What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It requires the Secretary of the U.S. Department of Health and Human Services to develop regulations that ensure the privacy and security of certain health information. Currently, two rules under the HIPAA act address these regulations: the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule
The Privacy Rule is also known collectively as the Standards for Privacy of Individually Identifiable Health Information. Its purpose is to establish national standards that regulate the protection and privacy of certain health information, including medical records and other personal health information. It gives patients the right to privacy of their health information, as well as the right to view and obtain a copy of their records and to request corrections to those records.
The Security Rule
The HIPAA Security Rule establishes the regulations and standards for patients’ electronic records. Specifically, it requires that patients’ electronic records be fully secured against any illegal or unauthorized seizure or interception while they are being stored or transferred. It states that proper administrative, physical, and technical safeguards must be in place to protect the integrity, confidentiality, and security of these records.
If left unsecured, computer networks and the information transferred within them can be vulnerable to a variety of hacks, interceptions, and other cyber threats. Some of these include:
- SQL Injection - a server-side attack in which malicious input reaches the application's SQL server and gains access to the data or systems behind it.
- XML Injection - a server-side attack that injects XML tags and data into a database.
- DoS (Denial of Service) - an attack that overwhelms a system with requests to prevent it from functioning.
- Man-in-the-Middle - intercepting legitimate communication and forging false information back to the sender.
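To make the first item concrete, here is an added example (not code from the original article) showing a patient-record lookup written two ways against a constructed SQLite table: one that concatenates user input into the query text, which is what SQL injection exploits, and one that passes the input as a bound parameter so the database treats it strictly as data. The table contents, the patient ID format `P` followed by three digits, and the function names are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration; no real patient data.
SAMPLE_ROWS = [
    ("P001", "Ada Lovelace", "Dr. Gray"),
    ("P002", "Charles Babbage", "Dr. Patel"),
    ("P003", "Grace Hopper", "Dr. Gray"),
]

# Assumed ID format for this example: the letter P and three digits.
PATIENT_ID_PATTERN = re.compile(r"P\d{3}")


def make_db():
    """Build an in-memory records table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (patient_id TEXT, name TEXT, physician TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, patient_id):
    """Vulnerable form: the caller's input becomes part of the SQL text.

    A value such as  ' OR '1'='1  changes the WHERE clause so that every
    record matches, exposing all patient rows instead of one.
    """
    query = f"SELECT patient_id, name FROM records WHERE patient_id = '{patient_id}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, patient_id):
    """Hardened form: a parameterized query.

    The driver sends the value separately from the statement, so quotes
    or SQL keywords inside it can never alter the query's structure.
    """
    return conn.execute(
        "SELECT patient_id, name FROM records WHERE patient_id = ?",
        (patient_id,),
    ).fetchall()


def validate_patient_id(patient_id):
    """Defense in depth: reject input that does not look like an ID at all."""
    return PATIENT_ID_PATTERN.fullmatch(patient_id) is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("vulnerable, normal input:", lookup_vulnerable(db, "P001"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, crafted))
    print("hardened, crafted input:  ", lookup_hardened(db, crafted))
    print("input passes validation:  ", validate_patient_id(crafted))
```

Running the block shows the vulnerable lookup returning all three rows for the crafted input while the parameterized lookup returns nothing, which is the behaviour a HIPAA-covered application needs: the database only ever sees the ID as a value to compare, never as SQL. Validating the ID format before the query is a second, independent layer, not a substitute for parameterization.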
There are several measures that medical offices, facilities, and computer repair businesses can take to minimize risk and maximize data security:
- Staying up to date with the latest measures in network security. Make sure that the newest patches are downloaded and installed, that virus definitions are regularly updated, and that firewalls are updated as well.
- Making sure that all staff, security, and other personnel take network security seriously. The IT department should be placed in charge of training staff on the proper security measures for handling sensitive medical information.
- Ensuring the implementation of the principle of least privilege. Use group policies and grant the file permissions to access, read, and edit the files only to authorized personnel.
- In areas where there is public access and cloud or WiFi service, make sure that there is separate access for BYOD clients; all other access needs to be encrypted, hidden from public view, and protected with WPA2 security measures to ensure the highest level of security and encryption.
- Restrict physical access to areas where medical files are kept and stored; also restrict physical access to servers. This can be done with a combination of biometrics, mantraps, and the use of physical tokens or proximity readers.
- Catalog all hardware, software, and network equipment that interact with medical files. This will help to quickly identify what equipment has been compromised before any damage can become widespread.
- Establish a chain of trust among office personnel. Again, this entails providing certain access and permissions only to personnel who have been identified as trustworthy custodians of this information.
- Demand that any vendors, clients, and stakeholders understand the importance of HIPAA security standards.
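The least-privilege and chain-of-trust items above are easiest to keep honest with a periodic check that compares what each account can actually do against what its role is supposed to need. The following is an added example written for this page, not the article's own code or a product's API: it models a role baseline, decides each access request with deny-by-default and writes every decision to an audit log, and reports accounts whose direct file grants drift beyond their role. The roles, permission names, and accounts are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed role baseline (assumed for this example): each role lists only
# the actions it needs on patient records. Roles not listed here get nothing.
ROLE_BASELINE = {
    "physician": {"read", "edit"},
    "nurse": {"read"},
    "front_desk": {"read_schedule"},
    "it_admin": set(),  # maintains the systems; needs no access to record contents
}


@dataclass
class Account:
    user: str
    role: str
    # Permissions set directly on the files, outside the role's group policy.
    direct_grants: set = field(default_factory=set)


def effective_permissions(acct):
    """Role baseline plus any direct grants; an unknown role contributes nothing."""
    return ROLE_BASELINE.get(acct.role, set()) | acct.direct_grants


def check_access(acct, action, audit_log):
    """Decide one request and record it whether it was allowed or denied."""
    allowed = action in effective_permissions(acct)
    audit_log.append(
        f"user={acct.user} role={acct.role} action={action} "
        f"result={'ALLOW' if allowed else 'DENY'}"
    )
    return allowed


def find_least_privilege_drift(accounts):
    """Report accounts with grants beyond their role baseline, or with an unknown role.

    Returns a mapping of user -> list of findings, empty when everything is clean.
    """
    findings = {}
    for acct in accounts:
        if acct.role not in ROLE_BASELINE:
            findings[acct.user] = ["unknown role: " + acct.role]
            continue
        excess = sorted(acct.direct_grants - ROLE_BASELINE[acct.role])
        if excess:
            findings[acct.user] = excess
    return findings


# Constructed accounts for the demonstration.
ACCOUNTS = [
    Account("dgray", "physician"),
    Account("nlee", "nurse", direct_grants={"edit"}),      # edit added directly on the folder
    Account("jsmith", "it_admin", direct_grants={"read"}),  # admin given read "for troubleshooting"
    Account("temp01", "contractor"),                        # role never defined in the baseline
]

if __name__ == "__main__":
    log = []
    for account in ACCOUNTS:
        check_access(account, "edit", log)
    print("\n".join(log))
    print("drift:", find_least_privilege_drift(ACCOUNTS))
```

Two design points carry the weight here. Access is denied unless the role baseline or an explicit grant allows it, so a new or mislabelled account cannot read records by accident, and every decision is logged, which is what lets an office answer "who touched this record" after an incident. The drift report turns the principle into a routine check: anything it lists is either an exception that should be documented and time-limited, or a grant that should be removed.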
By following these measures, medical offices can ensure network security and HIPAA compliance.