HIPAA Compliance in the Cybersecurity Age

Healthcare organizations face tough challenges regarding data security. They must abide by the mandates of HIPAA when dealing with protected health information (PHI).

However, HIPAA laws were established long before the age of cybersecurity, meaning they may not always provide the best safeguards.

In fact, the College of Healthcare Information Management Executives (CHIME) relayed to Congress that HIPAA rules aren’t enough to prevent data breaches.

In certain situations, they actually reduce cybersecurity defenses.

Healthcare is an attractive target for cybercriminals

The reality is that healthcare continues to be a prime target for cybercriminals. Approximately 15% of all data breaches in 2019 involved healthcare. Further, the estimated losses for the industry in 2019 were $25 billion.

With so many cyber-attacks occurring, including a vast increase in ransomware attacks, healthcare organizations are faced with massive problems related to cybersecurity.

How can they keep up and maintain HIPAA compliance?

Interoperability push could infringe upon compliance

The use of technology to promote data sharing is essential in the modern world.

While it has provided many conveniences and improved the accessibility and portability of data, it has also caused challenges. Those challenges mostly involve added costs and added burden on clinicians.

There has been a significant push for interoperability by the U.S. Department of Health and Human Services (HHS) with new proposed rules submitted. These rules are supposed to spur innovation and competition by allowing patients and providers easier access to health information.

But what are the implications for HIPAA compliance?

Most healthcare organizations are able to comply with the mandates of HIPAA regarding the collection, storage, and sharing of data. As interoperability becomes a bigger focus, it could infringe upon compliance measures.

Worse yet, satisfying the demand for access while remaining HIPAA compliant does not equate to being protected from cybercrime.

Does HIPAA strengthen cybersecurity?

If you’re HIPAA compliant, then you probably have a robust cybersecurity program, right? Not necessarily.

There isn’t a direct correlation between achieving compliance and being cybersecurity-aware. HIPAA has very specific requirements, and following them is not enough.

It’s a good first step, but it’s not going to provide comprehensive cybersecurity, especially considering that healthcare data now extends far beyond health information systems.

Now, healthcare information is part of the Big Data revolution and exists in a range of different digital ecosystems.

While much sharing of healthcare big data includes de-identified records, this doesn’t remove risk. Risk is still inherent when dealing with PHI, and there are so many ways “in” for cybercriminals.

Why HIPAA rules aren’t enough to combat cybercrime

HIPAA compliance requires a lot of resources, policies, and procedures.

What HIPAA actually requires does not necessarily align with cybersecurity best practices. As organizations put more emphasis on compliance and interoperability, they may not be able to give cybersecurity the same attention.

Many experts are also concerned about how the Office for Civil Rights (OCR) handles enforcement.

When a breach occurs and an audit ensues, the OCR seems more invested in punishing the entity than in helping the organization learn from the incident and prevent the next one.

The OCR may assume that, post-incident, an entity will be better prepared to safeguard PHI, but in reality, without support, it may find itself in a situation that makes protecting data even harder.

Cybersecurity supports compliance

Healthcare organizations shouldn’t look at cybersecurity and compliance as separate elements, but rather as two concepts running parallel to one another. A strong cybersecurity program supports compliance.

The industry should develop a holistic approach to healthcare security to include administrative, physical, and technical safeguards.

As a healthcare entity, you can’t afford to neglect either cybersecurity or compliance, so it’s critical to pair them within a secure network that protects your patients and your reputation.

Need help with compliance and cybersecurity? Contact us today to learn more.