HIPAA Security Requirements and Tips for Keeping your Data Secure.
HIPAA security has changed since March of 2013. The new rules change the way everyone deals with electronic Protected Health Information (e-PHI) as well as the networks and vendors the companies use to view and transfer these documents. Under the new rules, you can be fined up to $1.5 Million per year if you are not in compliance, and up to $50,000 per violation. Also now business associates can be held responsible for data breaches and if that were not enough: you now you have to prove that you haven’t had a data breech instead of the opposite. Under the new rules they assume that you have had a security breech unless you can document otherwise. For companies that have policies and procedures for HIPAA that are older than 3 years: You may want to read through your Business Associate Agreements (BAAs) and your policies to make sure the new rules are put into place.
Simplified Technical Safeguards Required by HIPAA
- Access Control: Have policies and procedures in place that determine who has access to e-PHI.
- Audit Controls: Keep a record of your information systems security status and use. This means keep logs and reports of physical security, software, and other mechanisms used to contain or look at e-PHI.
- Integrity Controls: Make sure that e-PHI is not improperly altered or destroyed.
- Transmission Security: Protect the transmission of e-PHI over networks. This means using encryption and having properly configured firewalls and networks.
Visit HHS.GOV here for the actual specifications/requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
In short it is important to make sure you are in compliance to these new rules and that your IT vendor/department is aware of these requirements.
Below you will find some of the ways your data can be breached and some possible prevention methods:
Phishing is when attackers send you emails or have links in websites that are tailored to look legitimate, but when an unsuspecting person clicks on a link or opens a file within an email it harms the computer. Also, Spear Phishing is an even more targeted attack, in which the hacker gathers info about you to tailor a personalized email message just for you.
- Don’t click on email attachments or links that you are not 100% sure are from a legitimate source.
- Use Spam fighters and Antivirus software to protect your email
- Don’t give out your email to unknown online sites (for example: win $1000 by filling out this form)
- Check to see if your email has be pwned (compromised): https://haveibeenpwned.com/
Man in the Middle Attacks:
Man in the middle attacks intercept data between two points and attempt to steal and decrypt the information. This can be done by spoofing a “trusted” network that your device has connected to in the past. You may see this if you are at a hotel and your phone tells you that you are connect to your home network?!?!
- Use a VPN to encrypt your online communication
- Look for the lock symbol next to the web address to ensure that SSL and/or TLS is being used.
- Note if you see a lock icon but also an exclamation mark or an X don’t enter in any sensitive info.
Buffer overflow is when an attacker breaks a program by giving it too much information (like a really long username). The attacker can then insert code into the website or software that goes where it should not and gain access to a system. This is a high level of attack and difficult to prevent
- If your company has proprietary software ask the programmers to look at the code to see if they are vulnerable to buffer overload.
- Hire a professional to test your software/website
- Make sure that all of your software is up to date
Brute Force Attacks:
Brute force attacks can be very effective against systems that have weak user names and passwords. A brute force attack will try thousands if not millions of usernames and passwords to try to find the right one. More sophisticated attacks use “dictionaries” of the most common passwords to quicken the process.
- Use strong Passwords
- Set a policy for log in attempts