should be evaluated on a periodic basis. Training should be conducted to make sure they stay updated with the latest industry specific and regulatory requirements.

Monitor and manage risks by conducting a risk analysis

Risk analysis should be an ongoing process. Once the risks have been identified, they should be assessed and treated. It’s not possible to treat every risk you identify. When you come up with a risk that cannot be treated satisfactorily, it should be lowered down to an acceptable level. This can be done by implementing various technical and operational controls.

Provide security awareness training

It’s not enough for employees to just read the policies you have documented. They should play an active part in applying it within their team and in the work they do. Providing awareness training to any updates to HIPAA shouldn’t just be restricted to your IT security team, compliance and legal team.

They should be shared to all employees within the organization. It would be much easier for them to understand and comply with any updates to your organization’s policies if they get a clear picture on the reason behind those updates.

Have procedures in place to manage information security incidents

No matter how robust your policies maybe, there’s always a chance for an information security incident to occur. The key to effectively manage those incidents and minimize the blow of its impact is to have a process or a plan in place that has been properly documented and evaluated. The plan could include:

  • Listing out various types of incidents.
  • How employees should respond to the incidents.
  • How the evidence is to be collected and preserved.
  • Documenting the incident and its outcomes.
  • Evaluating the incident

Ensure data can be easily retrieved and accessed

Strategies should be implemented to make sure ePHI can be accessed even during emergencies such as the occurrence of natural or man-made disasters or cybersecurity attacks.

ePHI should always be available whenever it is needed. Organizations and covered entities should establish policies and procedures to efficiently respond to any incident that could damage the information systems harbouring the ePHI. Some of the implementations that organizations could follow include:

  • Have backups of all important data.
  • Document and test the Disaster Recovery Plan.
  • Analyze critical application and data.
  • Have an Emergency Mode Operation Plan.
  • Follow the Emergency Access Procedure.

Emergency access procedure are operational practices employees need to follow to access ePHI during an emergency situation. Access controls during these circumstances will be different from those used on a daily basis.

Organizations and covered entities should determine the type of information that would require emergency access to ePHI and employees should be given adequate training on how to access ePHI during the emergency.

What else should organizations be aware of?

Recent updates have been made to the HIPAA rule to make it easier for patients to have access to their PHI and decrease the administrative workload on the healthcare organizations and other covered entities. Some of the changes to the HIPAA rule include:

  • Shortening the time for a healthcare provider to respond to a PHI request from an individual to access their own healthcare data from 30 days to 15 days.
  • Permit patients to check PHI on their own.
  • Allow covered entities to charge fees for providing ePHI.

A unified endpoint management solution like Hexnode helps organizations stay HIPAA compliant and minimize the occurrence of a data breach by taking care of every single aspect of the device managed by the organization.

 

Disclaimer: This article and the information in it do not constitute legal advice and is intended to support customers in their compliance efforts.

Share
  •  
  •  
  •  
  •  
  •  

Heather Gray

Technical Blogger @ Hexnode. Reading and writing helps me to stay sane.

Share your thoughts