Figuring Out if Your Company’s Software is HIPAA Compliant
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is U.S. federal legislation aimed at keeping patients' private medical data safe, secure and protected. HIPAA is enforced by the U.S. Department of Health and Human Services (HHS), specifically its Office for Civil Rights (OCR). HIPAA requires organizations that handle the confidential information of medical patients, whatever their line of business, to comply with its regulations by instituting safeguards that protect patient data. This includes provisions covering the privacy, storage and electronic exchange of private health information. Such information is termed Protected Health Information (PHI): individually identifiable health information that, while overlapping with Personally Identifiable Information (PII), relates to a specific patient's health condition, treatment or payment for care.
Prior to HIPAA, there was no national (federal) law protecting patient data in the Information Age of evolving technological systems. As electronic storage and transmission systems came into wider use, and as identity theft and other cybercrime grew, HIPAA was passed to make sure that companies handling medical information exercised due diligence in protecting their patients' confidential information. It is therefore crucial for a company to know whether it falls under HIPAA, since the regulation requires security best practices to be followed to protect patient PHI. In short, every covered entity (health care provider, health plan or health care clearinghouse) that handles, transmits, stores or exchanges information that can identify a medical patient (PHI) must follow the guidelines HIPAA defines.
PHI includes health information that carries identifiers such as medical record numbers, first and last names, birthdates, Social Security numbers, addresses and payment details such as credit card numbers. Failure to follow industry-standard best practices may result in a data breach, which can be punished by hefty fines and other penalties. For example, according to Becker's Hospital Review (2016), the first seven months of 2016 saw HHS settle 15 million dollars in claims. Additionally, according to Melamedia LLC, almost 175 million people were affected by the 1,996 breaches reported under HITECH (Health Information Technology for Economic and Clinical Health) as of July 17, 2017 (Health Information Privacy/Security Alert, 2017). Melamedia also reports that while the most common cause of breaches was theft of computing hardware, the most exploited vulnerability was in health IT networks (HIPAA And Breach Enforcement Statistics). Withstanding HIPAA privacy and security audits is therefore of the utmost importance for organizations that handle private patient information.
It is important to note that HIPAA does not only bind "medical organizations" (hospitals, clinics, consultants, private practices, etc.). Business associates that handle patient data on behalf of a covered entity, including data that does not at first glance look like "medical data" but can still identify a patient, must follow HIPAA's rules as well, and must ensure data privacy when working with covered entities under a Business Associate Agreement (BAA). It is also important to note that HIPAA does not only cover the oral and written transmission of confidential patient information; it also covers the software systems, computers, mobile devices, networks, cloud servers, etc. that store, transmit and exchange patient data. This matters because most modern medical enterprises rely on information technology as the foundation for operational management, data storage and communications.
Determine if Your Company is Using Customized Software or Pre-Built Solutions
Once it has been determined that a company falls under HIPAA, the next core determination is whether the enterprise's IT infrastructure is composed of pre-built software solutions or customized software. Though the ultimate outcome should be the same (compliance with HIPAA regulations), the route to compliance is typically different, because customized software differs from pre-built solutions in many ways. Pre-built solutions are made by developers to offer a standard set of functionality to a variety of companies, while custom software is built from an enterprise's specific requirements into a unique application with its own set of modules, systems, functionalities and components. That uniqueness makes custom applications harder to assess when determining whether they are fully HIPAA compliant.
Custom Software Will be Harder to Confirm
Determining whether a software system is compliant with HIPAA regulations requires thorough knowledge of the application's security mechanisms and inner workings, along with testing the application for critical vulnerabilities that could result in a data breach. Pre-built software is easier to test, and documentation for it is often easier to obtain. Security researchers have also frequently tested pre-built software, since such applications are used by many companies; custom software, which may be used by only one company, may be neither well documented nor tested, and may therefore need dedicated security testing and auditing by a professional.
Pre-Built Solutions Will Likely Include a HIPAA Compliance Claim
Pre-built software solutions from a third party are typically easier to assess for another reason: such suites often ship with a HIPAA-compliance claim. This usually means the system was developed with security in mind and, specifically, to meet HIPAA's requirements. Enterprises should remember two things, however. First, HHS does not certify software as HIPAA compliant, so a vendor's claim is a self-assessment, not an endorsement. Second, the responsibility for ensuring that the system is truly HIPAA compliant ultimately falls on the business itself, regardless of what the vendor or third party claims, and a vendor that handles PHI on the business's behalf must be bound by a Business Associate Agreement.
Understand Which Portions of HIPAA Directly Apply To Your Software
HIPAA is composed of several rules. The two most important for this discussion are the Privacy Rule, which governs PHI in any form (oral, paper or electronic), and the Security Rule, which governs electronic PHI specifically; the HIPAA regulations also include the Breach Notification Rule, the Enforcement Rule and the 2013 Omnibus Rule updates. It is important to recognize which rules apply to software/computer systems, and how they apply.
Most Technology Related Factors Fall Under the Security Rule of HIPAA
When it comes to software/computer systems and electronic media, the Security Rule is the most applicable. It requires that all electronic Protected Health Information (e-PHI; e.g. mental health history, health payments, healthcare history, etc.) be protected by administrative, physical and technical safeguards. According to HHS, covered entities must ensure the confidentiality, integrity and availability of e-PHI, and must identify, manage and mitigate threats and risks to its security (Summary of the HIPAA Security Rule). In practice the Security Rule seeks to establish an environment where authorized personnel have access to patient information, unauthorized persons do not, and patient information is not improperly altered or destroyed.
Of the 3 Safeguards Only Certain Portions Will Relate to Software
As noted above, the Security Rule is composed of three core sets of safeguards: administrative, physical and technical. Administrative safeguards cover security management, security personnel, workforce training and auditing; physical safeguards cover physical access to the facilities, workstations, servers and devices that hold or reach patient data; technical safeguards cover the electronic mechanisms of access to systems that store or transmit patient data. All three apply to every covered entity and business associate. What varies is how each standard is met: the Security Rule marks its implementation specifications as either "required" or "addressable", and an addressable specification must be implemented, or else the organization must document why doing so is not reasonable and appropriate and what equivalent measure it adopted instead. For the management of patient data via software/computer systems, the technical safeguards are the most pertinent.
Administrative Safeguards Apply to Data Storage and Accessibility
According to HHS, the administrative safeguards comprise the following standards:
- Security Management Process
- Security Personnel
- Information Access Management
- Workforce Training and Management
- Evaluation
Each of the above pertains to the management, training, access-control and periodic-review policies that should guide a medical organization's secure handling of patient data. The Security Management Process in particular requires a documented risk analysis, which is where the software assessment described in the rest of this article is recorded.
Physical Safeguards Cover Access Points to the Software
Per the above, HHS stipulates that physical safeguards pertain to the following:
- Facility Access and Control
- Workstation and Device Security
Physical safeguards pertain to controlling physical access to the facilities, workstations and devices the medical organization uses to reach patient data, and to the secure use, movement, re-use and disposal of the devices and media that hold it.
Technical Safeguards Will Be the Largest Factor To Check Your Software Against
Technical safeguards, according to HHS, are the following:
- Access Control
- Audit Controls
- Integrity Controls
- Transmission Security
Technical safeguards apply mostly to software systems and the mechanisms by which patient data is stored, retrieved and transmitted (the regulation text itself, 45 CFR 164.312, also lists Person or Entity Authentication as a standard). These standards are deliberately technology-neutral: the Security Rule says what must be achieved, not which firewall, anti-malware product or encryption system to use. Encryption of e-PHI at rest and in transit, for example, is an addressable specification, but an organization that chooses not to encrypt must document why and what it did instead.
Checking Your Software’s Compliance to the Technical Safeguards
To ensure compliance with HIPAA, an organization must carry out due diligence by thoroughly checking every software system in use that handles patient data in any way: database systems, communication systems, financial systems, email systems, network systems, etc. Any medical organization that lets patients access their records through a web interface should also check its network systems and web servers for vulnerabilities. Checking software systems should include a few best practices, such as:
- contacting system administrators;
- obtaining feedback from the vendors and/or developers of the software systems;
- obtaining evidence, not just a claim, of whether third-party software is HIPAA compliant, and a BAA where the vendor handles PHI;
- obtaining documentation and technical documents on the software systems;
- reviewing the source code if the software is open source or the code is otherwise available.
Once the required technical information on the software's security mechanisms and inner workings is in hand, it is important to understand how each system stores data, how it retrieves data, and how it transmits data. After that, the systems should be tested both passively and actively to confirm that the data is in fact protected.
Begin By Understanding Where Your Data is Stored
The first step in checking that a medical organization's software complies with HIPAA is to identify where and how patient data is stored. This can include internal storage (database systems, servers, etc.) or external storage (cloud storage), and must include an assessment of how secure the storage solution is. An inventory listing every system that holds e-PHI is also the starting point of the risk analysis the Security Rule requires.
Closed Internal System vs Cloud System
Closed, internal storage systems can include databases, internal servers, and a range of workstations and devices within the medical organization. Cloud storage, by contrast, uses servers that are typically located outside the organization and reached over the network. Because the data leaves the organization's premises, the network path to and from the cloud service must be protected (encryption in transit, authenticated access), and the cloud provider is a business associate: HHS guidance treats a cloud service provider that stores e-PHI as one even when the data is encrypted and the provider holds no key, so a BAA must be in place before any e-PHI is uploaded.
How Secure is the System In Which the Data is Stored?
Wherever patient data is stored, whether in the cloud or on internal systems, the storage must be secured. Cloud storage, when configured correctly, is a sound method of data storage, and internal storage systems can be just as secure when implemented correctly; the difference is control. Internal systems give the organization direct control over every security mechanism, while with a cloud provider the organization controls only its side of the shared-responsibility line (identity, access policy, key management, configuration) and must rely on the provider, under the BAA, for the rest. Revisiting the technical safeguards, storage systems should enforce data integrity (for example, with hashes or keyed message authentication codes that detect unauthorized modification), encrypt e-PHI at rest, and apply appropriate access controls with unique user identification. Where patients access their records through a web browser, sufficient authentication and authorization mechanisms must be implemented, and patient passwords must never be stored as plaintext or as an unsalted fast hash: store them with a per-user random salt and a deliberately slow password-hashing function such as scrypt, bcrypt, PBKDF2 or Argon2.
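The following is an added example, not code from the original article, showing the two storage controls just described using only Python's standard library: the unsalted MD5 pattern the text calls broken beside per-user salted scrypt with a constant-time comparison, and a keyed HMAC-SHA256 integrity tag over a stored record. The scrypt cost parameters, the in-process integrity key and the sample record values are assumptions for the demonstration; in production the key would come from a key-management service, not be generated by the process.

```python
import hashlib
import hmac
import json
import secrets

# --- Weak pattern: unsalted MD5 (the text lists MD5 as broken).
# Every patient who chose the same password gets the same digest, so a stolen
# table can be cracked offline against precomputed tables.
def weak_password_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# --- Hardened pattern: per-user random salt plus scrypt, a memory-hard KDF,
# compared in constant time. Cost parameters are assumed values; tune them to
# the login servers so a verification takes on the order of 100 ms.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

def hash_password(password: str) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # Parameters are stored with the hash so they can be raised later per user.
    return {"kdf": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "hash": digest.hex()}

def verify_password(password: str, stored: dict) -> bool:
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(stored["salt"]),
                            n=stored["n"], r=stored["r"], p=stored["p"], dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), stored["hash"])

# --- Integrity of a stored record: HMAC-SHA256 over a canonical encoding.
# A plain checksum stored beside the row can be recomputed by whoever edits the
# row; a keyed MAC cannot be forged without the key, which the application holds
# (assumed: a KMS/HSM-backed secret in production, generated inline for the demo).
INTEGRITY_KEY = secrets.token_bytes(32)

def _canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators so the same data always serializes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"data": dict(record), "mac": tag}

def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    expected = hmac.new(key, _canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])

if __name__ == "__main__":
    # Constructed sample data, not real PHI.
    alice = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", alice))
    print("same password, same MD5:",
          weak_password_hash("pass1234") == weak_password_hash("pass1234"))
    print("same password, different scrypt:",
          hash_password("pass1234")["hash"] != hash_password("pass1234")["hash"])
    rec = seal_record({"patient_id": 1001, "diagnosis": "J45.20"})
    print("record intact:", verify_record(rec))
    rec["data"]["diagnosis"] = "Z00.00"   # unauthorized edit of the stored row
    print("record after tamper:", verify_record(rec))
```

The point of storing the scrypt parameters with each hash is that the cost can be raised for a user the next time they log in, without a flag day; the point of the HMAC over a canonical encoding is that reordering or re-serializing the record does not produce spurious integrity failures, while any change to a value does.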
Next Consider Ways That the Data is Transferred
As noted above, the statistics show that the greatest vulnerability in medical IT systems has been in network systems and servers. The transmission of data over a network, wireless or wired, is therefore a crucial factor in determining whether a medical organization's IT systems are truly secure.
Is Encryption Used When Transferring Data Across Open Networks?
One of the most important factors in transmitting data over a medical network is whether the data is encrypted. Plaintext data can be sniffed by an attacker on the path, exposing private patient data; encryption prevents captured traffic from being read. Medical organizations should not run open wireless networks (Open System authentication with no encryption) or the broken WEP standard. Use WPA2 at minimum, preferably WPA2-Enterprise (802.1X with per-user credentials) rather than a single shared pre-shared key, with AES (CCMP) as the cipher. Link-layer Wi-Fi encryption only protects the radio hop, however; e-PHI should additionally be protected end to end with TLS (or a VPN) so that it stays encrypted across the wired network and the internet. For encryption, use AES-256 or an equivalent modern cipher in an authenticated mode; for hashing and checksums, use SHA-256 or stronger. Avoid primitives and protocols that are broken or deprecated, such as MD5, SHA-1, WEP, RC4 and SSL 2.0/3.0.
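As an added example (not part of the original article), here is how an assessor might check the transport settings just described using Python's ssl module: a client context with certificate verification turned off, which is how many integration scripts are actually written, beside a hardened one, and a small audit function that flags the weak settings. The cipher string and the list of weak-cipher markers are assumptions chosen to match the broken primitives the text names.

```python
import ssl
from typing import List, Optional

# Substrings of OpenSSL cipher-suite names for the primitives the text calls
# broken (plus anonymous/null and export suites). Assumed list for the audit.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")

def weak_client_context() -> ssl.SSLContext:
    """A common legacy pattern: TLS in name only, because the peer is never verified,
    so anyone on the network path can impersonate the server and read the e-PHI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verified TLS 1.2+ restricted to forward-secret AEAD suites."""
    # create_default_context() loads the trust store and sets CERT_REQUIRED
    # plus hostname checking; cafile (assumed path) pins an internal CA if given.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, TLS 1.1
    # TLS 1.2 suite selection; TLS 1.3 suites are AEAD-only and chosen separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings an assessor would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    print("legacy context:", audit_context(weak_client_context()))
    print("hardened context:", audit_context(hardened_client_context()))
```

The same checks apply in reverse to the server side of a patient portal: the protocol floor and the cipher list are what an external scanner will report, while the verification settings are what an internal review of the application's own outbound connections (lab interfaces, billing, cloud storage) needs to catch, since those never show up in an external scan.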
It Never Hurts to Have Assistance in Checking HIPAA Compliance
A thorough security audit and HIPAA compliance check is not complete until a professional has run passive and active security tests against the medical software systems, which helps ensure that the systems have no critical vulnerabilities and that security controls are correctly installed and implemented. Medical systems should therefore undergo a vulnerability scan, which identifies known vulnerabilities in the medical IT infrastructure, and an active penetration test, which attempts to bypass security controls and determine whether a successful compromise of the software systems can be carried out. The results feed the documented risk analysis that the Security Rule's Security Management Process requires, so keep the findings, the remediation decisions and their dates.
HIPAA's audit-controls standard also calls for logging and monitoring of activity in systems that contain e-PHI: record who accessed which record and when, protect the logs from alteration, and review them for misuse such as an employee browsing records they have no treatment relationship with. Complement this with anti-malware, firewalls and Intrusion Detection Systems (IDSs) on the medical network.
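An added example, not from the original article, of an audit control that meets the intent above: a hash-chained access log in which each entry commits to the previous one, so an edited or deleted entry breaks verification, plus a simple review rule that flags an account reading more distinct patients than its role needs. The event values, actor names and the threshold are constructed for the demonstration.

```python
import hashlib
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

GENESIS_HASH = "0" * 64

def _link_hash(prev_hash: str, entry: dict) -> str:
    # Each link hashes the previous link's hash together with a canonical
    # encoding of this entry, so the hash commits to the whole history.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

class AuditLog:
    """Append-only access log where every entry is chained to the one before it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, ts: str, actor: str, action: str, patient_id: str) -> str:
        entry = {"ts": ts, "actor": actor, "action": action, "patient_id": patient_id}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        link = _link_hash(prev, entry)
        self.entries.append({"entry": entry, "hash": link})
        return link

    def verify(self) -> Tuple[bool, int]:
        """Return (ok, index): index of the first broken link, or the length if intact.
        Edits or deletions inside the chain invalidate every later link. Truncating
        the tail is only caught if the latest head hash is also kept somewhere the
        log writer cannot reach (a separate system, a signed timestamp)."""
        prev = GENESIS_HASH
        for i, row in enumerate(self.entries):
            if _link_hash(prev, row["entry"]) != row["hash"]:
                return False, i
            prev = row["hash"]
        return True, len(self.entries)

def bulk_access_actors(log: AuditLog, max_distinct_patients: int) -> List[str]:
    """Review rule: actors who read more distinct patients than the threshold."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for row in log.entries:
        e = row["entry"]
        if e["action"] == "read":
            seen[e["actor"]].add(e["patient_id"])
    return sorted(actor for actor, pts in seen.items() if len(pts) > max_distinct_patients)

def build_sample_log() -> AuditLog:
    # Constructed events, not real activity: a clinician touching one chart, and
    # one account reading ten different charts in the middle of the night.
    log = AuditLog()
    log.record("2017-07-10T08:01:00Z", "dr.smith", "read", "MRN-1001")
    log.record("2017-07-10T08:03:00Z", "dr.smith", "update", "MRN-1001")
    for n in range(1002, 1012):
        log.record("2017-07-10T02:%02d:00Z" % (n - 1000), "nightshift", "read", "MRN-%d" % n)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    print("bulk readers:", bulk_access_actors(log, max_distinct_patients=5))
    log.entries[1]["entry"]["action"] = "read"   # someone rewrites history
    print("after edit:", log.verify())
```

The threshold for the review rule is a policy decision that depends on the role; the mechanism is what matters for the audit-controls standard: the log must be complete, attributable and tamper-evident, and someone must actually look at it.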
All web applications and networks should also be tested for common vulnerabilities such as cross-site scripting (XSS), SQL injection and the other common attack vectors that criminals use against weak IT systems. Web interfaces that let patients access their data online must use TLS 1.2 or later, with SSL 2.0/3.0 and early TLS versions disabled and certificate validation enforced, rather than the deprecated SSL protocols.
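An added example (not the article's code) of the SQL injection check named above, run against an in-memory SQLite table of constructed patient rows: a patient-lookup query built by string concatenation beside its parameterized form, and the authorization rule a patient portal also needs so that even a correctly parameterized query cannot return another patient's record. Column names, MRN values and the payload are assumptions.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows, not real PHI.
SAMPLE_PATIENTS = [
    ("MRN-1001", "Ada Example", "1970-01-01", "J45.20"),
    ("MRN-1002", "Bob Sample", "1985-06-15", "E11.9"),
    ("MRN-1003", "Cara Fixture", "1992-11-30", "F41.1"),
]

# Classic tautology payload: the closing quote ends the literal, and the OR
# clause makes the WHERE condition true for every row.
INJECTION_PAYLOAD = "' OR '1'='1"

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, dob TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", SAMPLE_PATIENTS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, mrn: str) -> List[Tuple]:
    # The request value is spliced into the statement text, so the database
    # parses it as SQL. This is the pattern a penetration test should find.
    sql = "SELECT mrn, name, diagnosis FROM patients WHERE mrn = '%s'" % mrn
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, mrn: str) -> List[Tuple]:
    # Bound parameter: the driver sends the value as data, never as SQL text,
    # so the payload is simply an MRN that matches nothing.
    return conn.execute(
        "SELECT mrn, name, diagnosis FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()

def lookup_for_session(conn: sqlite3.Connection, session_mrn: str,
                       requested_mrn: str) -> List[Tuple]:
    # Authorization on top of safe querying: a patient-portal session may only
    # read its own record, whatever MRN the request names. The session value
    # comes from the authenticated session, not from the request.
    if requested_mrn != session_mrn:
        return []
    return lookup_parameterized(conn, session_mrn)

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable + payload:", lookup_vulnerable(conn, INJECTION_PAYLOAD))
    print("parameterized + payload:", lookup_parameterized(conn, INJECTION_PAYLOAD))
    print("other patient's record via portal:",
          lookup_for_session(conn, "MRN-1001", "MRN-1002"))
```

The second function is the fix for injection; the third is the fix for the more common portal defect, where the query is safe but the application trusts the record identifier in the request and hands one patient another patient's chart.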
HIPAA-specific assessment tools can also help structure the review. One example is the Security Risk Assessment (SRA) Tool launched jointly by HHS's Office of the National Coordinator for Health Information Technology (ONC) and OCR. Note that the SRA Tool is a guided self-assessment questionnaire that walks an organization through the Security Rule's requirements and documents its risk analysis; it does not scan or test systems, so it complements, rather than replaces, vulnerability scanning and penetration testing.
HIPAA is a complex piece of U.S. legislation that regulates how a medical patient's private information is handled, stored and transmitted. It requires health organizations and their business associates to exercise due diligence in protecting patients' PHI, including when computer and software systems are used to record and transmit that information. Specific rules within HIPAA therefore apply to an enterprise's software infrastructure, above all the Security Rule, which requires administrative, physical and technical safeguards. When it comes to the most software-relevant of these, the technical safeguards, businesses must thoroughly assess, analyze and test their systems to confirm that they meet the regulation. Strong encryption standards, secure data storage, tamper-evident audit logging, and both active and passive security testing (penetration tests and vulnerability scans, respectively) help mitigate a costly data breach before it happens, while documenting the due diligence that HIPAA compliance requires.