On January 25th, 2013, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) published the final privacy and security regulations, the Final Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Rules took effect about a month ago, and September 23rd is the compliance deadline for most of the HIPAA requirements. Penalties for non-compliant companies will be imposed from September 2014.
Unfortunately, following the requirements is not enough to protect a client's data against attackers. This post discusses where HIPAA falls short and how those gaps can be closed.
Following the Rules is not enough
The HIPAA security requirements for ePHI (Electronic Personal Health Information) describe the basic requirements that protect your system from some security threats. The other category of certification demands based on HIPAA, the CCHIT (Certification Commission for Health Information Technology) requirements, contains more items and analyses common threats from attackers in more depth. Although HIPAA and CCHIT present effective security points, they don't cover all of the threats you could face.
I'd like to highlight the major security threats not covered by the HIPAA and CCHIT certification requirements.
Penetration testing. The main shortcoming is the failure to mention mandatory penetration testing of the end product. There are many simple ways for an attacker to compromise a system and gain access to ePHI or other sensitive information, and such a compromise can cause enormous damage to the companies that use the system. Unfortunately, the standards say nothing about performing at least annual penetration testing of the product. Penetration testing reduces the risk of system damage and data loss.
Organization of the internal network. The requirements do not spell out the internal network infrastructure in detail. Each workstation should run a set of security tools such as antivirus, a local firewall, etc., and all unused and unlicensed services should be removed. In addition, use quality monitoring software for intrusion detection and prevention (NIDS, HIDS, NIPS, HIPS). Then, if a single workstation is compromised, the rest of the network stays safe.
Well-educated developers. I didn't find any mention of requirements for software developers. The program must be written using secure coding techniques, and developers should know about the prevalent classes of vulnerabilities. This prevents many problems later.
Forgotten-password situations. Some issues that already exist in the HIPAA and CCHIT standards are not described well enough. For example, there is no description of the correct sequence of actions in case of password loss and recovery.
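Since the standards leave the recovery sequence unspecified, the following is an added example of what a sound one looks like; it is not code from the original post. It assumes an account store keyed by e-mail address, a mail hook represented by an in-memory outbox, and a 15-minute token lifetime (all assumptions). The points a reviewer would check for are that the reset token is random and stored only as a hash, that it expires and can be used once, that the request step answers identically whether or not the address is registered, and that a successful reset revokes every other outstanding token for that account.

```python
"""Password-recovery token handling (added example; assumptions are marked)."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60     # assumption: a reset link is valid for 15 minutes
PBKDF2_ITERATIONS = 200_000     # assumption: work factor for stored password hashes


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns salt || digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def check_password(password, stored):
    """Constant-time comparison of a candidate password against salt || digest."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return secrets.compare_digest(candidate, digest)


def _token_digest(token):
    """Tokens are kept only as SHA-256 digests, so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


class RecoveryService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts   # email -> stored password hash (constructed sample data)
        self._tokens = {}          # token digest -> (email, expires_at)
        self._clock = clock        # injectable so expiry can be exercised deterministically
        self.outbox = []           # stands in for the mail system: (email, token)

    def request_reset(self, email):
        """Step 1: issue a one-time token. The reply is identical whether or not the
        address is registered, so this endpoint cannot be used to enumerate accounts."""
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            self._tokens[_token_digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        """Step 2: consume the token (even if expired), check its lifetime, set the
        new password, then revoke every other outstanding token for the account."""
        entry = self._tokens.pop(_token_digest(token), None)
        if entry is None:
            return False
        email, expires_at = entry
        if self._clock() > expires_at:
            return False
        self.accounts[email] = hash_password(new_password)
        self._tokens = {d: v for d, v in self._tokens.items() if v[0] != email}
        return True

    def login(self, email, password):
        stored = self.accounts.get(email)
        return stored is not None and check_password(password, stored)


if __name__ == "__main__":
    # Constructed sample account; the outbox shows what the mail hook would send.
    svc = RecoveryService({"alice@example.test": hash_password("old-password")})
    print(svc.request_reset("alice@example.test"))
    _, token = svc.outbox[0]
    print("reset applied:", svc.complete_reset(token, "new-password"))
    print("replay accepted:", svc.complete_reset(token, "again"))
    print("login with new password:", svc.login("alice@example.test", "new-password"))
```

The token lookup is a plain dictionary access on the SHA-256 digest rather than a constant-time comparison; because the stored key is a hash of the random token, timing differences reveal nothing usable about the token itself. The expired-token branch still pops the entry so that stale tokens do not accumulate.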
By protecting data, you protect lives
When implementing a new system for a healthcare provider, make sure that it is secure against unauthorized access. Don't put the organization's and its clients' private information at risk.