HIPAA as a Security Framework
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law in the United States that sets standards for safeguarding certain health information. While HIPAA includes provisions related to information security, it is not considered a comprehensive cybersecurity framework. It was enacted by Congress in 1996 and has continued to mature over time.
HIPAA serves several purposes, including providing the ability to transfer and continue health insurance coverage for American workers and their families, reducing health care fraud and abuse, mandating industry-wide standards for health care information, and requiring the protection and confidential handling of protected health information.
HIPAA has two main sections: Title I, dealing with Portability, and Title II, focusing on Administrative Simplification. The latter includes the establishment of a set of standards for receiving, transmitting, and maintaining healthcare information, ensuring the privacy and security of individually identifiable information.
HIPAA’s security provisions concentrate on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). Covered entities and their business associates must implement administrative, physical, and technical safeguards to protect ePHI, such as access controls, encryption and decryption of ePHI, security incident reporting and response, and regular security risk assessments and analysis.
Although HIPAA is an essential regulation for protecting healthcare data, it does not cover all aspects of cybersecurity. It does not address threats posed by social engineering attacks or provide guidance on network security, vulnerability management, or incident response planning. Therefore, organizations that need to establish a comprehensive cybersecurity program may need to look to other frameworks or standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the ISO/IEC 27001 standard.
HIPAA can be considered as a subset of a comprehensive security framework for healthcare organizations. By incorporating HIPAA’s security requirements into a broader security framework that covers all aspects of information security, healthcare organizations can ensure that they are meeting their obligations under HIPAA while also addressing other important aspects of cybersecurity. The U.S. Department of Health and Human Services (HHS) manages and enforces HIPAA regulations through its Office for Civil Rights (OCR), which investigates complaints, conducts audits, provides guidance, and enforces penalties for HIPAA violations.
In conclusion, HIPAA is an essential law that protects sensitive healthcare information, but it is not a comprehensive cybersecurity framework. Healthcare organizations must incorporate HIPAA’s security requirements into a broader security framework to better manage their cybersecurity risk and protect sensitive patient information. The U.S. government takes HIPAA regulations seriously and has established a comprehensive system for managing and enforcing these regulations.
As with any security landscape, HIPAA-covered data is not immune to security breaches. On the contrary, as cyberattacks increase in sophistication, we are seeing more ePHI become vulnerable and at risk of compromise. One of the latest journal publications (The HIPAA Journal, February 27, 2023) discusses the “MedusaLocker Ransomware” and how this group has created and run a “ransomware-as-a-service” operation, which is farmed out to “affiliates” who benefit from a cut of the ransom. This sophisticated group used the global COVID-19 pandemic and the confusion it caused as a path to increase their attacks. Attached is an analysis from the “Health Sector Cybersecurity Coordination Center’s HC3: Analyst Note.”
These issues, which continue to plague the US Government, are going to rise and will require more sophisticated security frameworks. When you examine the details of the “Summary of the HIPAA Security Rule,” one has to ask whether these rules are really effective. The real assumption here is that no single framework is going to solve these security issues; rather, a combination of several frameworks (HITRUST, ISO, SOC 2, NIST) will bring a more secure posture going forward.
Author: Jed A. Reay is a retired Healthcare Practitioner and Entrepreneur with over 40 years of a broad background in the clinical arena, from direct patient care, to research and application of implantable cardiac devices, to genetics, teaching, training, and Business Development Consultancy. He is now taking that passion for Healthcare and applying Cybersecurity training to the protection of PHI and other security offerings in the Healthcare space.