HIPAA Compliance is Not Enough

The idea of healthcare data security has changed dramatically in the 21 years since the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996.

As explained by Digital Guardian, HIPAA sets the standard for protecting sensitive patient data: any organization that handles protected health information (PHI) must have physical, network, and process security measures in place, and must actually follow them, to be HIPAA compliant.

Is being HIPAA compliant enough?

Perhaps not. According to Protenus, since the start of 2017 there has been a consistent trend of more than one health data breach per day on average. Protenus reported that over 5.5 million patient records were breached in 2017. The report also noted a slight increase in the number of breaches reported compared to 2016: 477 in 2017 versus 450 in 2016. The 2016 figure for affected records, 27,314,647, was roughly five times the 2017 figure, but that spike was driven by several large hacking incidents in mid-2016 rather than by a broader trend.

Hacking has risen significantly and has grown more sophisticated over time. Monitoring access to patient data on a daily basis can reduce the likelihood of a breach and make an attacker's job harder, but it is not a foolproof plan. Nor are outside attackers the only concern: internal activity also has to be tracked so that insider breaches, whether malicious or accidental, can be prevented or caught early.

As reported in the 2017 State of Privacy and Security Awareness Report by MediaPro, based on a survey of more than 1,000 employees across the U.S., 78% of the healthcare workers surveyed lacked data privacy and security preparedness, which points to a lack of training provided to healthcare workers. According to the report, approximately one quarter of the physicians and other direct healthcare providers surveyed showed a lack of phishing email awareness, while 8% of non-provider employees surveyed, including office workers, showed the same gap.

No healthcare organization can guarantee that it will never experience a data breach or a cybersecurity incident. But creating and implementing a comprehensive workforce training and education program, and updating it regularly as threats such as phishing evolve, can help minimize the chances of an incident occurring.

Do you know why HIPAA compliance is not enough?

Most companies say they are “HIPAA compliant”, but many are following only a few of the HIPAA rules and best practices. By now the entire healthcare industry is familiar with the HIPAA regulations and their purpose: to ensure the confidentiality, integrity, and availability of any patient data created, received, maintained, or transmitted, while protecting that data against threats. Yet published reports and news coverage show that data breaches in the healthcare industry have increased, which makes it clear that HIPAA serves as a regulatory baseline for data protection but does not by itself provide comprehensive security against today’s evolving threats.

The rise in breaches is, in part, due to HIPAA’s unclear standards on what counts as appropriate protection for data, and for the devices that store or transmit sensitive data. Because HIPAA’s guidelines are vague, organizations implement controls that are insufficient and do not adequately correlate to the risks their own risk assessments identify. Organizations rarely have the internal expertise and oversight to cover all of HIPAA’s “required” and “addressable” implementation specifications (the latter are often mistaken for optional, but an addressable specification must still be implemented, or a documented equivalent put in place, unless it is shown not to be reasonable and appropriate). HITRUST closes this gap by providing clear, specific standards for data protection.

The HITRUST CSF (Health Information Trust Alliance Common Security Framework) was developed in collaboration with healthcare industry stakeholders to address their requirements. It helps organizations by providing an efficient framework for logical and physical security that goes beyond HIPAA compliance. The HITRUST CSF harmonizes requirements from HIPAA and other data protection frameworks into a single set of controls, with the aim of removing inconsistencies between them. HIPAA is a regulation that must be followed thoroughly and cannot be ignored, but HITRUST provides a prescriptive approach to actually meeting HIPAA’s security requirements.

To learn more about HIPAA/HITRUST Certification, please visit https://www.cautelalabs.com/.