Understanding Healthcare Infrastructure Security and HIPAA

Strong healthcare infrastructure security will rely heavily on the physical, administrative, and technical safeguards under HIPAA.

By Elizabeth Snell

Creating strong healthcare infrastructure security requires covered entities to build a comprehensive understanding of many key areas, such as IT network security, physical infrastructure, and data storage options.

With technological options evolving more every day, it is even more important for healthcare organizations to ensure that they are implementing the right infrastructure options for their daily operations.

In terms of infrastructure security, HITInfrastructure.com will discuss the finer points of HIPAA regulations, and why this is such an important piece to the larger infrastructure puzzle. Administrative safeguards, physical safeguards, and technical safeguards are not only federal requirements, but they will also help create strong healthcare infrastructure security.

Administrative safeguards

Administrative safeguards are policies and procedures designed “to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information,” according to the Department of Health and Human Services (HHS).

Covered entities should implement policies and procedures that help guide employees in the proper care and use of ePHI, such as security training requirements or how certain security responsibilities should be delegated in a facility.

The HHS Security Series also highlights the following standards for covered entities to follow when it comes to their administrative safeguards:

  • Implement policies and procedures to prevent, detect, contain and correct security violations
  • Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity
  • Implement policies and procedures to ensure that all workforce members have appropriate access to ePHI and to prevent those who do not have access from obtaining ePHI access
  • Implement policies and procedures for authorizing ePHI access
  • Implement a security awareness and training program for all workforce members
  • Implement policies and procedures to address security incidents
  • Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI
  • Perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting ePHI security  
  • Create a contract or agreement with any necessary business associates that meets the applicable HIPAA requirements

Overall, HHS requires that employees at all levels understand the covered entity’s “security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.” Moreover, employees should only be given access to ePHI as it relates to their job, and that is “the minimum necessary” to ensure that the job is performed correctly.

There must be proper documentation for all work with third parties, which will help ensure that those organizations also properly and securely handle sensitive information, such as ePHI.

Physical safeguards

HHS describes physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.”

In terms of healthcare infrastructure, this can relate to the physical security measures used to keep data safe. Whether a covered entity is housing information on their own premises or another location, the HIPAA Security Rule requires the necessary physical safeguards.

Anything from locks on doors to keeping laptops and other mobile devices locked up when not in use can be considered a physical safeguard. While physical security is not always at the forefront of individuals’ minds, PHI can be stored in numerous areas.

A healthcare data breach could just as easily stem from a stolen laptop that was not properly secured as from a third-party cybersecurity attack.

Facility access and control, and workstation use and device security, are key aspects of the physical safeguards required under HIPAA.

“The purpose of this implementation specification is to specifically align a person’s access to information with his or her role or function in the organization,” the HIPAA Security Series explains in terms of access control. “These functional or role-based access control and validation procedures should be closely aligned with the facility security plan.”

Technical safeguards

Technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

HIPAA regulations do not specifically dictate the kinds of technology that covered entities must use. Rather, healthcare organizations need to find reasonable and appropriate security measures for their own needs and characteristics.

For example, a small clinic with fewer than five doctors might not have a BYOD policy in place. Therefore, physicians do not need to worry about mobile device management (MDM) or whether their phone has remote wipe capabilities. Perhaps the clinic does not even allow physicians to store PHI on mobile devices, as it would be the individual’s personal device.

Instead, PHI stays on the clinic computers, which is why firewalls and laptop encryption options might be a better choice for this clinic.

Similar to the administrative safeguard aspect, covered entities need “to implement technical policies and procedures that allow only authorized persons to access” ePHI. If it is not required for an employee’s job function, then the necessary technical safeguards should be in place to ensure that no unauthorized access takes place.

Understanding HIPAA to create strong healthcare infrastructure

Essentially, HIPAA regulations play a critical role when it comes to creating a strong, viable, and functioning healthcare infrastructure. Technical safeguards must integrate smoothly with an organization’s approach to network security, while administrative safeguards need to complement employee training and how staff members approach healthcare infrastructure.

Moreover, physical safeguards need to integrate properly with an organization’s hardware, as well as other physical features that play a role in keeping sensitive data secure.

By understanding the details of all three safeguards, covered entities will be better able to build a secure infrastructure.