You may have a fitness tracker that is connected to an application on your phone. The app sends data to a server that your primary care physician (PCP) can also access. Your PCP can send this data to business associates for such purposes as billing, decision making, diet plans, fitness plans and other health-related purposes. In this web of interconnected devices, we have a smart watch, a phone, a server, a PCP’s laptop, and devices used by business associates. With all this interconnectivity, what can be done to protect our information?
The Health Insurance Portability and Accountability Act (HIPAA) was adopted to protect the health data of US citizens. The regulation applies to Covered Entities (CE), Business Associates (BA), and Hybrid Entities (HE). HIPAA applies to entities that manage health plans, health care clearinghouses, and any health care provider who transmits health information, electronic or not. HIPAA does not apply to individuals.
In the example above, the parties subject to HIPAA would be the PCP, the business associates contracted to perform additional work using your health information, as well as the devices used by those entities (laptops, USBs, etc.).
But what about the fitness tracker and phone? These interconnected devices hold and transmit data that is regulated under other standards and laws, such as the California Consumer Privacy Act, General Data Protection Regulation, State Breach Notification Laws, and various state requirements around cybersecurity specific to each state. These laws and regulations focus on consumer privacy beyond just health care information.
For IT Security professionals, data security and protection is important, both when data is stored and when it is in transit.
As more health care devices come into use, the companies and individuals developing and testing these devices need to take new risks into account and consider where HIPAA might apply. Common Security Risks around the interconnectivity of medical things (IoMT) include:
- Health and Safety of the individual
- Regulatory compliance with state and federal law
- Data privacy and protection
- Unauthorized access to data (i.e. accessing data you’re not privileged to)
- Device vulnerabilities
- Unintentional access to other corporate assets (i.e. an employee accidentally accesses something they’re not authorized for)
Organizations that interact with electronic protected healthcare information (ePHI) should be vigilant regarding their current systems and processes and their vulnerabilities. Your organization may have strong access controls, but a sophisticated social engineering attack can bypass any strong access control. An organization may have a highly advanced change management process, but if backup and system resiliency controls are weak, is could lose all the changes made over the last day, week, or month if information isn’t backed up properly or a ransomware attack occurs. Your organization may invest in different security and network monitoring controls, but if you don’t have a data classification scheme, the security services may not be adding as much value as you think.
Here are some controls that should be in place to protect ePHI:
- User training and awareness
- Access controls (logical, physical)
- Segregation of Duties enforcement (least privilege, need-to-know, role responsibilities)
- Change Management (authorization of changes, verification of system compatibility)
- Encryption implementation for critical data and communications
- Anonymization, pseudonymization, and de-identification controls
- Backup and recovery procedures
To protect their assets, companies that work with health care data should provide cybersecurity training and information for employees while also having the right security protocols in place if a data breach occurs. Here are some questions your company should be asking your IT and/or cybersecurity team:
- Do our employees get appropriate training and information about cybersecurity?
- Do we have mechanisms in place, such as multi-factor authentication, to mitigate the exposure when our people make mistakes?
- Do our web applications, which have back-end access to some of the most sensitive data in our organization, have the appropriate defenses in-front of them to block the most common of web application security risks?
- Do we have the appropriate skills in-house to properly secure modern web applications?
- Does our business have a layered strategy for security or do we rely on one or two magic bullets to solve all of our security needs?
- Does our organization know what the latest HIPAA security considerations are around the data that we come in contact with on a regular basis?
- Does our organization know what devices are connecting to our network on a regular basis? What about any unrecognized devices?
For more information about health care cybersecurity, contact us. We are here to help.
Authored by Hunter Sundbeck, CDPSE, CISA
One of the fastest growing cybercrimes out there, ransomware, hits the health care industry particularly hard because in…