HIPAA Security Rule

Image generated by DALL-E

Written by Nicholas Howland on 12/13/2024

What Are the HIPAA Security Rules

The Security Rules are a set of guidelines that help improve the security of systems and patient data within healthcare. HIPAA and PCI are the two most common compliance frameworks because everyone gets sick from time to time and payments always need to be processed. PCI covers payment card industry systems such as credit card machines and other financial IT systems.

I will be focusing on the Security Rules, which are intended to improve the security of systems through encryption, auditing, authentication, and access controls. Although this document is relatively short, it provides a good jumping-off point to ensure that providers and covered entities are compliant. It's the law, so these controls are not negotiable in a court of law, but outside of the healthcare setting they are still good to implement.

I will be focusing on the following document: Technical Safeguards PDF (if it gets taken down or moved on the HHS website I have copies and mad Google skills; feel free to email me or practice your own Google-fu). It does not cover password requirements or granular control details but serves as a good jumping-off point to determine if compliance is being met.

Here are some other resources for HIPAA compliance, including a Security Rule Toolkit.

Security updates and patching are not explicitly mentioned because they are part of overall best practices. Careful planning must be done to replace legacy systems, but the sooner they are replaced the less likely they are to fail, be compromised, or crash and burn in some other unexpected way.

Overview of Controls

  • Access Control: “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)[Information Access Management].”
  • Audit Controls: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
  • Integrity Controls: “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
  • Person or Entity Authentication: “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
  • Transmission Security: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

Access Controls

The following components of the access control safeguard end up transferring well to other industries.

  1. Unique User Identification
  2. Emergency Access Procedures
  3. Automatic Logoff
  4. Encryption and Decryption

Unique User Identification

Unique user identification is achieved by creating a unique user ID for each person who accesses a system that contains PHI, so that if an account is compromised its access can be revoked and an assessment of what data was stolen or corrupted can be done. This is important in both the investigation and response phases of an incident that affects the integrity and confidentiality of data.

Emergency Access Procedures

Emergency access procedures should be put in place for emergencies; this could be a temporary access code that can be used to reach a patient file in the event of a medical emergency. A very, very important set of qualifying questions separates an emergency access procedure from a vulnerability: Could an attacker easily use this to view and edit records? Could apathy lead to this feature being abused? If someone gained access to the network, would they be able to brute force or enumerate the system to discover an emergency access feature and gain access without any credentials? Is it possible to change the emergency access process in the event it gets compromised?

Automatic Logoff

Automatic logoff is a sore point for many people when it comes to computer security. There is a stipulation that allows for leeway in operating rooms or surgical settings where an automatic logoff would put the patient at undue risk and is not needed. This control basically says that wherever patient data exists in a form that is easily readable by unauthorized healthcare professionals, an automatic logoff must exist to reduce the chances of someone being able to view or alter protected health information.

Encryption and Decryption

The last access control in this section is encryption. This pertains to data at rest and in motion over the network. In general, the best practice for data crossing the network is to encrypt (not encode) the data on the device after it is entered into the system and before it is transmitted onto the network. An example flow would be: Medical professional enters data into a system -> Data exists in the form field -> Once saved, the data is encrypted or tokenized before it is transmitted over the network using TLS/SSL -> The data is sent over the network encrypted and protected from interception or alteration in transit -> When access to the data is required, proper authorization and authentication must occur to gain access to it. Ideally the data would be in an encrypted form before it enters the database, but having the database itself encrypted may satisfy this rule.

These access controls stop attackers from

Audit Controls

This is a short one but very important when trying to figure out what was stolen or altered in the event of an incident. It means logging access to PHI systems using the unique user identification required under Access Controls. If there are concerns about privacy in the organization, a naming scheme and reference model can be put in place so that correlating a username to a real user is harder. This could be achieved by assigning users usernames and profiles that are not easily identifiable, like AB123 or DH482, and then recording the mapping on paper or in another form that can easily be referenced in the event an investigation (law enforcement or otherwise) needs to be conducted. This also helps stop compromised accounts from doing further damage.

Integrity Controls

These controls are meant to maintain the integrity of healthcare records through "mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner." Ideally, audit and access controls are already in place before integrity controls are added. Off-server backups and database mirroring are another way to implement data integrity, because changes can be audited by looking at the differences between backups.

The subsection "Mechanism to Authenticate Electronic Protected Health Information (A) - § 164.312(c)(2)" also brings up the point that once a backup or integrity control is in place, the live system should have a way to corroborate that the data was not changed. This might look like a server verifying that records entered in the past have not been changed. It could also look like digital signatures on files that exist in the system.
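One way to implement the corroboration step described above, as an added example that is not part of the article: each stored record gets an integrity tag when it is saved, and a later server-side pass re-checks every tag and reports the records that no longer match. HMAC-SHA256 stands in here for the digital signatures the text mentions; the key, record fields, pseudonymous user IDs and sample records are all constructed for illustration.

```python
"""Record-integrity check: a keyed MAC (HMAC-SHA256) over each stored PHI record
so a later verification pass can corroborate that nothing was altered.
Added example, not from the article; HMAC stands in for digital signatures and
the key, record layout and sample records are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed key; in a real deployment it lives in a KMS/HSM, not in source.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"


def canonical(record: dict) -> bytes:
    # Canonical serialization: key order and whitespace changes do not break
    # verification, while any change to a value does.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record with an integrity tag attached."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "_integrity": tag}


def verify(stored: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True if the stored record still matches its tag."""
    tag = stored.get("_integrity")
    if not isinstance(tag, str):
        return False  # missing or malformed tag counts as an integrity failure
    body = {k: v for k, v in stored.items() if k != "_integrity"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def audit_records(records: list) -> list:
    """Server-side pass: return the IDs of records whose tag no longer matches."""
    return [r.get("record_id") for r in records if not verify(r)]


if __name__ == "__main__":
    # Constructed sample records, entered under pseudonymous user IDs as in the text.
    original = protect({"record_id": "R-1001", "entered_by": "AB123",
                        "allergies": ["penicillin"]})
    tampered = dict(original, allergies=["none"])            # value changed after the fact
    reordered = dict(sorted(original.items(), reverse=True))  # same data, new key order
    print(audit_records([original, tampered, reordered]))     # ['R-1001']
```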

Off topic tangent

Going back to access controls: there should be proper procedures in place for access to systems through user permission sets that allow reading and writing only to the proper datasets. For example: Should the receptionist be able to prescribe medicine? No. Should they be able to update allergy information? Yes. So this becomes a new role in the access control schema. This is very easy to say but can take some consideration and collaboration between the information security team, the human resources department, and management to create and provision appropriate group permissions in a large environment.

Person or Entity Authentication

This involves the authentication of covered entities, so there are a couple of different players when it comes to healthcare data: covered entities and business associates. Business associates are the groups, organizations or businesses that you do business with, such as another hospital in the network, an insurance provider, or someone else who gets access to records. A covered entity is a broader term that encompasses software providers, file storage services, cloud platforms, claims processing services, data analysis services, QA services, billing services, or any other service that may have direct or indirect access to patient data. This section states that the person or entity requesting access to records or data about patients must be verified in some way; it is meant to prove that whoever is asking for records is who they say they are. This is commonly done with MFA tokens or biometric authentication.

Transmission Security

This control ensures the integrity of data as it traverses the network and ensures that data remains private through encryption. When data is encrypted, standard encryption schemes and protocols include methods that prevent corruption or alteration of records as they pass over or through network nodes. There is no one standard encryption technology that is required over the open internet when transferring data to covered entities; it is only required that the data be encrypted. This allows for interoperability of systems and flexibility in what technology healthcare providers and covered entities use.

Conclusion

By keeping these design principles in mind during the system design and development phases, greater security can be accomplished through well-established principles. By using integrity, access, audit, authentication and encryption controls, the risk to healthcare information and the private health information stored is greatly reduced.

A Rebuttal to Apathy

We hear about data breaches every. single. day. or at least once a week. Do you know what happens every single day as well? People get surgeries, babies are born, people pass on, and someone finds out a lump is just a fatty mass. All of that is new information that is just now being entered into a system, and it can be life saving. By caring about protecting these people's information you help stop that breach and leak of personal information to people who care less than nothing about what happens to the people whose data was stolen. Protecting the innocent still matters, at least to me.