Cybersecurity and HIPAA
The HIPAA regulation is a rather expansive regulation. With all of the aspects HIPAA has to note for the of the different environments and cases encountered, including the administration, technical, and physical security issues to be addressed, it is almost surprising this regulation is not longer.
As important as HIPAA and securing the medical data, information, and records are, the scrutiny of the HIPAA-applicable enterprise needs to grow in depth and width. Presumptively there is a sigh among CISOs at this point, however this is valid. The driving force behind this has been the increased use of electronic health records and history (EMR and EHR) and the greater use of mobile devices in the workplace holding or with access to the medical data in its various forms.
There are numerous books, white papers, webinars, conferences, etc. on apply the HIPAA regulation to the workplace. At times the helpful information inundates your inbox to the point of paralysis by analysis. There are a few areas of concern that most healthcare facilities should monitor to ensure the enterprise is secure as possible.
One area to monitor are the contact forms located on the web or to set an appointment. It is not well-documented if these need to be HIPAA compliant. Due to this, these two options are often not included in the HIPAA compliance review and are not genuinely HIPAA compliant. The issue revolves around information provided on the form by the patient. The patient, since they are accessing the medical facility’s website, may provide their ePHI (electronic personal health information).
Another area generally not thought of for this issue are the patient review forms completed online. These are generally provided to the patients as a quality assurance measures. If there tends to be a shortfall in an area, the hospital or other medical facility are able to improve their operations and the patient experience. This area has the same potential issues of the patient revealing their ePHI inappropriately.
With these two noted areas and others, there is the opportunity for confidential health information to be leaked. The source of the issue may be the patient’s themselves and probably will be inadvertent. With the potential of the data and information being accessed due to a lack of HIPAA controls being in place, a far more prudent step would be to simply add this into the areas being protected by the IPAA guidance. The additional minor expense of this action is not significant in comparison the costs if this information were to be secured by an unauthorized third party.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.