HIPAA technical safeguards mainly address technical controls that organizations should implement to protect ePHI. Let’s look into those HIPAA requirements and how to address them
Protecting electronic Protected Health Information (ePHI) is an imperative responsibility for any organization entrusted with its management. The HIPAA Security Rule requires organizations to protect ePHI with administrative, technical, and physical safeguards.
Previously, we provided an overview of the HIPAA administrative and physical safeguard requirements in our blog posts. In this article, we are walking through the technical safeguards of the HIPAA Security Rule.
The Security Rule (§ 164.304) defines technical safeguards as “the technology and the policy and procedures for its use that protect ePHI and control access to it.” In short, the HIPAA technical safeguards include the following controls:
Thus, to secure electronic data and comply with HIPAA regulations, covered entities should utilize these security measures and apply them to their technologies and business processes. It is up to the organization to decide how to address these requirements.
Carefully regulating access to ePHI is the duty of every HIPAA-covered entity and business associate. To this end, the HIPAA Security Rule requires implementing technical policies and procedures to ensure that only authorized individuals or services are granted access rights. The access control requirements include several specifications:
Unique user identification. Organizations must assign a unique username and account ID for each workforce member to access the network and various systems. This ensures that every action your workforce members take on the network, from logging in to accessing files, can be traced back to their identity. It helps maintain accountability and security by preventing the use of shared or group accounts, which could lead to unauthorized access or difficulties in tracking user activities.
Emergency access procedure. Establish procedures for obtaining access to ePHI in case of an emergency. Ensure the procedures clearly identify plans and roles within the plan.
Automatic logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. Configure idle session timeouts on all systems and applications, including workstations. Although HIPAA doesn’t specify a precise duration for idle sessions, the best security practice is to configure the timeout after 15 minutes or less.
Encryption and decryption. Implement strong and reliable mechanisms, such as AES-256, to encrypt and decrypt all ePHI stored. This should include databases, mass storage, workstations, servers, etc. Unencrypted ePHI is vulnerable to unauthorized access that may result in data breaches. It is also important to establish procedures for managing encryption keys. For example, if an encryption key is lost or corrupted, the organization may lose access to valuable data.
More about the access controls read in one of our articles Reinforce the Weakest Security Link with Access Controls.
HIPAA technical safeguards also include implementing mechanisms that record and examine information system activity. All systems that store and process ePHI must be audited. For this, implement a logging policy to ensure that all access to ePHI is logged. Apply an automated detection of suspicious events solutions that include Security Information and Event Management (SIEM), host-based and network-based Intrusion Detection and Prevention Systems (IDPS), and File Integrity Monitoring (FIM).
It is important to set up event alerts to notify appropriate staff when event monitoring tools detect events that require investigations or corrective actions.
Ensuring data integrity under the HIPAA Security Rule means implementing policies and procedures to protect ePHI from improper alteration or destruction in an unauthorized manner. For this, perform regular risk assessments to address the risk of unauthorized or unintentional destruction or alteration of data. Implement mitigating controls like checksum verifications, digital signatures, monitoring and alerting, data backups, etc.
Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. These include implementing strong authentication for any access to ePHI, so configure all your systems to require authentication prior to displaying any data.
One of the most robust security mechanisms used to confirm the identity of an individual is multi-factor authentication (MFA). Therefore, enforce MFA on all externally accessible systems that store, process, or transmit ePHI. By enabling MFA, you provide a combination of two or more authenticators to verify the user’s identity before providing access. In short, MFA works by requiring two or more of the following authentication methods:
Enabling MFA minimizes the chances your ePHI would fall into the wrong hands.
Transmission security safeguards protect ePHI that is being transmitted over an electronic communications network. HIPAA Security Rule provides the following requirements for this:
Integrity controls. Implement security measures to ensure that ePHI is not modified without detection. For this, use secure transmission protocols that provide integrity protection, such as HTTPS, SFTP, etc., on all connections where ePHI is transmitted.
Encryption. Implement secure encryption protocols on all internal and external connections where PHI is transmitted. Ensure that only secure versions of protocols (e.g., TLS 1.2, AES-256) are used.
Train your employees on the importance of utilizing approved secure communication methods when transmitting ePHI. Deploy security tools like Data Loss Prevention (DLP) to regulate data flows and deter the use of insecure channels. Ensure robust authentication and encryption for your wireless network. At a minimum, employ the WPA2 protocol, and ideally, require all wireless users to authenticate through the 802.1X protocol against a user directory.
Planet 9, a San Francisco Bay Area-based organization, employs seasoned professionals with years of experience working in the healthcare industry who can help with addressing all HIPAA requirements. A typical approach consists of the following process:
Depending on the client’s internal resources’ expertise and availability, Planet 9 can implement the entire road map, position the client to execute the road map on their own or supplement the clients’ team.
You can also utilize the Planet 9 HIPAA Vitals application. The HIPAA Vitals assessment is based on several reputable sources including the Office of Civil Rights (OCR) Audit Protocol, NIST 800-66 Rev. 1, HIPAA Security Series issued by the Department of Health and Human Services (DHHS), and years of experience implementing HIPAA requirements in different organizations by our professionals. The assessment scope is driven by the technical profile and other factors specific to the organization.
To stay updated on the recent cybersecurity and compliance-related topics, keep reading our blog. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!