Healthcare Data Security: HIPAA and the Principle of Least Privilege

Photo by Hush Naidoo

Last year was a red-letter year for healthcare data breaches with the exposure of over 41 million private patient records. By some estimates, that personal health information (PHI) is more valuable on the black market than is personally identifiable information (PII), which accounts for its popularity and suggests that the number of healthcare data attacks will continue to grow. The rising numbers, however, are challenging because the 1996 Health Information Portability and Accountability Act (HIPAA) established a comprehensive framework of protocols designed to prevent these very cybercrimes from happening. It is dismaying that, even with those standards in place, many companies still find their data stores hacked despite their efforts to comply with the Act.

Unfortunately, in many cases, the cause of the failure is the legacy software used to protect PHI, which isn’t suited to the types of data generated within today’s complex computing environment. It is also not purposefully designed to manage or monitor the access by thousands of identities, both human and non-human,  that ultimately gain access to the information, legitimately or otherwise. Without appropriate technology and safeguards in place to guard against these access intrusions, many healthcare companies will continue to be targeted by cyberthieves.

The 2019 numbers are alarming:

• The 2019 total of 510 reported breach events shows a rise of 37.4% over 2018’s figure of 371.
• The thefts affected more than 12% of the entire U.S. population.
• The total number of records breached in that one year was more than the combined total of all such thefts in the six years from 2009 through 2014.

And the type of breach is also notable:

• More than half of all reported breach incidents (59.4%) were declared hacking/IT occurrences. They also accounted for 87% of the total number of stolen files.
• Almost one-quarter (23.3%) involved a ‘business associate’ in some form, which could mean an employee, a third-party contractor, or even a ‘non-person’ buried deep in a contracted service.
• More than one-quarter (28%) were caused by unauthorized access or disclosure incidents, which accounted for over 11% of the total of exposed records.
• Of the 510 breaches, 346 involved phishing attacks that aimed at records in both email and server files.

Each healthcare record can contain as many as ten personally identifying characteristics about the individual and can be sold on the black market for thousands of dollars. Thieves leverage the information to extort money from theft victims, manufacture false insurance claims, and purchase thousands of dollars of goods for which the victim must pay.

At least one expert asserts that frequent breaches of healthcare records because the industry has ‘the worst cybersecurity systems in the world.‘ Too many health organizations continue to rely on outdated technologies and methodologies to protect the billions of data bits they amass each year. The thieves know this and exploit it.

Healthcare leaders compound the problem by failing to invest as much in their data technology as they do in their medical devices. Many healthcare companies are led by medical professionals who may be brilliant in the operating theater but not so in tune with the IT department. Compounding the matter, many of the medical devices were not designed, with security in mind, for the interconnected world we find ourselves in. Over the years features have been added to allow them to get onto the network but oftentimes, not to secure them as they do so. And those lapses often also result in falling out of compliance with HIPAA’s data security mandates.

The purpose of the HIPAA data security rules is to ensure that all PHI retains its confidentiality to only those who need access to it, its integrity, and that it’s available when needed. The latter could be a matter of life and death.  . Fundamentally, the HIPAA framework segregates healthcare data privacy mandates into three main components:

These rules define what records contain ‘PHI’ and apply to the PHI of every individual treated by a healthcare facility or provider. Relevant data includes past, present, and future health concerns, the providers’ identity, and the payments made to cover those healthcare services. The privacy rules also provide standards for the individual and corporate entities that provide healthcare services, including health plans, health care clearinghouses, and healthcare providers that use technology for certain enumerated health care transactions.

Notably, the HIPAA privacy rule offers guidance on appropriate uses for and disclosures of PHI, limiting its exposure only to minimum necessary instances. Following current confidentiality standards, the provision mandates that providers keep PHI private except in situations where only ‘minimum necessary information’ should be shared, such as when making treatment decisions, sharing with care team members, or when authorized by the patient or their agent.

Records maintained in electronic form are noted as ePHI. Entities that have access to ePHI for any reason must maintain appropriate safeguards to protect its security, including:

• provisioning adequate safeguards for data generated within their facility;
• assessment of risks of breach or corruption within their environments;
• protecting against inadvertent or intentional disclosures or impermissible uses by releasing information only in minimum necessary circumstances, and
• assuring their workforce remains compliant with the HIPAA rules.

Entities subject to ePHI data security controls include any person or company that accesses any element of the information for any reason, such as the labs, third-party vendors, subcontractors, and other service providers that exist within the chain of healthcare services.

When PHI and ePHI breaches occur providers are required to notify affected individuals of the violation of their PHI files. The notification must include the type of data exposed, the entity (if known) that received the information, the extent of the exposure, and the efforts undertaken to limit any damages.

Until relatively recently, healthcare data security practices clarified ‘documents’ as the assets to be protected, so it made sense to use firewalls – both physical and virtual – and encryption to surround those documents and keep their patient information safe.

However, even before the COVID-19 pandemic, the volume of digitized healthcare data was exploding beyond all imagination, and, in many cases, beyond the managing and security capacities of legacy technology. The burgeoning use of data to drive almost all medical protocols is just one aspect of that growth. An equally impressive explosion in the types of unstructured data is also contributing to increasing strains on legacy healthcare tech, making it harder for those IT departments to achieve, let alone maintain HIPAA compliance.

Today’s technology manages digitized information that is used by many different programs and services that are relevant to a myriad of healthcare functions. Every individual data bit lives in a data storage facility somewhere, attached to one or more databases, and is accessible by (sometimes) thousands of Identities . Because that information is not isolated within a single ‘document,’ legacy  controls are no longer sufficient to protect the massive, highly distributed, volumes of data.

Instead, today’s HIPAA-compliant healthcare data security practices focus on ‘who’ and ‘what’ has access to it – aka Identities  – and whether that access is appropriate within the ‘minimum necessary’ standard. They look for who has a ‘privilege’ to access ePHI, then determine whether that privilege is also the least possible to adequately perform their function. This is commonly known as the least privilege principle and it ensures that only those Identities  with appropriate authorization can gain access to ePHI, and when doing so, that their privileges are limited to meeting the ‘minimum necessary’ standard.

Sadly, the 2019 healthcare data breach scenario will be replayed in 2020 and beyond if healthcare companies don’t upgrade their data security tech to meet both that threat and the mandates of the HIPAA law. Sonrai Security provides comprehensive, cloud-based ePHI security programming to ensure that only relevant users have appropriate access to PHI and that their access capacities comply with all the HIPAA standards.