Smaller healthcare entities have been reluctant to install cybersecurity protection and so they have become the preferred target of ransomware hackers. Healthcare is also a good target for hackers as the entities pay the ransom of Bitcoin very quickly when access to the patient database is blocked and the hackers threaten to delete the patient records. The healthcare entities have to pay twice with a ransomware attack, once to the hackers to release the patient data, and secondly they have to notify the department of Health and Human Services (HHS) of the data breach within 30 days (Rule – 45 CFR §§ 164.400-414), and subsequently pay a fine corresponding to the number of patient records that were breached.

Healthcare entities should have better cybersecurity in place than other businesses as they have to comply with HIPAA security rule data access control requirements. Large entities like hospitals and insurance companies have implemented an excellent project developed by Cisco for compliance with the HIPAA security rule. However the cost of this project implementation is in the range of $250K, out of the reach of smaller entities.

We developed a low cost cybersecurity product five years ago that implemented the HIPAA security rule access control requirements for smaller healthcare entities. We communicated our project information to HHS staff in Washington who agreed with the project scope. However we had to abandon the project as the healthcare entities that evaluated the product decided for various reasons that they did not require additional and complicated cybersecurity.

We urge all smaller healthcare entities to call a cybersecurity consultant who is familiar with the HIPAA security rule and implement the recommendations given, especially with regard to the HIPAA security rule access control requirements.

Although cybersecurity tools that comply with the HIPAA security rule costs money to install and makes the work of staff complicated (2-factor authentication login, etc) it will reduce the risk of a cyber attack. Any entity that has to pay a ransom plus a fine and in additional have work disrupted for several days plus possible life-threatening risks to patients will realize how cheap and easy the HIPAA security rule is to implement and use.

The HIPAA security rule is summarized on the HHS website, open this link.

The healthcare entity IT staff or contractor have to implement the following HIPAA security rules.

• Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
• Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI) (electronic Protected Health Information).
  
  

• Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
• Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
• Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
• Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
  
  

To summarize physical safeguards, some type of access control using thumbprints is indicated to get access to facilities. Workstation access should include the prevention of any software being installed on the device, which means blocking USB ports with a key, and installing software that will prevent the download and installation of software.

To summarize technical safeguards, technical policies and procedures require constant staff training for implementation. Access control and Audit controls require the installation of equipment that requires authentication of a user to permit that user to have access to the computer network where the data is stored. HHS recommends implementing 2-factor authentication of each user, so that an access code is sent to the users phone at login. Audit requires that each user login is recorded and each user logout is recorded. If possible the log should also identify the applications and that the user accessed while logged in. Patient data must be encrypted when send over a data network.

The data network should also have safeguards for the Internet connection with a firewall that prevents entry from the internet, and an outbound filter that permits access to authorized websites only.

Does the implementation of the HIPAA security rule require extra effort on the part of staff to access information. The answer is yes, but the entity needs only one cyber attack to realize the benefit of controlling access to patient data. 

Doctors have said that the HIPAA security rule prevents fast access to information in the case of an emergency. This is not the case as the HIPAA security rule includes a fast emergency access to patient data. The rule also requires that the administrator is immediately informed of the emergency data access and must follow up to verify that the access was legitimate.   

We have spent many man-hours implementing the HIPAA security rule on network access control equipment and can give advice on the requirements for this implementation.

Please contact us if you have any questions.