By Melanie Purkis, Liquid Web
Health Insurance Portability and Accountability Act (HIPAA) compliance is complex and requires adherence to a number of checks in order to keep sensitive data secure. Healthcare organizations and others that deal with sensitive personal data are in a tough spot. Unlike PCI (Payment Card Industry) compliance, there is no certifying body to ensure that relevant organizations remain compliant.
Instead, health organizations must do their best to abide by the requirements set forth without being “certified” as compliant. Unfortunately, this usually means that noncompliance or other vulnerabilities don’t come to light until there is a massive cyberattack or data breach. Considering that healthcare cyber attacks, on average, cost $1.4 million in recovery, organizations should consider both whether they are compliant and whether compliance is really enough.
Tug Of War Between Compliance And True Security
The reality of the modern digital era is that “simple” HIPAA compliance is not enough. Data breaches still happen—and they are on the rise. Relying on HIPAA compliance to cover all of an organization’s security concerns is a fool’s game and can actually weaken cybersecurity defenses.
Simply stated, HIPAA compliance is just meeting the minimum standards for security. It does not guarantee complete protection against cyber attacks and hacks. The healthcare industry has ample room for growth in this area and has been slow to address looming concerns about the lack of robust security tools that accommodate emerging technologies such as cloud-based environments, the Internet of Things (IoT), and increased device usage.
Taking Security Up A Notch
Rather than focusing solely on HIPAA compliance, healthcare organizations should consider the different areas where security concerns must be addressed.
- Access control - Controlling and limiting access according to the need-to-know principle.
- Risk management - Maintaining protocols and processes for identifying security risks (known threats and vulnerabilities, as well as the assets they may impact) and for planning the response.
- Security policy - Creating and enforcing a measurable, repeatable, and enforceable security policy.
- Organization of information security - Creating a framework for management to govern, train, and supervise the operation of information security across the organization.
- Compliance - Assigning a person (or people) to develop, maintain, and abide by a HIPAA-compliant privacy program.
- Asset management - Documenting and maintaining an accurate record of assets and data owners, including notation of any risk and security issues.
- Physical and environmental security - Implementing policies and procedures to protect tangible assets and to reduce the risk of physical failure of infrastructure components or their unauthorized use.
- Communications and operations management - Ensuring proper and secure implementation and operation of information processing across the organization.
- Information security incident management - Outlining a process for identifying, analyzing, documenting, and managing security threats and incidents.
The application of HIPAA standards varies, due to varying perceptions of what compliance really means. This can place healthcare organizations at risk if they do not complete due diligence across all matters of security. Clarity on compliance is important, but organizations must go beyond basic compliance to secure the entirety of the organization from the rising number of bad actors.
About The Author:
Melanie Purkis is the Product Leader for Liquid Web's Managed Hosting Products & Services, including HIPAA Compliant Solutions. Melanie has 23 years of experience with professional leadership in the IT and web hosting industries.