Since the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, healthcare organizations have been required to protect the privacy and security of electronic protected health information (e-PHI). Recently, the National Institute of Standards and Technology (NIST) released updated guidance on implementing the HIPAA Security Rule (NIST Special Publication 800-66). The guidance applies to covered entities and their business associates and is designed to help both groups protect e-PHI from threats such as cyberattacks.
The updated guidance includes new or clarified material on risk assessments, security controls, incident response, and data breach notification. Perhaps the most significant point is its emphasis on periodic risk assessments. These assessments must be comprehensive, must take the changing threat landscape into account, and must be documented and reviewed regularly. Covered entities must then implement security controls that protect e-PHI from unauthorized access, use, or disclosure. Those controls must be driven by the risk assessment results and must preserve the confidentiality, integrity, and availability of e-PHI.
What is the Security Rule?
The Security Rule requires covered entities (CEs) to take a risk-based approach to security, meaning they must assess the risks to e-PHI in their environment and put in place measures to mitigate those risks. The Rule contains three types of safeguards: administrative, physical, and technical.
The administrative safeguards are the procedures, policies, and people that CEs put in place to protect e-PHI. They include risk analysis and risk management, security awareness training, employee screening and background checks, and incident response. They also include periodic access reviews: regularly checking who has access to e-PHI and confirming that each person still needs it. These safeguards are designed to ensure that only authorized individuals have access to e-PHI and that those individuals understand their responsibility to protect it.
The physical safeguards are the physical security measures that CEs put in place to protect e-PHI. They include facility security plans, access control systems, and workstation security. These safeguards are designed to ensure that only authorized individuals have physical access to e-PHI and that e-PHI is safeguarded correctly when accessed, used, or stored. Organizations can also use physical safeguards to control who has access to their facilities and to monitor and record access to e-PHI.
The technical safeguards are the technology-based security measures that CEs put in place to protect e-PHI. They include things like access control, encryption, and audit trails. These safeguards are designed to ensure that only authorized individuals have access to e-PHI and that e-PHI is properly safeguarded when it is accessed, used, or stored. Technical safeguards can also be used to control access to an organization’s network and monitor and record access to e-PHI.
What’s New in the Updated Guidance
The updated guidance from NIST contains several changes that healthcare organizations should be aware of:
- The guidance clarifies that CEs must take a risk-based approach to security, meaning they must assess the risks to e-PHI in their environment and put in place measures to mitigate those risks.
- The guidance provides updates on administrative, physical, and technical safeguards.
- The guidance includes new information on risk analysis and risk management.
Relevance to Identity and Identity Recertification
The guidance makes clear that organizations that collect and handle e-PHI must have specific access controls in place, and it gives explicit direction on access recertification.
Specifically, section 18.104.22.168, under the control "Implement Policies and Procedures for Access Establishment and Modification", spells out the need for access recertification:
- “Regularly review personnel access to ePHI to ensure that access is still authorized and needed”
YouAttest and Access Reviews
YouAttest is a purpose-built tool for access recertification. It ingests identity, role, and application information and then lets a risk manager, internal or external, send recertification campaigns to all relevant managers. Both the application owner and the business owner can be asked to certify the access, and the process can be automated to recur at regular intervals. YouAttest is used by many organizations that have to meet HIPAA compliance requirements.
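The recertification control quoted above, and the campaign workflow described in this section, can be shown concretely. The following is an added example written for this page; it is not YouAttest code and not code from the NIST guidance. It assumes a quarterly review interval, a rule that e-PHI entitlements need both the user's manager and the application owner to certify, and a fail-closed policy under which an entitlement that is not certified by every required reviewer is revoked. The user, application and reviewer names are constructed sample data.

```python
"""Access recertification campaign: illustrative example, not YouAttest code.

Input: entitlements (who holds which role on which application), the manager
responsible for the person, the owner responsible for the application, and the
date the entitlement was last certified.
Output: per-reviewer campaign items for everything due for review, and a
function that applies the reviewers' decisions (certify / revoke).
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed quarterly cadence; the Security Rule says "regularly", not a fixed interval.
REVIEW_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class Entitlement:
    user: str
    manager: str                    # business reviewer (the user's manager)
    application: str
    app_owner: str                  # application reviewer
    role: str
    handles_ephi: bool              # does this role expose e-PHI?
    last_certified: Optional[date]  # None = never certified
    active: bool = True


def is_due(ent: Entitlement, today: date, interval: timedelta = REVIEW_INTERVAL) -> bool:
    """Active access is due if it was never certified or its last certification is older than the interval."""
    if not ent.active:
        return False
    if ent.last_certified is None:
        return True
    return today - ent.last_certified >= interval


def required_reviewers(ent: Entitlement) -> FrozenSet[str]:
    """Assumed policy: e-PHI access needs manager and application owner; other access needs the manager only."""
    if ent.handles_ephi:
        return frozenset({ent.manager, ent.app_owner})
    return frozenset({ent.manager})


def build_campaign(entitlements: List[Entitlement], today: date,
                   interval: timedelta = REVIEW_INTERVAL) -> Dict[str, List[Entitlement]]:
    """Return {reviewer: [entitlement, ...]}, listing each due entitlement once per required reviewer."""
    campaign: Dict[str, List[Entitlement]] = {}
    for ent in entitlements:
        if not is_due(ent, today, interval):
            continue
        for reviewer in sorted(required_reviewers(ent)):
            campaign.setdefault(reviewer, []).append(ent)
    return campaign


Decision = Tuple[str, str, str, str]  # (reviewer, user, application, role)


def apply_decisions(entitlements: List[Entitlement], decisions: Dict[Decision, str],
                    today: date, interval: timedelta = REVIEW_INTERVAL) -> List[Entitlement]:
    """Fail closed: a due entitlement survives only if every required reviewer answered "certify".

    A "revoke" or a missing answer deactivates it; a certified entitlement gets today's date.
    Entitlements that were not due are returned unchanged.
    """
    out: List[Entitlement] = []
    for ent in entitlements:
        if not is_due(ent, today, interval):
            out.append(ent)
            continue
        votes = [decisions.get((r, ent.user, ent.application, ent.role)) for r in required_reviewers(ent)]
        if votes and all(v == "certify" for v in votes):
            out.append(replace(ent, last_certified=today))
        else:
            out.append(replace(ent, active=False))
    return out


# Constructed sample data (assumed names, not real accounts).
TODAY = date(2023, 6, 1)
SAMPLE = [
    Entitlement("alice", "bob", "ehr", "carol", "clinician", True, date(2023, 1, 15)),   # 137 days: due
    Entitlement("dave", "bob", "ehr", "carol", "billing-readonly", True, None),          # never certified: due
    Entitlement("erin", "frank", "wiki", "gina", "editor", False, date(2023, 5, 1)),     # 31 days: not due
    Entitlement("heidi", "frank", "ehr", "carol", "clinician", True, date(2022, 12, 1), active=False),
]
# bob and carol both certify alice; bob certifies dave but carol never responds,
# so dave's e-PHI access is revoked by the fail-closed rule.
DECISIONS = {
    ("bob", "alice", "ehr", "clinician"): "certify",
    ("carol", "alice", "ehr", "clinician"): "certify",
    ("bob", "dave", "ehr", "billing-readonly"): "certify",
}

if __name__ == "__main__":
    for reviewer, items in build_campaign(SAMPLE, TODAY).items():
        print(reviewer, "must review:", [(e.user, e.application, e.role) for e in items])
    for e in apply_decisions(SAMPLE, DECISIONS, TODAY):
        print(e.user, e.application, "active" if e.active else "REVOKED", e.last_certified)
```

The fail-closed rule is the security-relevant choice here: silence from a reviewer removes access rather than silently extending it, which is what keeps a recertification campaign from degrading into a rubber stamp. The campaign and decision records together form the documentation the Rule expects an organization to be able to produce.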
Effect on Organizations
The updated guidance from NIST affects every healthcare organization that is subject to the HIPAA Security Rule. Organizations should review the guidance and confirm that they comply with the latest requirements. Failure to comply with the Security Rule can result in civil and criminal penalties, and HIPAA violations can cost your organization up to $1.5 million per year for each category of violation. In the event of a data breach, covered entities must notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media. They must also take steps to mitigate the effects of the breach.
YouAttest is an automated identity audit tool for your identity and access controls. Cloud-based and simple to use – YouAttest provides a unified risk platform for your identity audits with the quickest time-to-value and no implementation cost. Contact us and we will start your identity auditing journey.