5 Technological Measures to Prevent HIPAA Violations Caused by Insiders

HIPAA compliance, which protects patient health information (PHI) on physical or electronic media, is essential for healthcare organizations. Failing to comply threatens an organization’s finances through potentially heavy fines (ranging from $100,000 to $16,000,000 in total fines per entity, depending on the nature and gravity of the violation) and its reputation through the broken trust of patients who feel that their information may be in danger.

Failure to comply with HIPAA can be classified as a typical data breach incident, since it involves confidential data being exposed accidentally or maliciously by internal or external factors. However, HIPAA violations show a distinct characteristic in their causes: insider breaches are a major problem in healthcare, yet many insider breaches go undetected. According to the Protected Health Information Data Breach Report by Verizon, 58% of incidents involved insiders; healthcare is the only industry in which internal actors are the biggest threat to an organization.

Insiders in healthcare can be defined as individuals with authorization to access healthcare resources, including electronic medical records, networks, email accounts, or documents containing PHI. Unfortunately, some healthcare insiders are known to be unaware of the HIPAA rules and the repercussions of breaching them. A healthcare survey by Veriphyr, a HIPAA compliance solution developer, found that 35% of healthcare “insiders” had snooped into medical records of fellow employees, and 27% had accessed the medical records of family and friends. Here are some eye-opening, insider-involved HIPAA violations that caused organizations considerable damage.

  1. A health organization was fined $3,000,000 for making ePHI-containing files accessible over the internet without the need for a username or password after it accidentally removed the protection on servers. The ePHI of 62,500 patients was exposed.
  2. A private dermatology clinic group was fined $150,000 and required to implement a corrective action plan for losing an unencrypted USB drive that contained protected ePHI.
  3. A cardiology group paid a $100,000 settlement for disclosing surgical and clinical appointments for patients on a cloud-based, internet-accessible calendar.
  4. A surgeon at UCLA School of Medicine was sentenced to 4 months in prison and fined $2,000 after he illegally accessed the medical records system over 300 times, viewing the ePHI of his colleagues and high-profile celebrities.

These cases show that HIPAA violations caused by insiders happen under the organizations’ noses, without the organizations suspecting anything. In a review of 306 data breaches in healthcare shown to be caused by insiders, 48% were financially motivated, and 31% were motivated by fun or curiosity, according to the Verizon report. Interestingly, another 10% were motivated by convenience. When insiders do something that makes it easier for them to get their work done, it can also put confidential ePHI at risk.

To prevent these insider-caused violations, organizations follow the three safeguards of the HIPAA Security Rule: administrative, physical, and technological. Among the three, technological safeguards are considered the most difficult, which leads organizations to focus on the administrative and physical safeguards instead, for the reasons below.

  1. For healthcare staff, protection of ePHI and other HIPAA-related issues are not as important as their daily routine; they may make unethical or careless choices that lead to HIPAA violations.
  2. IT security gaps in healthcare are difficult to reduce, due to the complex combination of past and future: a large volume of accumulated data, legacy medical or information processing systems, and the implementation of modern technologies.
  3. Following all three safeguards is expensive, and not all organizations can cover the costs, especially smaller, local clinics or other health care businesses. Therefore, organizations may opt to prioritize educating and training the staff about HIPAA and ePHI protection.

Common administrative and physical safeguards include organizations conducting thorough background checks when hiring new staff or contractors, holding periodic training programs to educate their employees about HIPAA and to instruct them to report suspicious activities, or limiting physical access to data points (PCs, mobile devices, medical equipment, and more).

However, there are instances for which these two safeguards cannot fully prepare: employees forgetting the rules, human mistakes, outside influences, and more. Therefore, organizations must look to technological safeguards and implement appropriate measures in addition to the aforementioned administrative and physical safeguards. Identifying the right measures is not easy for any organization, especially the smaller ones. What, then, are the appropriate measures that will help healthcare organizations of all sizes prevent insider-caused HIPAA violations?

  1. Access control to sensitive ePHI – Giving employees minimum privileges is the best way to ensure that no ePHI gets into the hands of individuals who have no need for it. One of the most well-known data security principles, ‘the principle of least privilege’ or PoLP for short, should be the key focus. PoLP involves implementing encryption on folders and files that contain ePHI, meaning that only the people with the correct encryption keys can access those confidential files.
  2. Limiting the usage of sensitive ePHI – In addition to careful control of access to ePHI, organizations must look to integrate the second layer of defense that will ‘stop’ insiders from illegally deleting, copying, or stealing the ePHI while using it. The core data security solution is digital rights management (DRM), a commonly used solution in various organizations and industries. DRM is a response to a potentially critical scenario where trusted employees with access to ePHI turn rogue, whether driven by financial or personal motivation.
  3. Password and authentication management – Organizations must have a solid password policy that dictates specific requirements regarding password difficulty and update frequency. High password difficulty protects ePHI not only from hackers but also from employees who might be snooping around. With the added security of two-factor authentication, organizations can enforce an enhanced password policy.
  4. Monitoring and auditing of employee activities – When employees access and use ePHI, it is difficult to tell whether they are doing so for legitimate reasons or with malicious intent. HIPAA requires organizations to collect system and event logs regarding the actions taken on computer systems like operating systems, office computers, electronic health record (EHR) systems, printers, routers, and more. With the logs in check, organizations can preemptively detect anomalies to prevent insiders from causing HIPAA violations. Furthermore, audits can be performed to maintain the HIPAA-compliant security level and to identify wrongdoers if HIPAA violations have occurred.
  5. Data minimization through destruction – Essentially, less data means less possibility of a HIPAA violation. Organizations can achieve data minimization by enforcing a responsible data destruction policy: if certain ePHI is no longer required, or patients request its deletion, it must be completely deleted. For PHI on electronic media, HIPAA requires more than simple deletion commands or disk formatting: certified data overwriting, disk degaussing, and physical destruction are the three major data destruction methods.
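The monitoring measure in item 4 can be made concrete with a small log review. The following is an added example, not part of the original article: it scans a constructed EHR access log for the snooping patterns described earlier (coworker records, possible family records, and a high volume of records opened without a care relationship). The column names, the surname-match heuristic, and the threshold are assumptions made for this illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed audit-log sample; the column layout is an assumption for this example.
SAMPLE_LOG = """\
time,user,user_surname,patient_id,patient_surname,patient_is_staff,on_care_team
2024-03-04T09:12,nurse01,Lopez,P100,Nguyen,no,yes
2024-03-04T09:40,nurse01,Lopez,P207,Lopez,no,no
2024-03-04T10:05,clerk07,Patel,P311,Kim,yes,no
2024-03-04T10:06,clerk07,Patel,P312,Reed,no,no
2024-03-04T10:07,clerk07,Patel,P313,Shaw,no,no
2024-03-04T10:09,clerk07,Patel,P314,Diaz,no,no
2024-03-04T11:30,dr_chen,Chen,P311,Kim,yes,yes
"""

OFF_TEAM_LIMIT = 3  # assumed threshold: distinct off-care-team patients per user


def review_access_log(log_text, off_team_limit=OFF_TEAM_LIMIT):
    """Return a sorted list of (user, reason, detail) findings for manual review."""
    findings = set()
    off_team = defaultdict(set)  # user -> patients opened without a care relationship
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["on_care_team"] == "yes":
            continue  # documented treatment relationship, nothing to flag
        user, patient = row["user"], row["patient_id"]
        off_team[user].add(patient)
        if row["patient_is_staff"] == "yes":
            findings.add((user, "coworker_record", patient))
        # Heuristic only: a shared surname suggests, but does not prove, a relative.
        if row["user_surname"].lower() == row["patient_surname"].lower():
            findings.add((user, "possible_family_record", patient))
    for user, patients in off_team.items():
        if len(patients) > off_team_limit:
            findings.add((user, "off_team_volume", str(len(patients))))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason, detail in review_access_log(SAMPLE_LOG):
        print(f"{user}: {reason} ({detail})")
```

Findings from a review like this are leads for a privacy officer to check against scheduling and referral data, not proof of a violation.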

Insider-caused HIPAA violations are a clear and present danger for healthcare organizations, and the common approach to tackling this danger has been limited to educating employees or enforcing policies through legal documents. However, when insiders access or use ePHI, their actions are unpredictable and, even worse, wrongdoing may go undetected, under the nose of the organization. Therefore, it is highly recommended that organizations enforce technological measures that will actually ‘stop’ insiders from causing HIPAA violations.

With so many data security solutions available in the market, organizations can find it hard to implement technological measures that fit their needs and requirements. With the five appropriate measures listed above, organizations can set up a HIPAA-compliant data security architecture that can respond to insider threats that may be undetectable and unpredictable.


HIPAA Security and Compliance: Three Safeguards

The Health Insurance Portability and Accountability Act, or HIPAA, is legislation that provides security provisions and data privacy to keep patients’ medical information safe. It came into effect in 1996, but 2005 was when the notion of electronic patient health information, or ePHI, and the protection thereof was introduced. In 2005, HIPAA security rules were laid down in the form of three security safeguards – administrative, physical, and technical – which must be observed for HIPAA compliance. With the data volume and monetary value of ePHI growing exponentially, and cybersecurity issues looming large on a global scale, understanding these safeguards has become mandatory for all companies in the medical and healthcare industries.

What Is the HIPAA Security Rule?

The U.S. Department of Health and Human Services defines the Security Rule as “national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.”

As the medical and healthcare industries – just like any other industry – go electronic in handling PHI for higher efficiency and productivity, the security risks involving ePHI multiply. Therefore, the HIPAA Security Rule was imposed as an extension to the Privacy Rule of the same legislation, stating that all ePHI must be properly secured from unauthorized access, whether the data is at rest or in motion. Furthermore, the fundamentals of the Security Rule are flexibility, scalability, and technology neutrality, to encourage as many companies as possible to improve ePHI protection against various threats from inside and out. Thus companies are allowed adequate time to identify their needs and to adopt new technologies for the betterment of patient care and the safety of ePHI. To comply with the HIPAA Security Rule, companies are required to implement three distinct, yet closely related, types of safeguards that may sound ambiguous at first: administrative, physical, and technical.

Administrative Safeguards

“…administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

The administrative safeguards cover over half of the HIPAA security requirements, focusing on the execution of security practices for the protection of ePHI. The administrative safeguards implement policies that prevent, detect, contain, and correct security violations. Moreover, they should be understood as the foundation of the Security Rule, as companies are better off tailoring their HIPAA security measures around the following five safeguards.

  1. Security management process – identification and analysis of potential risks to ePHI, and subsequent implementation of security measures to reduce or, even better, eliminate those risks to a reasonable and appropriate level.
  2. Security personnel – designation of a qualified individual responsible for the development and implementation of security policies for ePHI security.
  3. Information access management – enforcement of policies and procedures that limit the uses and disclosures of ePHI to a level of “minimum necessary.”
  4. Workforce training and management – provision of training for and management of workforce responsible for handling of ePHI, and appropriate sanctions against violation of the policy and procedures.
  5. Evaluation – periodic assessment of the companies’ ability to meet the HIPAA requirements through the security policies and procedures.

By laying down a solid administrative groundwork for ePHI security and HIPAA compliance, companies can establish organization-wide policies and procedures that dictate data security and the action plan to follow should unexpected breaches occur.

Physical Safeguards

“…physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

From a physician’s home PC to designated data centers for university hospitals, ePHI resides in various electronic assets and media. Physical safeguards are the implementation standards for physical access to information systems, equipment, and facilities:

  1. Facility access and control – limitation of physical access to facilities that contain ePHI, with the exception of authorized access.
  2. Workstation and device security – implementation of policies and procedures regarding workstations and electronic media, in addition to the transfer, removal, disposal, and re-use of them for the appropriate protection of ePHI.

These physical safeguards, combined with the administrative and technical safeguards, work to ensure that ePHI is neither tampered with nor leaked through thousands of devices and assets.

Technical Safeguards

“…the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Perhaps the most talked-about of all, the technical safeguards are the final piece of the HIPAA Security Rule. One of the fundamental concepts of the HIPAA Security Rule is technology neutrality, which means that the rule does not require companies to adopt specific technologies. Thus companies independently identify and satisfy their specific ePHI security needs based on these specific safeguards:

  1. Access control – implementation of technical policies and procedures for access only by authorized personnel.
  2. Audit controls – implementation of technical mechanisms to record and examine access and other activities in systems that contain or use ePHI.
  3. Integrity controls – implementation of policies and procedures, as well as technical measures, to ensure that ePHI is not improperly altered or destroyed.
  4. Transmission security – implementation of technical measures that restrict unauthorized access to ePHI in motion over an electronic network.

Applied to all ePHI, the technical safeguards help companies regulate ePHI access, use, and transmission – in other words, technical safeguards aim to protect ePHI when it is at its most vulnerable. Not limited to mandatory measures specified by governing authorities, companies can implement their own measures suited to their size, industry, ePHI data volume, and so on. With growing concerns about cybersecurity threats, it is no surprise that technical safeguards are extremely crucial for medical and healthcare organizations, as well as cybersecurity companies.

Modern technologies provide efficiency and productivity when handling patient information electronically, and that naturally leads to better care for patients; however, it is a double-edged sword. ePHI keeps growing in volume and value, and it attracts interest not only from companies but also from cybercriminals. Thus the HIPAA Security Rule was enforced to protect sensitive patient information from the inherent security risks of the digital world. However, it is no easy task to meet the requirements of the safeguards, and penalties for HIPAA noncompliance range between $100 and $50,000 per violation. Therefore, companies must make ePHI security a part of their daily routine and continuously monitor the situation to avoid legal consequences.