Healthcare is one of the industries most targeted by cyber criminals. Healthcare providers, insurance companies, and hospitals create, store, and transmit large amounts of personal data that cyber criminals find attractive. This information can be used in ransomware attacks, to facilitate phishing schemes, or sold to other online criminals. It includes personally identifiable information (PII) such as names, addresses, contact information, medical history, and more.
It is important that healthcare organizations protect their patients' data and implement secure cyber policies. To help ensure this is being accomplished, regulations like HIPAA have been instituted to hold the industry accountable. HIPAA's Security Rule has recently been supplemented by new NIST guidance that will aid in securing private data.
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of regulations that apply to healthcare organizations and outline how those organizations must protect their patients' private healthcare data. Specifically, HIPAA is concerned with "protected health information" (PHI). Examples of PHI include names, addresses, social security numbers, medical records, and health plan beneficiary numbers, as well as dozens of other forms of data, including anything with a unique ID number or code. This information is valuable to cyber criminals who want to ransom it for money or sell it to the highest bidder.
If you are a healthcare provider, a healthcare clearinghouse, or in charge of maintaining health plans, then you are required by federal law to comply with HIPAA. Additionally, if you are a business associate of any of these entities, then you are also required to abide by certain HIPAA regulations. Any entity found to be non-compliant will face financial and potentially legal repercussions.
HIPAA Security Rule
The HIPAA Security Rule establishes how applicable parties must safeguard and protect electronic protected health information (EPHI). Patients and healthcare providers create and share large amounts of data online via email, video calls, and other communication methods. This rule focuses on "protecting the confidentiality, integrity, and availability of EPHI".
NIST Special Publication Update
Early in February 2024, the HHS Office for Civil Rights (OCR) and NIST published the final version of NIST SP 800-66. This publication provides greater guidance on how those who must comply with the HIPAA Security Rule can implement better controls to protect EPHI. It better aligns the HIPAA Security Rule with the NIST Cybersecurity Framework (CSF), a security framework that allows organizations to implement security controls in a technology-neutral way. These guidelines are practical controls that entities can implement to better manage and protect their patients' EPHI.
CorpInfoTech Can Help!
CorpInfoTech is a managed service and security provider (MSSP) that provides cybersecurity and IT services to small and medium-sized businesses. Our services include firewall management (xDEFENSE), vulnerability management (v360), security assessments, managed IT, and compliance help. For those who must comply with the HIPAA Security Rule, CorpInfoTech can help ensure compliance on time, on budget, and with tangible results. Contact us today to learn more about how we can better secure your business!