
A Guide to HIPAA Compliance


How iStorage can help

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for patient data protection in the United States. HIPAA applies primarily to covered entities: health plans, healthcare clearinghouses and healthcare providers that transmit health information electronically. It also applies to business associates, meaning any person or business that provides a service, function or activity for a covered entity and in doing so has access to protected health information (PHI) maintained by the covered entity. Business associates can include lawyers, accountants or cloud service providers (CSPs), as long as they create, receive, maintain or transmit PHI on the covered entity's behalf.

Compliance is easier said than done. Healthcare institutions collect a vast and ever-growing amount of data, including patient records, health card numbers and radiologic images. Protecting all of it is challenging for large institutions that share data with remote employees, with other departments or with other organisations. Many lack centralised management of systems and data, and so lack full visibility and control of that data. As a result, healthcare organisations face a looming threat of non-compliance. Common HIPAA breaches include unauthorised disclosure and misuse of patient records, disclosing more than the minimum necessary PHI to third parties, and a lack of administrative or technical safeguards for PHI.

To ensure adherence to the various HIPAA rules, health organisations must have appropriate administrative, physical and technical safeguards in place to protect PHI at rest and in transit, and to prevent and detect unauthorised access to PHI. At iStorage, we have designed and developed our products and solutions to assist our clients in the healthcare sector in meeting industry regulatory standards.

The importance of encryption

To understand the importance of encryption, it is essential to first understand the value of PHI. Unlike credit card numbers or social security numbers, PHI, which is made up of a person's health history, cannot be changed once exposed. As a result, PHI sells for as much as US$363 on the black market, compared to US$1-$2 for credit card information and other PII. It is not surprising, then, that the number of people affected by health data breaches rose by 80 per cent from 2017 to 2019*. IBM's Data Breach Report found that healthcare is the most expensive industry for a data breach, at USD 6.45 million per incident.

Data encryption renders stored and transmitted data unreadable and unusable in the event of theft, so encrypted PHI that falls into an attacker's hands is of no use without the key. Under HHS guidance, PHI encrypted in line with NIST recommendations is treated as secured, so the loss or theft of an encrypted USB flash drive or hard disk drive does not trigger breach notification, provided the key (or the PIN that protects it) has not been compromised along with the device. Encryption is an addressable implementation specification of the Security Rule's Technical Safeguards: a covered entity must implement it or document why an equivalent alternative is reasonable, and the NIST guidance that HHS points to calls for the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys. All iStorage devices, which include the USB flash drive range, the HDD/SSD range and the cloudAshur encryption module, have an on-device crypto-chip offering real-time AES-XTS 256-bit hardware encryption using the FIPS PUB 197 (AES) algorithm.

For ultimate security, going above and beyond HIPAA requirements, the datAshur PRO² and the diskAshur PRO² range, as well as the cloudAshur encryption module, are the only drives to feature a Common Criteria EAL4+ ready secure microprocessor, which employs built-in physical protection mechanisms, designed to thwart an array of cyber-attacks, such as side-channel attacks.

Backing up valuable data onto a PIN-authenticated, encrypted hard-disk drive can spare healthcare service providers the loss of access to important information during a ransomware attack, provided the drive is locked and disconnected when not in use, so that malware on the host cannot reach the backup. The same drive can also serve as an encrypted archive: HIPAA requires the documentation the Security Rule calls for to be retained for at least six years, while retention periods for the medical records themselves are set by state law.

Another HIPAA Technical Safeguard is transmission security: technical measures that guard against unauthorised access to PHI while it is transmitted over an electronic communications network. This safeguard covers every method of transmission, including email, the internet and private networks such as a private cloud. How can this be achieved?

Controlling access to data

Confidential information stored on a local computer or drive, sent via email or a file sharing service, or shared in the cloud should be securely encrypted. If a device is lost or stolen while employees transport files or work out of the office, the datAshur PRO² and the diskAshur PRO² range allow organisations to avoid the risk of their data being accessed or viewed. The drives are only accessible after entering a unique 7-15-digit PIN, preventing unauthorised access to the data stored on the device.

The brute force limitation feature deletes the User PIN after a designated number of incorrect entries; the drive can then only be accessed by entering the Admin PIN to reset the User PIN. If the Admin PIN is entered incorrectly a designated number of times, the encrypted encryption key is deleted, and with it all data previously stored on the drive, since the ciphertext can no longer be decrypted.
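As an added illustration (not iStorage's firmware, whose internals are not described on this page), the following Python model shows why deleting the "encrypted encryption key" amounts to destroying the data: the data encryption key (DEK) only ever exists wrapped under keys derived from the User and Admin PINs, a wrong PIN is detected by a verifier tag, and the two attempt counters drive the two outcomes described above. PBKDF2 for PIN stretching, XOR for key wrapping and an HMAC keystream for the data are simplifications standing in for the device's AES-XTS crypto-chip, and the attempt limits are parameters, not the product's actual values.

```python
import hashlib
import hmac
import os
from enum import Enum

# Simplifications of this model (not iStorage's firmware): PBKDF2 stretches the
# PIN, XOR stands in for AES key wrap, and an HMAC keystream stands in for
# AES-XTS. Attempt limits are parameters, not the product's values.
PBKDF2_ROUNDS = 20_000
KEY_LEN = 32


class State(Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"
    WIPED = "wiped"   # wrapped key destroyed: the ciphertext can never be read again


def _check_pin(pin):
    if not (pin.isdigit() and 7 <= len(pin) <= 15):
        raise ValueError("PIN must be 7-15 digits")


def _kek(pin, salt):
    """Key-encryption key derived from a PIN; never stored, recomputed per attempt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, KEY_LEN)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap(dek, kek):
    """Return (wrapped DEK, verifier); the verifier lets a wrong PIN be detected."""
    wrapped = _xor(dek, kek)
    return wrapped, hmac.new(kek, wrapped, "sha256").digest()


def _unwrap(slot, pin, salt):
    """The DEK if the PIN opens this slot, else None."""
    wrapped, verifier = slot
    kek = _kek(pin, salt)
    if hmac.compare_digest(verifier, hmac.new(kek, wrapped, "sha256").digest()):
        return _xor(wrapped, kek)
    return None


class PinProtectedDrive:
    def __init__(self, user_pin, admin_pin, max_user_tries=10, max_admin_tries=10):
        _check_pin(user_pin)
        _check_pin(admin_pin)
        self.salt = os.urandom(16)
        dek = os.urandom(KEY_LEN)            # the real key: never stored unwrapped
        self.user_slot = _wrap(dek, _kek(user_pin, self.salt))
        self.admin_slot = _wrap(dek, _kek(admin_pin, self.salt))
        self.max_user_tries, self.max_admin_tries = max_user_tries, max_admin_tries
        self.user_tries = self.admin_tries = 0
        self.state = State.LOCKED
        self._session_dek = None             # held in RAM only while unlocked
        self.ciphertext = b""                # what the flash actually contains

    def unlock(self, pin):
        """User PIN entry. Exhausting the limit deletes the User PIN slot only."""
        if self.state is State.WIPED or self.user_slot is None:
            return False
        dek = _unwrap(self.user_slot, pin, self.salt)
        if dek is None:
            self.user_tries += 1
            if self.user_tries >= self.max_user_tries:
                self.user_slot = None        # data survives, reachable only via Admin PIN
            return False
        self.user_tries = 0
        self._session_dek, self.state = dek, State.UNLOCKED
        return True

    def admin_reset_user_pin(self, admin_pin, new_user_pin):
        """Admin PIN entry. Exhausting the limit is a cryptographic erase."""
        if self.state is State.WIPED:
            return False
        dek = _unwrap(self.admin_slot, admin_pin, self.salt)
        if dek is None:
            self.admin_tries += 1
            if self.admin_tries >= self.max_admin_tries:
                self.user_slot = self.admin_slot = self._session_dek = None
                self.state = State.WIPED     # ciphertext is left in place, unreadable
            return False
        _check_pin(new_user_pin)
        self.admin_tries = self.user_tries = 0
        self.user_slot = _wrap(dek, _kek(new_user_pin, self.salt))
        return True

    def lock(self):
        """Unplug, host power-off or inactivity timeout."""
        self._session_dek = None
        if self.state is State.UNLOCKED:
            self.state = State.LOCKED

    def _keystream(self, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._session_dek, ctr.to_bytes(8, "big"), "sha256").digest()
            ctr += 1
        return out[:n]

    def write(self, plaintext):
        """Each write replaces the whole contents (a toy: no sector addressing)."""
        if self.state is not State.UNLOCKED:
            raise PermissionError("drive is locked")
        self.ciphertext = _xor(plaintext, self._keystream(len(plaintext)))

    def read(self):
        """Plaintext while unlocked; None otherwise, including after a wipe."""
        if self.state is not State.UNLOCKED:
            return None
        return _xor(self.ciphertext, self._keystream(len(self.ciphertext)))
```

The point the model makes is that a wipe never has to overwrite the data: once both wrapped copies of the DEK are gone, the flash still holds the same bytes, but no PIN, and no amount of reading the chip, yields the key that turns them back into patient records.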

When power to the USB port is turned off, when the drive is unplugged from the host, or after a predetermined period of inactivity, the drive automatically locks to prevent unauthorised access. The datAshur PRO² can also be configured as a read-only (write-protected) device to ensure the data cannot be modified without authorisation. HIPAA's Technical Safeguards require access controls that allow only authorised personnel to access PHI. How can this be upheld when sharing data in the cloud?

HIPAA and the cloud

A common concern when sharing confidential information in the cloud is security and, by extension, liability. Who is liable for data breaches in the public cloud? A CSP is classed as a business associate under HIPAA even if the PHI it holds is encrypted and it is never given the decryption key, so the CSP must meet HIPAA compliance obligations. Covered entities using a public cloud must enter into a business associate agreement (BAA) with the CSP, and a service level agreement (SLA) can set out specific responsibilities for data protection and security.

In terms of security, the level of encryption used by most cloud service providers meets the minimum standard demanded by HIPAA. However, this does not necessarily mean the CSP is HIPAA compliant. For example, Apple excludes liability, stating clearly in its terms and conditions: “If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

Another important factor to consider is control of the encryption key. Granted, most CSPs encrypt their customers' data, and some offer a key management service that lets customers manage their own keys. However, the key material is still generated, stored and used inside the provider's infrastructure, so it stays within the provider's trust boundary: anyone who compromises that infrastructure, or an insider with sufficient privilege, is in a position to misuse it. It is much like leaving your house key under the doormat that half the neighbourhood knows about.

With cloudAshur, each authorised user holds a copy of the encrypted encryption key physically within their PIN-authenticated cloudAshur encryption module. Using cloudAshur KeyWriter, all critical security parameters, including the randomly generated encryption key and all PINs, are copied from the Master cloudAshur module to as many Secondary cloudAshur modules as required. This allows secure and instant collaboration in the cloud between authorised users, as well as secure sharing of encrypted files via email and file transfer services.

Multi-factor authentication is also highly recommended as a best practice for HIPAA compliance. Although not mandatory, the HIPAA Journal advises that it is “the best way to comply with the HIPAA password requirements.” If an attacker obtains a cloud user's credentials, the breach will go unnoticed by the CSP, which cannot distinguish a legitimate user from an attacker presenting the same credentials. The cloudAshur encryption module raises this to what iStorage describes as five-factor authentication, because the encryption key is kept away from the cloud.

What if the CSP is willing to enter into a BAA, as Microsoft is? Although Azure or OneDrive can be used in a way that satisfies the HIPAA Rules, Microsoft accepts no responsibility for HIPAA violations that result from misuse of its services. As Microsoft explains, “Your organisation is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.” The same is true of many CSPs: they will not accept liability for misuse of their service or platform, or for misconfigurations by healthcare employees. It is therefore the responsibility of the covered entity using the service to ensure that the HIPAA Rules are followed.

Gaining visibility and control of data

To avoid a HIPAA violation, cloud accounts must be monitored to ensure that PHI is not being accessed by unauthorised individuals. Administrators should remove a user's access when their role changes and they no longer need PHI, and when they leave the organisation. This level of management can be attained using the cloudAshur Remote Management Console.

Administrator capabilities – such as temporarily disabling or resetting encryption modules (storing the encrypted encryption key to access data stored in the cloud), restricting file types, encrypting file names, viewing user’s log files, displaying user’s location, as well as geo-fencing and time-fencing capabilities – will all contribute to an efficient oversight of data.

Having full visibility of the PHI shared will be useful when a patient requests a copy of their health records, which must be provided within 30 days, a right set out in the HIPAA Privacy Rule. In the event of a breach, the HIPAA Breach Notification Rule requires a risk assessment that considers the nature and extent of the PHI involved, the unauthorised person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Using the cloudAshur Remote Management Console, Admins can view log files revealing when files were accessed or modified and by whom. This supports the audit controls safeguard of the HIPAA Security Rule, which requires mechanisms that record and examine activity in systems that contain PHI.
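As an added example of the kind of review the paragraph above calls for (constructed here, and not a feature or export format of the cloudAshur Remote Management Console), the Python below checks access-log lines against an authorisation roster and flags the two lapses the previous section warns about: accounts that were never provisioned, and accounts used after the date their PHI access should have ended. It also extracts one file's access history, the "who, when and what" a breach risk assessment or a patient's record request needs. The key=value log format, the account names and the dates are all assumptions made up for the example.

```python
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical key=value format; the real
# console's export format is not shown on the page.
SAMPLE_LOG = """\
2024-03-04T10:15:22Z user=jsmith action=read file=radiology/MRN-000123.dcm
2024-03-04T10:42:07Z user=apatel action=modify file=records/MRN-000123.pdf
2024-03-05T08:03:51Z user=jsmith action=read file=records/MRN-000987.pdf
2024-03-06T17:30:00Z user=ctemp action=read file=records/MRN-000123.pdf
"""

# Constructed roster: when each account's PHI access ended (None = still
# authorised). jsmith left on 5 March; ctemp was never provisioned at all.
ROSTER = {
    "jsmith": datetime(2024, 3, 5, tzinfo=timezone.utc),
    "apatel": None,
}


def parse_line(line):
    """One log line -> dict with a timezone-aware 'time' plus the key=value fields."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def _events(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def review_access(log_text, roster):
    """Events that should not have happened, as (time, user, file, reason) tuples:
    access by an account not on the roster, or after its access end date."""
    findings = []
    for ev in _events(log_text):
        ended = roster.get(ev["user"], "unknown")
        if ended == "unknown":
            findings.append((ev["time"], ev["user"], ev["file"], "unknown account"))
        elif ended is not None and ev["time"] >= ended:
            findings.append((ev["time"], ev["user"], ev["file"], "access after deprovisioning"))
    return findings


def file_history(log_text, path):
    """Who touched one file, when, and how: the record a breach assessment or a
    patient access request needs."""
    return [(ev["time"], ev["user"], ev["action"]) for ev in _events(log_text) if ev["file"] == path]


if __name__ == "__main__":
    for when, who, what, why in review_access(SAMPLE_LOG, ROSTER):
        print(f"{when.isoformat()} {who} {what}: {why}")
    for when, who, how in file_history(SAMPLE_LOG, "records/MRN-000123.pdf"):
        print(f"{when.isoformat()} {who} {how}")
```

The roster comparison is the part worth keeping: a log that is merely collected satisfies nobody, while a log checked against the current list of who should still have access turns the "remove users when they leave" policy into something that can be verified after the fact.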

HIPAA compliance encompasses a number of obligations, so much so that a HIPAA Compliance Officer is needed to ensure that the privacy policies protecting the integrity of PHI are enforced. Healthcare organisations that violate the HIPAA Privacy and Security Rules are subject to civil monetary penalties, increased under the supplementary Health Information Technology for Economic and Clinical Health (HITECH) Act, with tiers that scale from violations the organisation could not reasonably have known about up to wilful neglect. Simply put, excuses will not be accepted. Failure to comply can also result in criminal charges and civil lawsuits should a breach of PHI occur.

The high black-market value of health data means the industry will likely never be free from the attention of cyber criminals. Healthcare providers must do everything they can to build a resilient shield to defend themselves, their equipment, and most importantly their patients against any form of digital incursion. A two-pronged strategy which combines regular backups with hardware encryption should be an essential component of any digital hygiene plan – with the right equipment it is easy to introduce, easy to administer, and inherently secure.

Healthcare organisations need to confirm they have implemented all the appropriate safeguards to protect PHI in transit and at rest and to prevent unauthorised disclosures if they are to be HIPAA compliant. The datAshur PRO² and the diskAshur PRO² provide a secure backup of encrypted data, accessible only to those authorised with a PIN. The cloudAshur can be used to encrypt data in the cloud or locally on a PC or Mac, as well as to encrypt files shared via email or file sharing services. Using the cloudAshur Remote Management Console, healthcare organisations can have a holistic view and full control of the PHI they share, helping keep PHI confidential, meet HIPAA compliance and gain patients' trust.