Why Digital Certificates Should Be Part of Your Security and Privacy Strategy
The importance of keeping personal information both private and secure is ultra-critical in the healthcare industry. It’s amazing that it’s now been 21 years since Title I of the Health Insurance Portability and Accountability Act (HIPAA) in the United States was enacted to protect health insurance coverage for workers and their families. In 2003, Title II was established as a national standard for electronic healthcare transactions and national identifiers for providers, health insurance plans and employees. This is when many of the privacy and security rules were defined for protecting electronic protected health insurance information (e-PHI).
A few years ago, US Congress and the Department of Health and Human Services (HHS) established the Health Care Industry Cybersecurity (HCIC) Task Force in the Cybersecurity Act of 2015 to address growing concerns of cybersecurity risks and threats to the healthcare industry. Just recently, the task force issued its findings in the very detailed Report on Improving Cybersecurity in the Health Care Industry, highlighting the urgency and complexity of the cyber-threats and the recommended actions the healthcare industry should be taking to protect healthcare systems and patients.
The healthcare ecosystem is extremely complex and is primarily focused around the services, care and products provided to its patients and consumers. As a patient, just imagine all of the interactions you have in just one doctor’s appointment and all of the data and records generated. Healthcare facilities and organizations continue to be part of this digital transformation that promises better care and service. Not only are patient records mostly fully digitized these days, the way patients are monitored and data is collected is also now being fully automated. However, with more digital information and processes, the risk of cyber-attacks exponentially increases as well.
Healthcare facilities and organizations are often targeted because of patient records and the damage that can be done by compromising their security. They are also seen as easy targets with so many people and staff connecting to all sorts of devices and accessible networks. Additionally, older pieces of equipment that may be vulnerable are still in use because they are difficult to update, expensive to replace or still very valuable to day-to-day patient care. A recent very public example was the WannaCry ransomware attack that targeted a known Microsoft Windows vulnerability that could’ve been prevented with a simple patch. WannaCry targeted many healthcare facilities and had a major impact in some countries.
While the work of HCIC Task Force and the release of its cybersecurity report provides a great set of guidelines that align with NIST cybersecurity framework, HIPAA technical safeguards must be part of any healthcare organization’s cybersecurity strategy. This recent article, Implementing HIPAA Technical Safeguards for Data Security, published by Health IT Security provides a great overview of technical safeguards and what happens when they are lacking.
What are Technical Safeguards?
As defined by the HIPAA Security Rule, technical safeguards are the technology and the policy and procedures for its use that protect electronic protected health information (e-PHI) and control access to it.
From the HIPAA Security Rule, technical safeguards include:
- Access Control - A covered entity must implement technical policies and procedures that allow only authorized persons to access e-PHI.
- Audit Controls - A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls - A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security - A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Failure to Implement HIPAA Technical Safeguards
Well, first of all, as a healthcare organization, failure is not an option. Implementing these technical safeguards will help prevent a security incident from happening. You also need to be in HIPAA compliance as your auditor will be checking. Will it guarantee that a security incident will never happen? No. But, complying with HIPAA security rules and implementing security best practices to address these technical safeguards will prove that you were in compliance and potentially enable you to avoid a huge fine if a security incident occurs and it was identified that your organization properly implemented the safeguards.
How do Digital Certificates Help?
Here’s where I get excited. The HIPAA Security Rule does not define specific requirements for technology types, allowing the healthcare organization to implement its own security measures to meet the standard and specification. As an employee of GlobalSign, a leading global Certificate Authority, I see a critical role for Digital Certificates in how healthcare facilities and organizations address the HIPAA technical safeguards. The key terms that stand out are unique user identification, encryption and decryption, authentication and integrity controls.
Security best practices start with identity. When every ‘thing’ has an identity, everything can be more secure. People, devices, services, applications and all of the things that connect to the internet must have an identity to encrypt communications and transactions, authenticate to a service, authorize proper access and prove their integrity. Digital Certificates provide that identity and trust – enabling many security use cases that must be addressed in the HIPAA technical safeguards:
- Web and Server Security - Prove your public and private sites and servers are legitimate while protecting and encrypting data submissions and transactions with SSL/TLS Certificates.
- User and Device Authentication and Access Control - Implement strong Authentication without burdening end users with hardware tokens or applications and ensure only approved users, machines and devices (including mobile) can access authorized networks and services.
- Document Signing - Digital signatures using trusted Digital Certificates replace wet ink signatures and create a tamper-evident seal to protect your patient records and other documents that must be kept secure and private.
- Secure Email - Digitally signing and encrypting all internal emails mitigates phishing and data loss risks by clearly verifying message origin so recipients can identify legitimate versus phishing emails and ensuring only intended recipients can access email contents.
There is no doubt that security in the healthcare industry is complex and absolutely necessary to keep critical information safe and private. Regulations like HIPAA and guidance from the HCIC Task Force provide a great framework and recommendations for establishing best practices for a more secure environment. Digital Certificates should be a part of your layered security approach and we are here to help you.
I welcome you to talk with us to today about how we can help you automate, manage and integrate certificates throughout your IT infrastructure.