In the digital age, the protection of sensitive healthcare information is paramount. HIPAA, the Health Insurance Portability and Accountability Act, requires organizations to implement safeguards to secure individuals' protected health information (PHI).
We see lots of organizations implementing solutions to ensure HIPAA compliance. However, these solutions often fall short of meeting the requirements of the HIPAA Privacy Rule, leaving organizations vulnerable to the repercussions of non-compliance.
So how can you be sure your security solutions are helping your organization to be HIPAA compliant? Read on as we explore:
- HIPAA basics
- The HIPAA Security Rule and what it requires of your organization
- How and why transport layer security (TLS) alone isn’t enough to protect sensitive healthcare information
- Why two-factor authentication (2FA) is becoming an essential component of modern healthcare data protection strategies
- HIPAA checklist
- How to ensure compliance with HIPAA
Back to HIPAA basics
Who does HIPAA apply to?
Organizations that are required to conform to HIPAA are known as Covered Entities, including (but not limited to):
- Health Plans, including health insurance companies
- Company health plans
- Certain government programs that pay for healthcare, such as Medicare and Medicaid.
How does HIPAA protect patients?
The HIPAA Privacy Rule, issued by the US Department of Health and Human Services (HHS), creates national standards for the protection of individuals' medical records and other personal health information. The rule provides patients with more control over their health information and sets boundaries on the use and release of health records.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule concerns the use and disclosure of protected health information by covered entities. It includes standards for individuals’ rights to understand and control how their information is used.
The Privacy Rule ensures individuals’ healthcare data is protected while allowing healthcare information to be shared in the delivery of high quality healthcare, and to protect the public’s health and wellbeing.
What is the HIPAA Security Rule?
The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. This subset consists of individually identifiable health information that a Covered Entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or ePHI.
To comply with the HIPAA Security Rule, all Covered Entities must:
- Ensure the confidentiality, integrity, and availability of all ePHI
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
- Certify compliance by their workforce
Is your solution HIPAA compliant?
Limitations of TLS
Many healthcare organizations rely on email and file transfer tools which utilize Transport Layer Security (TLS). However, this security measure is often misunderstood:
- While TLS does ensure the connection between mail servers is encrypted, it does not protect the content of emails themselves. This means that if any of the servers involved in delivering the email are compromised, the contents of the emails can be accessed in plain text.
- The path that an email takes from one server to another is determined by the MX settings in the DNS. If the DNS server is compromised or manipulated, the email can be redirected to a server controlled by an attacker.
- A man-in-the-middle attacker can intercept and modify emails by exploiting a weak TLS implementation. Some mail servers accept any certificate without proper validation, and an attacker can strip the TLS encryption by removing the STARTTLS option during the connection negotiation. Proper server validation is only possible using DANE, whose adoption in the US and beyond is very low, and certificate pinning, which is labor intensive.
- Emails are stored on the recipient's mail server and, if required by law, the mail provider can be compelled to grant access to the contents of emails. The same applies to the sender's mail server if necessary.
- If an individual's email account is compromised, anyone with access to that account, including the mail provider, administrator, or an unauthorized user who gains access, could potentially access sensitive information. Due to weak passwords and the lack of two-factor authentication (2FA), the likelihood of this occurring is relatively high.
For these reasons, TLS does not ensure the “confidentiality, integrity, and availability of all e-PHI”, “safeguard against anticipated threats to the security of the information” or “protect against anticipated impermissible uses or disclosures that are not allowed by the rule” - all of which are core principles of the HIPAA Security Rule.
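The STARTTLS downgrade described above, seen from the sending server's side, as an added example that is not part of the original article. It contrasts opportunistic delivery with a fail-closed policy and shows a simple downgrade check; the EHLO replies, host names and function names are constructed for illustration.

```python
# Constructed EHLO reply (sample data, not captured traffic).
GENUINE = (
    "250-mx.example.org Hello client.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 PIPELINING\r\n"
)
# The same reply after an on-path device has overwritten the STARTTLS line.
STRIPPED = GENUINE.replace("250-STARTTLS", "250-XXXXXXXX")


def parse_ehlo(reply):
    """Return the set of extension keywords advertised in an EHLO reply."""
    keywords = set()
    lines = reply.splitlines()
    for line in lines[1:]:  # the first line is the greeting, not an extension
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO line: {line!r}")
        words = line[4:].split()
        if words:
            keywords.add(words[0].upper())
    return keywords


def plan_delivery(reply, require_tls):
    """Decide how a sending mail server proceeds after EHLO.

    require_tls=False models opportunistic TLS: encrypt if offered, else plaintext.
    require_tls=True models a fail-closed policy: no STARTTLS, no delivery.
    Even on "starttls", the certificate still has to be validated afterwards.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    return "refuse" if require_tls else "plaintext"


def detect_downgrade(previously_seen, reply):
    """Flag a host that advertised STARTTLS before but does not now."""
    return "STARTTLS" in previously_seen and "STARTTLS" not in parse_ehlo(reply)


if __name__ == "__main__":
    baseline = parse_ehlo(GENUINE)
    for name, reply in (("genuine", GENUINE), ("stripped", STRIPPED)):
        print(name, plan_delivery(reply, False), plan_delivery(reply, True),
              detect_downgrade(baseline, reply))
```

With the stripped reply, the opportunistic sender silently falls back to plaintext, while the fail-closed sender holds the message and the downgrade check raises a flag.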
How important is two-factor authentication (2FA) in HIPAA?
2FA adds an extra layer of protection by requiring users to provide additional verification beyond a password. It ensures that even if a password is compromised, unauthorized access to sensitive information is significantly more difficult.
In our digital world, 2FA is commonplace for various online activities. To meet compliance with HIPAA, it is crucial for healthcare organizations to extend this security measure to protect ePHI.
Does HIPAA require 2FA?
HIPAA does not explicitly mandate two-factor authentication (2FA). However, if a Covered Entity or Business Associate assesses potential risks and discovers vulnerabilities that could be mitigated through 2FA, it becomes a recommended security measure aligned with the Security Standards for Workforce Security and Information Access Management.
In the simplest terms, 2FA is a very effective measure for the protection of ePHI under HIPAA.
For healthcare organizations, the checklist below is a good test of security best practice in relation to the use of email and file transfer services:
- Does your current solution enable two-factor authentication to protect sensitive healthcare information shared by employees?
- Does your solution adequately address the risks of unauthorized access to ePHI beyond transport layer security?
- Does your organization ensure that sensitive information remains secure in the event of email account compromise?
- Does your solution prevent data leaks caused by human error (i.e. emails sent to the wrong recipient, misuse of Bcc/cc)?
- Does your solution enable users to revoke access to emails?
- Does your solution provide insights into the status of emails, including details of who has accessed the message prior to revocation?
- Does your solution fully encrypt data at rest with advanced key-management practices, ideally zero-access?
- Is your solution aligned with evolving best practices and industry standards for healthcare data protection?
How to comply with HIPAA
In an increasingly interconnected world, healthcare organizations must go beyond the most basic requirements of HIPAA to meet compliance. Instead, covered entities must delve deeper, and examine and reevaluate the solutions they have in place for safeguarding sensitive data.
Covered Entities cannot rely solely on transport layer security to protect ePHI. Solutions must ensure emails are protected in transit and at rest with advanced encryption, advanced key-management practices, and tools to prevent human error.
The use of 2FA is integral for protecting against the threats and vulnerabilities within email systems. In fact, 2FA not only enhances data security, but reinforces an organization's commitment to safeguarding sensitive patient information.
It is important to remember that HIPAA compliance is a multifaceted effort and requires a comprehensive approach. While 2FA is not explicitly mandated by HIPAA, it aligns with the evolving expectations for data protection in the digital landscape.
Consultation with legal and compliance experts is advised to ensure full compliance with all relevant HIPAA provisions and to implement robust security measures to protect PHI effectively.
Last updated - 02/06/23