What you need to know about protecting sensitive healthcare information
One of the most reassuring aspects of visiting your doctor or healthcare provider is knowing that everything you discuss is confidential. You have questions about that itchy rash on your back? It stays between you and your doctor. Want to discuss hair loss or weight gain? That conversation never leaves the exam room.
But what happens when your medical records are disclosed without your knowledge?
The Concerning Reality of Medical Record Breaches
It happens more often than you might think. According to the HIPAA Journal, medical record breaches are reported every month and the numbers keep rising. In May 2022 alone, more than 4.4 million people had their records exposed or stolen, almost 40% above the monthly average for the preceding year. Most of those records were taken in hacking and IT incidents in which network servers and email accounts were compromised.
Healthcare systems have large attack surfaces, and a full medical record is a treasure trove of identifying information: full name, date and place of birth, Social Security number, physical and email addresses, and, where billing data is held alongside the chart, payment card details. A complete record can net as much as $1,000 on criminal markets, which makes healthcare systems enticing targets.
Another cause for concern is that healthcare organizations lag behind other industries in cybersecurity preparedness. In a comprehensive review of medical cybersecurity, The Brookings Institution reports that the healthcare industry takes an average of 235 days to detect a breach and a further 93 days to contain the damage. The financial impact is severe: the average cost of a data breach in the sector is more than $9.2 million.
HIPAA Access Control Policy Provides a Security Framework
What can healthcare organizations do to tighten up security and safeguard sensitive, protected personal and health information? It starts with the HIPAA Security Rule and its technical safeguards.
What Does the HIPAA Security Rule Protect?
Think about visiting the doctor. When you arrive, you check in with a receptionist. They verify your name, birth date, mailing address, and payment information, and they may also process your copay using your credit card. Next, a medical assistant or nurse comes in and takes your vitals and health history, which they enter into your electronic medical record via a tablet or computer. Then, when you see the doctor, they type notes and treatment plans into your medical record. Finally, when you leave, you check out with another person who also accesses your record to schedule future appointments and print a visit summary. In a single visit, at least four different people accessed your medical records.
Protecting your data during this kind of routine, multi-person access is just one of the many situations HIPAA access control is meant to address. The HIPAA Security Rule sets standards for protecting electronic protected health information (ePHI) at three levels: administrative safeguards (policies, workforce training, risk analysis), physical safeguards (facility and device controls), and technical safeguards (the controls built into the systems themselves).
Compliance with HIPAA Technical Safeguards
Flowing from the HIPAA Security Rule, the technical safeguards (45 CFR 164.312) cover the technology, policies, and procedures that protect electronic medical records. The rule is technology-neutral: it states what each safeguard must achieve and leaves the choice of products and mechanisms to the organization. Note the distinction between "required" implementation specifications, which must be implemented as written, and "addressable" ones, which must either be implemented or, after a documented risk assessment, replaced with an equivalent alternative measure. Addressable does not mean optional. Three of the standards that do the most to raise the security baseline are Person or Entity Authentication, Access Control, and Audit Controls.
HIPAA Multi-Factor Authentication
We’ve already seen how often healthcare providers access records during routine visits. It sounds obvious, but this is why it’s critical to ensure that the people or entities seeking access to records have the right to do so.
Person or Entity Authentication does just that: it requires the organization to verify that a person or system seeking access to ePHI is who or what it claims to be. The usual starting point is a username and password, but passwords are routinely phished, reused across sites, and leaked in other organizations' breaches, so a password on its own is a weak proof of identity.
Multi-factor authentication (MFA) is the practical answer. Two-factor authentication (2FA) is the most common form of MFA, combining two factors of different kinds, typically something the user knows (a password) with something they have (a phone app, hardware token, or smart card) or something they are (a fingerprint). The Security Rule does not name MFA explicitly, but it is the standard way to meet the authentication requirement with a defensible level of assurance. In practice, a physician signs in with a username and password and then confirms a second factor, such as a one-time code from an authenticator app, before the record opens.
The value of the second factor is that a stolen password is no longer enough: an attacker holding a valid username and password still cannot reach protected health information (PHI) without the physician's device. Two caveats for the person choosing the mechanism: one-time codes sent by SMS or typed into a login page can still be phished and relayed in real time, so hardware-backed, phishing-resistant factors such as FIDO2 security keys are the stronger choice for high-risk accounts, and the enrollment and recovery flows (how a user gets a new second factor when a phone is lost) need the same scrutiny as the login itself, because attackers target the weakest path. MFA helps with compliance, but it is first of all good sense for any organization that holds medical records.
HIPAA Access Controls
Authenticating a user is only the first step toward meeting the technical safeguards. The Access Control standard itself carries several implementation specifications: Unique User Identification and Emergency Access Procedure are required, while Automatic Logoff and Encryption and Decryption are addressable. The two that matter most for day-to-day clinical access are Unique User Identification and Automatic Logoff.
Unique User Identification
A Unique User ID is a name or number assigned to exactly one person (often called a "Logon Name" or "User ID") so that every logon and every action on ePHI can be traced back to that individual. The ID on its own does not prove who is at the keyboard; that is the job of authentication. Its job is attribution: when the audit log says a chart was opened, the entry names one accountable person rather than "the front-desk account."
That attribution only holds if shared logins and passwords are eliminated. A generic "nurse" account used by a whole ward cannot be tied to anyone, cannot be disabled when one member of staff leaves, and makes a compromised password invisible, because the activity looks like normal use. Unique IDs do not by themselves stop a threat actor, internal or external, from stealing a credential, but they make the misuse detectable and attributable.
Security solutions like UserLock build on the unique ID by allowing or denying each logon based on context: the user's location, the workstation or device used, the time of day, and how many sessions the same ID already has open. A stolen credential that is only honored from a permitted clinical workstation during the user's shift is far less useful to an attacker dialing in from elsewhere.
Automatic Logoff terminates a user's session after a set period of inactivity. IS Decisions research has found that 62% of healthcare workers are not automatically logged off the network after a period of inactivity, which is compelling evidence that logoff should not be left to the user to remember. An exam-room workstation left signed in is an open chart for whoever walks in next, and every action taken on it is attributed to the absent user's unique ID.
Automatic logoff closes that window by ending the session on an inactive workstation or device; the timeout should be short for shared clinical machines and can be longer for a locked office. With UserLock, IT admins can enforce both Unique User Identification and Automatic Logoff from one place.
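The contextual logon checks and the automatic logoff described in the two preceding sections, as one added example in Python. This is illustrative code written for this page, not UserLock's implementation or its policy format; the policy fields, workstation names, addresses and the `clock` helper are all constructed for the example. A session manager evaluates a per-user policy (permitted workstations, source networks, hours, concurrent-session limit) before granting a logon, records every decision in an audit list, and terminates sessions that have been idle longer than the policy allows.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessPolicy:
    allowed_workstations: frozenset            # machine names this account may log on from
    allowed_networks: Tuple[str, ...]          # CIDR ranges, e.g. the clinical VLAN
    work_hours: Tuple[time, time]              # local window [start, end) for interactive logon
    max_concurrent: int = 1                    # one live session per user ID
    idle_timeout: timedelta = timedelta(minutes=10)


@dataclass
class Session:
    user: str
    workstation: str
    started: datetime
    last_activity: datetime


class SessionManager:
    def __init__(self, policies: Dict[str, AccessPolicy]):
        self.policies = policies
        self.sessions: Dict[str, Session] = {}
        self.audit: List[str] = []      # every decision, granted or denied, lands here
        self._next_id = 1

    def _log(self, when: datetime, event: str, user: str, detail: str) -> None:
        self.audit.append(f"{when.isoformat()} {event} user={user} {detail}")

    def _check_policy(self, user: str, workstation: str, src_ip: str, now: datetime) -> Optional[str]:
        """Return a denial reason, or None if the contextual checks pass."""
        policy = self.policies.get(user)
        if policy is None:
            return "no access policy for user"
        if workstation not in policy.allowed_workstations:
            return f"workstation {workstation} not permitted"
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in ipaddress.ip_network(net) for net in policy.allowed_networks):
            return f"source address {src_ip} outside permitted networks"
        start, end = policy.work_hours
        if not (start <= now.time() < end):
            return "outside permitted hours"
        return None

    def logon(self, user: str, workstation: str, src_ip: str, now: datetime) -> Tuple[Optional[str], str]:
        """Return (session_id, 'granted') or (None, reason)."""
        reason = self._check_policy(user, workstation, src_ip, now)
        if reason is None:
            self.reap_idle(now)   # stale sessions must not count against the limit
            live = sum(1 for s in self.sessions.values() if s.user == user)
            if live >= self.policies[user].max_concurrent:
                reason = "concurrent session limit reached"
        if reason is not None:
            self._log(now, "LOGON_DENIED", user, f"ws={workstation} ip={src_ip} reason={reason!r}")
            return None, reason
        sid = f"s{self._next_id}"
        self._next_id += 1
        self.sessions[sid] = Session(user, workstation, now, now)
        self._log(now, "LOGON", user, f"ws={workstation} ip={src_ip} session={sid}")
        return sid, "granted"

    def touch(self, sid: str, now: datetime) -> bool:
        """Record user activity; False means the session had already idle-expired."""
        self.reap_idle(now)
        session = self.sessions.get(sid)
        if session is None:
            return False
        session.last_activity = now
        return True

    def reap_idle(self, now: datetime) -> List[str]:
        """Automatic logoff: end every session idle for at least its policy's timeout."""
        expired = [sid for sid, s in self.sessions.items()
                   if now - s.last_activity >= self.policies[s.user].idle_timeout]
        for sid in expired:
            s = self.sessions.pop(sid)
            self._log(now, "AUTO_LOGOFF", s.user, f"ws={s.workstation} session={sid}")
        return expired


# Constructed policy for the example: a nurse may sign in only from the two ward
# workstations, only from the 10.20.0.0/16 clinical network, and only 07:00-19:00.
POLICIES = {
    "nurse.chen": AccessPolicy(
        allowed_workstations=frozenset({"WS-NURSE-01", "WS-NURSE-02"}),
        allowed_networks=("10.20.0.0/16",),
        work_hours=(time(7, 0), time(19, 0)),
    ),
}


def clock(hour: int, minute: int) -> datetime:
    """Constructed helper: a fixed date so the example is deterministic."""
    return datetime(2024, 3, 4, hour, minute)


if __name__ == "__main__":
    mgr = SessionManager(POLICIES)
    sid, _ = mgr.logon("nurse.chen", "WS-NURSE-01", "10.20.3.7", clock(8, 0))
    mgr.logon("nurse.chen", "WS-LOBBY", "10.20.3.7", clock(8, 1))          # denied: workstation
    mgr.touch(sid, clock(8, 9))
    print(mgr.touch(sid, clock(8, 19)))                                     # False: auto-logoff at 10 min idle
    print("\n".join(mgr.audit))
```

Two design points worth copying: idle sessions are reaped before the concurrent-session count is taken, so a user who walked away from one workstation is not locked out of the next, and a denied logon is audited with the same detail as a granted one, because the denials are where a stolen credential first shows up.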
HIPAA Audit Controls
Audit Controls exist to record and examine activity in systems that hold electronic protected health information (ePHI). For example, UserLock records, centralizes, and audits network logons. Two things make such a log useful rather than merely present. First, each entry must name a unique user ID, workstation, source address, time, and outcome (granted or denied), so that the log can be reviewed after a breach to reconstruct who accessed what, and to support IT forensics. Second, the log itself must be protected: stored where the accounts it monitors cannot edit or delete it, and retained long enough to cover the detection times cited above. Audit Controls do not confirm a user's identity; authentication does that. What they add is accountability: with every action tied to one person, a stolen credential, a shared account, or an insider reading charts they have no reason to open shows up as a pattern that can be alerted on and answered for.
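What reviewing a logon audit trail looks like in practice, as an added example in Python that is not part of the original article and not UserLock's own output or format. The log lines are constructed for the example (the field layout is assumed). Three checks are run over them: a user ID logging on at a second workstation while still logged on at the first (the signature of a shared or stolen credential), a burst of failed logons against one account (password guessing), and a successful logon outside working hours.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log; the line format is assumed for this example.
SAMPLE_LOG = """\
2024-03-04T07:58:12 LOGON user=nurse.chen ws=WS-NURSE-01 ip=10.20.3.7 result=success
2024-03-04T08:02:40 LOGON user=dr.rivera ws=WS-EXAM-03 ip=10.20.4.21 result=success
2024-03-04T08:15:05 LOGON user=nurse.chen ws=WS-NURSE-02 ip=10.20.3.9 result=success
2024-03-04T08:20:00 LOGOFF user=nurse.chen ws=WS-NURSE-01 ip=10.20.3.7 result=success
2024-03-04T08:21:10 LOGON user=billing.kim ws=WS-FRONT-01 ip=10.20.1.5 result=failure
2024-03-04T08:21:14 LOGON user=billing.kim ws=WS-FRONT-01 ip=10.20.1.5 result=failure
2024-03-04T08:21:19 LOGON user=billing.kim ws=WS-FRONT-01 ip=10.20.1.5 result=failure
2024-03-04T08:21:25 LOGON user=billing.kim ws=WS-FRONT-01 ip=10.20.1.5 result=failure
2024-03-04T08:21:31 LOGON user=billing.kim ws=WS-FRONT-01 ip=10.20.1.5 result=failure
2024-03-04T23:40:02 LOGON user=dr.rivera ws=WS-EXAM-03 ip=10.20.4.21 result=success
"""

LINE_RE = re.compile(
    r"^(\S+) (LOGON|LOGOFF) user=(\S+) ws=(\S+) ip=(\S+) result=(success|failure)$")


def parse(log_text: str) -> List[dict]:
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # in production, unparseable lines are themselves worth an alert
        ts, kind, user, ws, ip, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "user": user,
                       "ws": ws, "ip": ip, "ok": result == "success"})
    return events


def review(log_text: str, work_hours=(7, 19), fail_threshold: int = 5,
           fail_window: timedelta = timedelta(seconds=60)) -> List[Dict[str, str]]:
    """Run the three detections over the log and return findings in time order."""
    findings: List[Dict[str, str]] = []
    active: Dict[str, Dict[str, datetime]] = defaultdict(dict)   # user -> {workstation: logon time}
    failures: Dict[str, deque] = defaultdict(deque)              # user -> recent failure times

    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        user, ws, ts = ev["user"], ev["ws"], ev["ts"]
        if ev["kind"] == "LOGOFF":
            active[user].pop(ws, None)
            continue
        if not ev["ok"]:
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > fail_window:
                q.popleft()
            if len(q) >= fail_threshold:
                findings.append({"rule": "failed_logon_burst", "user": user, "when": ts.isoformat(),
                                 "detail": f"{len(q)} failures within {fail_window.seconds}s from {ws}"})
                q.clear()   # report each burst once
            continue
        # Successful logon: one unique ID should not be live at two workstations at once.
        others = [w for w in active[user] if w != ws]
        if others:
            findings.append({"rule": "concurrent_sessions", "user": user, "when": ts.isoformat(),
                             "detail": f"logon at {ws} while still logged on at {', '.join(others)}"})
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append({"rule": "after_hours_logon", "user": user, "when": ts.isoformat(),
                             "detail": f"successful logon at {ws} outside {work_hours[0]:02d}:00-{work_hours[1]:02d}:00"})
        active[user][ws] = ts
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['when']}  {f['rule']:<20} {f['user']:<12} {f['detail']}")
```

The concurrent-session rule only works because each line carries a unique user ID and a workstation; against a shared "frontdesk" account the same pattern is indistinguishable from normal use, which is the practical link between Unique User Identification and Audit Controls.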
Get HIPAA Compliant With MFA and Access Management
With the rise in medical data breaches and the high price this stolen data brings, it’s clear that meeting HIPAA MFA, access management, and audit controls should be a priority for every healthcare organization. Security solutions like UserLock MFA provide the technical expertise necessary to implement important components of these standards to secure protected health information.