Mandatory Measures On The Horizon
By Laura Freeman
HIPAA security precautions previously considered optional are likely to soon become mandatory. Once the rules are finalized, getting upgrades in place during the rush to comply could take a while. To avoid a time crunch before the deadline, specialists in HIPAA security are recommending that providers start now by evaluating where they stand and what they will need to do to meet the new security rules.
“Healthcare is the number one target of cyber criminals around the world, and they seem to continue finding new ways to get around the security efforts of hospitals and practices. That’s why HIPAA rules for Electronic Protected Health Information (ePHI) are becoming more stringent,” Ron Shoe, CEO and Chief Cybertechnologist of SIP Oasis, said.
Beyond the regulatory consequences of failing to meet HIPAA requirements, inadequate digital security could cost hospitals and practices millions. A hack that breaches cyber defenses could put financial information at risk of theft and open the door to a ransomware attack. Potentially even more devastating are class action lawsuits if patient identity and financial information or medical records are exposed.
“Insurance is available to offer some degree of protection against ransomware and liability, but for claims to be paid, you’re only as safe as you can prove in a court of law that your data is safe. You have to have evidence that you took all reasonable measures to protect information, and that starts with being able to show you complied with all HIPAA security rules,” Shoe said.
The Notice of Proposed Rulemaking (NPRM) has been posted for comments. Updates are expected to be finalized in a few months, with enforcement coming after an implementation period. As of now, proposed rule changes include mandatory multi-factor authentication, biannual vulnerability scans and annual penetration tests. The changes also call for mandatory encryption of all ePHI, network segmentation, asset and network inventory and log retention.
“It will take some work to implement the updates and confirm that you are in compliance with the new rules, but in the end the changes should put providers in a more defensible position,” Shoe said. “You’ll have a record of your security efforts if you ever need evidence of due diligence.
“The important thing in planning upgrades is to make sure you’re getting advice from someone who has the right expertise. Just as yoga teachers and weight trainers are both in the fitness world but do very different things, there are also different digital specialties. The person who installed your computers may be a wizard at getting printers to work, but they may not know anything about HIPAA rules. You need someone who can determine whether encryption software you’re considering will meet requirements, set up vulnerability scans and penetration tests, and understand what devices should be inventoried and the types of data to be logged.”
With cyber security measures implemented, providers’ digital files are less likely to be hacked in the first place. Keeping data safe is also a matter of mindset and training.
“Around 91 percent of cyber hacks begin with a click on an e-mail, and about 19 percent of people will click on a phishing email,” Shoe said. “All staff with online access should be trained to recognize and avoid them. As AI gets better at spoofing voices, photos and other identifying information, the challenges will likely grow.
“Cyber attacks are becoming a growing part of organized crime, particularly those coming from countries with no extradition agreement. The bad guys are getting better, and to make it even easier for them, ransomware is now available as a service that can be rented with the creator paid a percentage of the money taken from the victim.”
There is always the option of refusing to pay ransom, but it could quickly become even more expensive. In one case, a hacker’s retribution for a provider who wouldn’t or couldn’t pay was to post naked photos of cancer patients online. Lawyers recruited those patients for a class action suit that ended up in a $65 million settlement.
Exposure of patient social security numbers, insurance identification, phone numbers and addresses puts them at risk for fraud and even life-threatening situations. In one case, a woman with a restraining order against a violent man was hiding in another state, but had her address exposed on the dark web because of a medical breach.
Even when insurance covers a provider’s financial losses, there can still be lean months of delays waiting for reimbursements for care to come through while insurance companies and Medicare sort out which claims are real and which are false based on stolen information.
“To fight digital crime, the best strategy is prevention,” Shoe said. “Make it hard for hackers. That means keeping digital security up to date and training staff to be wary and vigilant.”