Clients often struggle with the proper implementation of the HIPAA Security Rule (SR). The confusion stems from the fact that the HIPAA SR is a law, not a security framework like NIST 800-53 or the CIS Top 20. Let’s dispel a few of the common myths:
Myth 1: HIPAA doesn’t require vulnerability scans and penetration tests
Myth Busted: Strictly speaking, HIPAA does not require a penetration test or a vulnerability scan. However, it does require a risk analysis, which effectively requires covered entities to test their security controls. Two significant and important methods for testing security controls are vulnerability scanning and penetration testing. Given the prevalence of hacking events in healthcare, it is possible that an auditor or administrative law judge could render a judgement against a covered entity for failing to do a vulnerability scan.
In addition, NIST has issued a special recommendation for HIPAA that says, “Conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities.” It also says to document any deficiencies that are identified in a technically detailed report and to include effective, efficient, and clear methods for remediation.
Myth 2: HIPAA doesn’t require data at rest encryption.
Myth Busted: According to HIPAA, encrypting health data is “addressable” rather than “required.” However, this does not mean that covered entities can simply ignore health data encryption. Instead, healthcare organizations must determine which privacy and security measures are reasonable and appropriate for their workflow.
“…it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity,” according to HHS. “If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.”
Myth 3: HIPAA doesn’t require log monitoring and alerting, merely log storage.
Myth Busted: Event, audit, and access logging is a requirement for HIPAA compliance. HIPAA requires you to keep logs on each of your systems for a total of six years. These three HIPAA requirements apply to logging and log monitoring:
- Section 164.308(a)(5)(ii)(C): Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
- Section 164.312(b): Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Section 164.308(a)(1)(ii)(D): Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
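As an added example that is not part of the original post, the Python below sketches what a minimal procedure for the log-in monitoring and activity review items above could look like in practice: it parses constructed sample log lines, reports log-in discrepancies (a run of failures, a success following that run, a success from outside the internal network), and computes the six-year retention cutoff the post cites. The log line format, the failure threshold and the 10.0.0.0/8 internal range are assumptions made for the example.

```python
"""Log-in monitoring over constructed sample log lines.

Added example, not code from the original post. The log format
("timestamp user source outcome"), the failure threshold and the
internal address range are assumptions; six years is the retention
period the post cites.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample lines in the assumed "timestamp user source outcome" format.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 10.0.0.5 SUCCESS
2024-03-01T08:00:09 bob 10.0.0.7 FAILURE
2024-03-01T08:00:12 bob 10.0.0.7 FAILURE
2024-03-01T08:00:15 bob 10.0.0.7 FAILURE
2024-03-01T08:00:18 bob 10.0.0.7 FAILURE
2024-03-01T08:00:21 bob 10.0.0.7 FAILURE
2024-03-01T08:00:25 bob 10.0.0.7 SUCCESS
2024-03-01T02:15:00 carol 203.0.113.9 SUCCESS
2024-03-01T09:10:00 dave 10.0.0.9 FAILURE
"""

FAILURE_THRESHOLD = 5                              # assumed policy value
RETENTION_YEARS = 6                                # retention period cited in the post
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def parse_log(text):
    """Parse lines into dicts; skip malformed lines instead of aborting the review."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, source, outcome = parts
        try:
            when = datetime.fromisoformat(ts)
            ipaddress.ip_address(source)
        except ValueError:
            continue
        events.append({"when": when, "user": user, "source": source, "outcome": outcome})
    return events


def find_discrepancies(events, threshold=FAILURE_THRESHOLD):
    """Return (kind, user, source) tuples for log-in events that merit review.

    kinds: repeated_failures       - a user/source pair reaches the failure threshold
           success_after_failures  - a success arrives after such a run
           external_login          - a success from outside INTERNAL_NET
    """
    findings = []
    failures = Counter()
    for ev in sorted(events, key=lambda e: e["when"]):
        key = (ev["user"], ev["source"])
        if ev["outcome"] == "FAILURE":
            failures[key] += 1
            if failures[key] == threshold:
                findings.append(("repeated_failures", ev["user"], ev["source"]))
            continue
        # A success: check whether it followed a run of failures, and where it came from.
        if failures[key] >= threshold:
            findings.append(("success_after_failures", ev["user"], ev["source"]))
        if ipaddress.ip_address(ev["source"]) not in INTERNAL_NET:
            findings.append(("external_login", ev["user"], ev["source"]))
        failures[key] = 0
    return findings


def retention_cutoff(today, years=RETENTION_YEARS):
    """Oldest timestamp that must still be retained, `years` back from today."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:  # 29 February with no leap day in the target year
        return today.replace(year=today.year - years, day=28)


def entries_outside_retention(events, today, years=RETENTION_YEARS):
    """Entries older than the retention window; everything else must be kept."""
    cutoff = retention_cutoff(today, years)
    return [e for e in events if e["when"] < cutoff]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for finding in find_discrepancies(parsed):
        print("REVIEW:", *finding)
    print("retention cutoff today:", retention_cutoff(datetime.now()).date())
```

The sorting step matters: a review procedure has to reason about order of events, and raw logs from several systems rarely arrive in order. The leap-day branch in `retention_cutoff` is the kind of edge case that silently breaks a scheduled retention job once every few years.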
Myth 4: The HIPAA SR is not risk based.
For HIPAA practitioners and consultants who declare that HIPAA is not a risk-based approach, consider this: the HIPAA SR requires covered entities to identify and protect against reasonably anticipated threats to the security or integrity of the information, and to protect against reasonably anticipated, impermissible uses or disclosures.
The addressable controls are then determined by the results of assessing the likelihood and impact of the threats being realized.
Myth Busted: While the HIPAA SR may not BE a risk-based framework, its proper implementation is inherently risk based.
Myth 5: I can only be audited if I have a breach.
Myth Busted: As stated on the HHS website under ‘Who can be audited?’: “Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities. We expect covered entities and business associates to provide the auditors their full cooperation and support.”
On what basis will auditees be selected? “For this phase of the audit program, OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates.”