Why WhatsApp isn't HIPAA compliant

Digital certificates as part of the security and data protection strategy

Keeping personal data confidential and secure is immensely important in the healthcare sector. It is now 21 years since Title I of the Health Insurance Portability and Accountability Act (HIPAA) was passed in the United States to provide health insurance coverage for workers and their families. In 2003, Title II established the national standards for electronic health care transactions and national identifiers for providers, health insurers and employers. At the same time, a number of privacy and security rules for the protection of electronic protected health information (e-PHI) were defined.

A few years ago, through the Cybersecurity Act of 2015, the US Congress and the Department of Health and Human Services (HHS) established the Health Care Industry Cybersecurity (HCIC) Task Force in response to growing concerns about cybersecurity risks and threats to healthcare. Only recently did the Task Force publish its findings in the very detailed Report on Improving Cybersecurity in the Health Care Industry. The report emphasizes the urgency of the recommended actions in the face of a growing number of complex cyber threats: the health care system must implement these measures promptly to protect systems and patients.

The healthcare ecosystem is extremely complex, with a strong focus on services, care and products aimed at patients and consumers. Just think of all the interactions involved in a single doctor's appointment, not to mention all the data and records generated in the process. Health facilities and health organizations are part of the digital transformation, with its promise of better patient care and better service. Today, patient files are almost always fully digitized, and patient management and data capture are now also largely automated. It is only logical that the risk of cyberattacks grows with every additional digital record and process.

Healthcare facilities and organizations are a worthwhile target, if only because of their highly sensitive patient files and the damage a breach could cause. They are also considered easy to attack because a large number of staff and other people connect all kinds of devices to accessible networks.

In addition, older and possibly more vulnerable devices are still in use, for example because they are difficult to update, expensive to replace or indispensable for daily patient care. A recent headline-grabbing example was the WannaCry ransomware attack, which exploited a known Microsoft Windows vulnerability. Among other targets, WannaCry hit numerous health institutions and caused considerable damage in some countries. This attack could have been prevented with a simple patch.

While the work of the HCIC Task Force and the publication of its cybersecurity report formulate a variety of guidelines aligned with the NIST Cybersecurity Framework, HIPAA's technical safeguards must be part of the cybersecurity strategy of any healthcare organization. The recently published Health IT Security article Implementing HIPAA Technical Safeguards for Data Security also offers a good overview of these technical safeguards, and of what happens when they are missing.

What is meant by technical security measures?

According to the definition in the HIPAA Security Rule, technical safeguards are the technology, and the policies and procedures for its use, that protect electronic protected health information (e-PHI) and control access to it.

The technical safeguards required by the HIPAA Security Rule include:

  • Access control - A covered entity must implement technical policies and procedures that allow only authorized persons to access e-PHI.
  • Audit controls - A covered entity must implement hardware, software and / or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity controls - A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission security - A covered entity must implement technical security measures that guard against unauthorized access to e-PHI being transmitted over an electronic network.

Why implement technical safeguards according to HIPAA

Failing to implement the safeguards required by HIPAA is not an option for a healthcare organization. Technical safeguards help to prevent security incidents, and healthcare organizations must also be able to demonstrate HIPAA compliance, for example when an auditor checks them.

Is that a guarantee that no security incident will occur? No. But adhering to the HIPAA guidelines and implementing IT security best practices show that the organization in question was HIPAA compliant when a security incident occurred, and this may protect it from heavy fines in the event of a data breach.

Digital certificates

The HIPAA Security Rule does not prescribe any particular type of technology. Each health organization can implement its own security measures to meet the standards and implementation specifications. Certificate authorities such as GlobalSign see an important role for digital certificates when healthcare institutions and organizations address the technical safeguards required by HIPAA. The key terms are unique user identification, encryption and decryption, authentication and integrity controls.

Best practices in IT security start with identity. When every “thing” has an identity, everything can be made more secure. People, devices, services, applications and everything else that connects to the Internet must have an identity in order to encrypt communications and transactions, authenticate to a service, be authorized for the right level of access and prove their integrity. Digital certificates provide this identity and the trust that goes with it. They enable many security applications that form part of the technical safeguards required by HIPAA:

  • Web and server security - Prove that your public and internal websites and servers are legitimate, and protect and encrypt data transmissions and transactions with SSL / TLS certificates.
  • User and device authentication and access control - Implement strong authentication without burdening end users with hardware tokens or additional applications, and ensure that only authorized users, computers and devices (including mobile devices) can access the networks and services they are entitled to.
  • Document signing - Digital signatures based on trusted digital certificates replace handwritten signatures and create a tamper-evident seal that protects patient files and other documents that must be kept secure and confidential.
  • Secure email - Digitally signing and encrypting all internal emails reduces the risk of phishing and data loss by clearly verifying the origin of each message. Recipients can distinguish legitimate messages from phishing emails, and only the intended recipients can read the email content.

There is no doubt that security in healthcare is as complex as it needs to be to protect sensitive data. Regulations such as HIPAA and the HCIC Task Force guidelines provide an excellent framework and sound recommendations for establishing best practices.
