What to know about the healthcare compliance standard
The healthcare industry generates, processes, and stores some of the most confidential and sensitive information that exists in the world today. Thus, it is crucial that dependable protections are implemented to shield this information and that potential leaks or data breaches are prevented.
These breaches can be extremely detrimental — exposing the personal information of any individual that has received medical attention. Cybercriminals use this info to cheat the healthcare system, gaining prescriptions for expensive medications or services, and even deceiving insurance companies in hopes of receiving a payout.
Furthermore, healthcare organizations and providers often have an individual’s address, employer, phone number, and payment information on file — all of which can be used by criminals to steal a person’s identity.
The Healthcare Insurance Portability and Accountability Act (HIPAA) was created to combat these privacy violations. But without continuously assessing and measuring the efficacy of their security efforts, even healthcare institutions that adhere to HIPAA can fall victim to data theft.
In this post, we’ll be discussing how penetration testing can be used by healthcare providers to strengthen their HIPAA compliance and take a deeper look at how HIPAA works.
But before we dive into these details, let’s go over some of the essentials.
As mentioned above, HIPAA stands for the Healthcare Insurance Portability and Accountability Act, a U.S. law that was established in 1996. Its primary purpose is to provide healthcare professionals with national standards for the safeguarding and proper processing of medical information.
What organizations are affected by HIPAA?
Any organization that provides medical services, and any business that works in partnership with a medical provider, is subject to HIPAA.
This includes, but is not limited to, the following:
Clinics, hospitals, medical laboratories, etc.
Psychologists, psychiatrists, etc.
Employer-sponsored health programs
Health insurance companies
What information is protected under HIPAA?
According to HIPAA definition, any “individually identifiable health information” that is stored, communicated, or relayed by a covered healthcare entity or its business associate is protected under HIPAA.
This information is referred to as “Protected Health Information”, or “PHI”.
Below are some items that would be considered Protected Health Information:
Demographic patient information
Social security numbers
X-rays, photographs, or any other form of medical media relating to a patient’s care
How are healthcare providers and businesses expected to uphold HIPAA compliance?
One of the most significant aspects of the HIPAA security rule is the legislature it provides around data use and exposure.
Essentially, HIPAA states that medical information should only be shared in one of two circumstances:
- The patient (or a legal representative of that patient) requests access to their medical records
- As the HIPAA Privacy Rule permits
The HIPAA Privacy Rule grants access to information for coordination of medical treatment, payment processing, specific insurance functions, and other operational activities.
However, even in these circumstances, stringent safeguarding practices must be adhered to at all times.
What does the HIPAA law say about data breaches and security?
Now that we’ve covered the meaning of HIPAA, it’s important to understand how it relates to computer use and electronic file sharing.
HIPAA has a technical requirements portion of legislation that focuses solely on electronic data transmitting.
This legislation states that all covered entities must do the following:
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
Identify and protect against reasonably anticipated threats to the security or integrity of the information
Protect against reasonably anticipated, impermissible uses or disclosures
Ensure compliance by their workforce
Compliance and How Pentesting Can Help
Ensuring that your healthcare practice or business is HIPAA compliant isn’t a one-time task. In order to maintain your compliant status, you must constantly monitor, assess, and strengthen your safeguarding practices.
From training your team members on HIPAA best practices, to properly securing printed documents containing client information, to using the best available anti-virus software, data security is an on-going effort.
Pentesting is one of the most powerful methods of helping ensure HIPAA compliance. This is an effective way to identify gaps in your system, application, or network, as it currently stands. In general, this type of manual testing can uncover healthcare vulnerabilities and ensure healthcare data security.
This demonstrates the value of penetration testing for healthcare providers and business professionals who would face horrendous repercussions if their compliance became compromised.
How a Cobalt pentest can help an organization maintain safeguards for protecting HIPAA electronic protected health information (e-PHI)?
During a Cobalt pentest, the pentesters focus on testing the application for various security vulnerabilities. For example, when testing web apps this methodology aligns with the OWASP Top 10 and its Application Security Verification Standard (ASVS). While pentesters may rely on various tools for analysis, the majority of their effort is manual and serves as a complement to automated scanning. The pentesters turn their understanding of the app into creative ways to bypass security controls or break assumptions in the app’s design.
Once the test is complete, recommendations based on themes or repeated issues that were observed are provided in order to help an organization address the security vulnerabilities which were discovered and reduce the risk associated with the application.