
Key Requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule

Published 3 February 2025

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gave rise to a national set of security standards, set out in the HIPAA Security Rule, that are designed to protect the electronic protected health information (ePHI) of individuals in the US. The Security Rule establishes three categories of safeguards (administrative, physical and technical) that must be implemented by regulated entities that create, receive, maintain or transmit ePHI. The Security Rule complements the Privacy Rule and the Breach Notification Rule; together the three govern the privacy and security of protected health information. 

The Security Rule applies to: 

  • Covered entities, namely: 

    • Health plans 

    • Health care clearinghouses 

    • Any health care provider that transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA 

  • Business associates of covered entities (and their subcontractors, which are themselves business associates under the rule). 

What are the Key Requirements of the HIPAA Security Rule? 

Implementing a Security Management Process 

One of the requirements of HIPAA, set out in the Security Rule's general rules and administrative safeguards, is to implement a security management process. The general requirements that this process must serve are to:  

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits

  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information 

  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule

  • Ensure compliance with these requirements by its workforce.

Several security frameworks would meet this requirement, and the Security Rule itself allows a regulated entity to use any security measures that reasonably and appropriately implement its standards (its "flexibility of approach" provision), so your organization is free to determine its own approach. In this blog, we will focus on ISO 27001:2022, the international standard for an Information Security Management System (ISMS). ISO 27001 and the requirements of HIPAA are closely aligned: a well-implemented ISMS meets most of the standards defined within HIPAA, although not all of them (the business associate and breach notification obligations, for example, have no ISO equivalent), so you should still maintain a mapping from each Security Rule standard to the controls that satisfy it. 

HIPAA requires that, as part of your organization's security management process, you conduct an accurate and thorough risk analysis and manage the identified risks and vulnerabilities on an ongoing basis. You can meet this standard by implementing Clauses 6 and 8 of ISO 27001: conducting a risk assessment, defining and implementing risk treatment plans as a result of it, and operating a risk management process for ongoing monitoring and treatment. Several methodologies for assessing and managing risk can be adopted within your ISMS, including ISO 27005, NIST SP 800-30 and the NIST Risk Management Framework (RMF). Whichever you use, retain the risk analysis and its updates as documentation; a missing or outdated risk analysis is among the findings most commonly cited in HHS Office for Civil Rights enforcement actions. 

Security Policies and Procedures 

HIPAA also requires that your organization implement policies and procedures to prevent, detect, contain and correct security violations. ISO 27001:2022 Annex A 5.1 similarly requires that an information security policy and topic-specific policies be defined, approved by management, published, communicated to relevant personnel and interested parties, and acknowledged by them. You may wish to create topic-specific policies covering key security controls, such as: 

  • Encryption

  • Vulnerability and Patch Management 

  • Physical Security

  • Asset Management

  • Backups

Personnel Security 

Personnel security measures relate directly to the individuals you employ and encompass topics such as pre-employment checks and disciplinary procedures. Pre-employment checks are a critical part of verifying an individual's identity and assessing their trustworthiness, especially in the health sector. You should establish processes that set out how the relevant teams within your organization will screen prospective employees before they are hired and before they are granted access to ePHI. The checks should verify, with reasonable confidence, that the candidate is who they say they are and that they are trustworthy (e.g. not susceptible to coercion), while remaining proportionate to the sensitivity of the role and compliant with employment law. 

Additionally, HIPAA and ISO 27001 both have similar requirements concerning your organization's response to violations of information security policies and procedures by personnel. To implement Annex A 6.4 (Disciplinary process) and meet HIPAA's sanction policy requirement, you should ensure that your organization has a documented disciplinary policy that is communicated to all personnel to deter them from violating company policies and procedures, including those related to security, and that sanctions applied are recorded.  

Training and awareness are also common to both HIPAA and ISO 27001. You should provide staff with information security training when they join and at regular intervals thereafter, covering topics such as: 

  • Good password management. 

  • Your organization's security policies and procedures

  • Avoiding malicious software

  • Reporting suspicious activity

  • Any legal requirements they must adhere to (e.g. HIPAA). 

You should also provide periodic security reminders to employees, outside formal training, to keep the information security management system and current threats (e.g. phishing campaigns targeting healthcare staff) front of mind. HIPAA lists security reminders as an implementation specification of its security awareness and training standard. 

Identity and Access Management 

Given the value of health data to a malicious actor, HIPAA requires that your organization define technical policies and procedures for the electronic information systems that maintain ePHI so that only authorized persons or software programs can access it. It is critical, therefore, that your organization establishes a robust joiners, movers and leavers process to govern the lifecycle of an employee's access throughout their employment. Granting, modifying and revoking access should be automated as far as possible (for example, driven from the HR system of record), minimizing the reliance on manual processes, which typically result in delayed or missed offboarding and in movers accumulating entitlements from previous roles.   

ISO 27001 has a number of controls that are relevant to identity and access management, including: 

  • Segregation of Duties (A 5.3)

  • Access Control (A 5.15)

  • Identity Management (A 5.16)

  • Authentication Information (A 5.17)

  • Access Rights (A 5.18).  

All these controls are fundamental to ensuring that users get only the minimum necessary permissions to the ePHI required to perform their role. Regular access reviews should also take place to confirm that nobody holds access to systems or data for which they do not have a valid business need, with particular attention to privileged accounts and service accounts that have no individual owner. The results of these reviews, and the remediation of anything they find, should be retained as evidence of proactive management.

Strong authentication (MFA, preferably a phishing-resistant method, usually enforced centrally through SSO) should be enabled wherever possible to minimize the risk that unauthorized access is gained with stolen or guessed credentials. Session timeouts and automatic logoff or screen locking should be enforced on end user devices and applications so that an unattended workstation cannot be used by someone who gains physical access to it. Finally, you should not use shared or generic accounts to access ePHI; HIPAA requires a unique name or number for each user so that activity can be traced to an identifiable individual.  
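As an added example (not code from the original post, and not tied to any particular IdP or HR product), the following Python script performs the reconciliation that an access review or automated leaver check depends on: it compares an identity provider export against the HR system of record and a role-to-entitlement matrix. HR_FEED, IDP_ACCOUNTS and ROLE_ENTITLEMENTS are constructed, hypothetical inputs; in practice they would be pulled from the HR system and the IdP's API.

```python
"""Access reconciliation for a joiners, movers and leavers process.

Added example, not code from the original post. HR_FEED, IDP_ACCOUNTS and
ROLE_ENTITLEMENTS are constructed, hypothetical inputs standing in for an
HR system export and an identity provider export.
"""
from datetime import date, timedelta

# Hypothetical role-to-entitlement matrix: the largest set of groups each
# role may hold. Anything beyond it is more than the minimum necessary.
ROLE_ENTITLEMENTS = {
    "nurse":   {"ehr-clinical-rw", "vpn"},
    "billing": {"ehr-billing-ro", "vpn"},
    "dba":     {"ehr-db-admin", "vpn"},
}

# Constructed HR feed (system of record): employee id -> status, role, leave date
HR_FEED = {
    "e100": {"status": "active",     "role": "nurse",   "left": None},
    "e101": {"status": "active",     "role": "billing", "left": None},
    "e102": {"status": "terminated", "role": "dba",     "left": date(2025, 1, 10)},
}

# Constructed identity provider export: one entry per account
IDP_ACCOUNTS = [
    {"user": "nurse.a", "employee": "e100", "enabled": True,
     "groups": {"ehr-clinical-rw", "vpn"}, "last_login": date(2025, 1, 30)},
    {"user": "billing.b", "employee": "e101", "enabled": True,
     "groups": {"ehr-billing-ro", "ehr-db-admin"}, "last_login": date(2025, 1, 29)},
    {"user": "dba.c", "employee": "e102", "enabled": True,
     "groups": {"ehr-db-admin", "vpn"}, "last_login": date(2025, 1, 12)},
    {"user": "svc-legacy", "employee": None, "enabled": True,
     "groups": {"ehr-clinical-rw"}, "last_login": date(2024, 9, 1)},
]

REVIEW_DATE = date(2025, 2, 3)  # the day the review is run (constructed)


def review_access(hr, accounts, today, dormant_after=timedelta(days=90)):
    """Compare IdP accounts against the HR system of record.

    Returns a dict of findings, each a list of account names (over_entitled
    entries also carry the excess groups), for a reviewer to action.
    """
    findings = {
        "leaver_still_enabled": [],     # HR says gone, account still enabled
        "login_after_termination": [],  # activity after the leave date
        "over_entitled": [],            # groups beyond the role's matrix
        "unowned": [],                  # no HR owner: orphan or service account
        "dormant": [],                  # enabled but unused for too long
    }
    for acct in accounts:
        user = acct["user"]
        emp = hr.get(acct["employee"])
        if emp is None:
            findings["unowned"].append(user)
        elif emp["status"] != "active":
            if acct["enabled"]:
                findings["leaver_still_enabled"].append(user)
            if emp["left"] and acct["last_login"] > emp["left"]:
                findings["login_after_termination"].append(user)
        else:
            excess = acct["groups"] - ROLE_ENTITLEMENTS.get(emp["role"], set())
            if excess:
                findings["over_entitled"].append((user, sorted(excess)))
        if acct["enabled"] and today - acct["last_login"] > dormant_after:
            findings["dormant"].append(user)
    return findings


if __name__ == "__main__":
    for kind, items in review_access(HR_FEED, IDP_ACCOUNTS, REVIEW_DATE).items():
        print(f"{kind}: {items}")
```

Run on the constructed data it reports the terminated DBA whose account is still enabled and was used after the leave date, the billing user holding a database admin group outside their role, and an ownerless service account that is also dormant. Keeping the entitlement matrix in version control turns "minimum necessary" from a principle into something the review can actually test against.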

Logging and Monitoring 

Another set of critical controls required to secure electronic protected health information is security logging and monitoring. Critical systems (such as electronic patient health records) should be subject to strict logging and monitoring to identify anomalous activity and malicious access.

Log information should be collected and analyzed centrally (e.g. within a SIEM) so that competent security analysts can identify potential security incidents at the earliest possible point and limit their impact. Events such as changes to the configuration of assets (especially changes to logging and audit settings themselves), repeated failed access attempts, use of privileged credentials, and access to patient records should all be captured. Logs should be forwarded off the originating system promptly and protected from modification, since an attacker who controls a system will try to tamper with its local logs.

Alerting use cases should also be defined so that investigations can be raised when suspicious behavior is identified by the monitoring system. All log information that would be useful should your organization need to investigate a security incident should be retained for a defined period. HIPAA's audit controls standard requires mechanisms to record and examine activity in systems that contain ePHI, and its information system activity review specification requires that audit logs and access reports are regularly reviewed. Additional guidance on implementing these controls is contained within ISO 27001 Annex A 8.15 (Logging) and A 8.16 (Monitoring activities).    
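The alerting use cases described above, as an added example rather than code from the original post: a small Python detector run over a constructed extract of EHR application logs. The key=value log format, the field names, the privileged account list and the business-hours window are all hypothetical; map your own SIEM's fields onto them.

```python
"""Detection use cases over EHR application access logs.

Added example, not code from the original post. SAMPLE_LOG is a constructed
key=value log extract and the field names are hypothetical; map your own
SIEM's fields onto them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
ts=2025-02-03T02:14:01Z app=ehr event=login user=nurse.a src=10.0.5.21 result=fail
ts=2025-02-03T02:14:05Z app=ehr event=login user=nurse.a src=10.0.5.21 result=fail
ts=2025-02-03T02:14:09Z app=ehr event=login user=admin src=10.0.5.21 result=fail
ts=2025-02-03T02:14:12Z app=ehr event=login user=billing.b src=10.0.5.21 result=fail
ts=2025-02-03T02:14:15Z app=ehr event=login user=dba.c src=10.0.5.21 result=fail
ts=2025-02-03T02:14:20Z app=ehr event=login user=dba.c src=10.0.5.21 result=success
ts=2025-02-03T02:15:02Z app=ehr event=config_change user=dba.c src=10.0.5.21 setting=audit_log_enabled value=false
ts=2025-02-03T09:01:00Z app=ehr event=login user=nurse.a src=10.0.7.8 result=success
ts=2025-02-03T09:05:00Z app=ehr event=record_view user=nurse.a src=10.0.7.8 patient=P1234
"""

PRIVILEGED_USERS = {"admin", "dba.c"}   # hypothetical privileged accounts
BUSINESS_HOURS = range(8, 18)           # hypothetical approved window (UTC hours)


def parse(line):
    """key=value tokens -> dict; the timestamp becomes a datetime object."""
    ev = dict(token.split("=", 1) for token in line.split())
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _expire(window_events, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while window_events and now - window_events[0] > window:
        window_events.popleft()


def detect(log_text, window=timedelta(seconds=60), threshold=5):
    """Run the alerting use cases over the log; return alert tuples in order."""
    alerts = []
    failures_by_src = defaultdict(deque)   # source IP -> recent failure times
    already_alerted = set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["event"] == "login":
            fails = failures_by_src[ev["src"]]
            _expire(fails, ev["ts"], window)
            if ev["result"] == "fail":
                # Key on the source, not the user: a password spray across
                # many accounts never trips a per-user lockout threshold.
                fails.append(ev["ts"])
                if len(fails) >= threshold and ev["src"] not in already_alerted:
                    alerts.append(("brute_force", ev["src"]))
                    already_alerted.add(ev["src"])
            else:
                if len(fails) >= threshold:
                    alerts.append(("success_after_failures", ev["user"], ev["src"]))
                if ev["user"] in PRIVILEGED_USERS and ev["ts"].hour not in BUSINESS_HOURS:
                    alerts.append(("privileged_login_out_of_hours", ev["user"]))
        elif ev["event"] == "config_change" and ev["setting"].startswith("audit"):
            # Disabling or narrowing audit logging is itself a high-priority alert
            alerts.append(("audit_config_change", ev["user"], ev["setting"], ev["value"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample extract the detector raises four alerts: a burst of failures from one source spread across several accounts (which a per-user threshold would miss), a privileged login that succeeds straight after that burst and outside business hours, and the subsequent attempt to switch off audit logging. The last of these is the one to treat as highest priority, because it is the step an intruder takes to blind exactly the monitoring this section describes.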

Security and Business Continuity Incident Management 

Given the impact that a security or business continuity incident could have on a healthcare provider, it is no surprise that HIPAA (like every major security framework) has several requirements concerning plans for responding to security and business continuity incidents. ISO/IEC 27035 and NIST SP 800-61 both provide a foundation for developing an information security incident response plan, which is essential to meeting HIPAA's security incident procedures standard.

Business continuity plans should also be created (Annex A 5.30), supported by business impact analyses (BIAs), which determine which organizational systems are most critical should an incident occur. Disaster recovery plans should also be defined for IT systems to set out how they will be recovered in the event of a failure or destructive event (such as ransomware). These map directly to HIPAA's contingency plan standard, which calls for data backup, disaster recovery and emergency mode operation plans, together with testing and revision procedures and an applications and data criticality analysis.  

Backups are also an essential part of business continuity and disaster recovery. You should ensure that all critical systems and data are backed up by implementing Annex A control 8.13 (Information backup). A key principle, given the prevalence of ransomware, is that backups must be resistant to destructive attacks (for example, immutable or offline copies held in a separately authenticated environment). Because backups contain ePHI, they need the same encryption and access controls as the live data, and restoration should be tested regularly: a backup that has never been restored is an assumption, not a control.  

It is also important to note, in accordance with the Breach Notification Rule, that both the security and business continuity incident plans should include the procedures necessary to report the incident to the relevant parties: for a covered entity, the affected individuals, the Secretary of HHS and, for larger breaches, the media, in addition to other stakeholders such as customers or insurers; for a business associate, the covered entity it serves. You should prepare for such a scenario in advance with defined communication plans and templates that set out who is responsible for communication, to whom communications must be issued, what they will say and how they will be sent. Remember that the notification deadline (without unreasonable delay and no later than 60 days) runs from discovery of the breach, so the plan must also define how discovery is recognized and recorded.   

Regular testing and exercising should also be carried out to validate that the security incident and business continuity plans are effective, and remain so throughout their lifecycle. A critical part of testing and exercising that should not be forgotten is recording and implementing the lessons learned, so that the same problems are not encountered during a real response. 

Physical Security 

Strong physical security measures are essential to prevent incidents such as theft and loss of assets that may contain significant amounts of ePHI. HIPAA therefore mandates policies and procedures that limit physical access to electronic information systems, and the facilities in which they are housed, to authorized individuals. Several controls from ISO 27001 can be used to achieve this, such as: 

  • Physical security perimeters – Establishing and defining a secure perimeter and ensuring that it is free of weaknesses (such as unsecured ground floor windows or propped-open fire doors). 

  • Physical Entry – Introducing access control systems to govern which areas staff or members of the public may enter. For high-security areas such as server rooms and records storage, enhanced controls may be required (e.g. access cards combined with PINs) to minimize the risk of unauthorized access. It is essential that an effective joiners, movers and leavers process supports your access control system so that only currently authorized individuals retain access. Physical keys and visitor access should also be tightly controlled and managed through defined procedures.  

  • Physical Security Monitoring – All access control events should be logged and monitored. Repeated failed attempts to access should trigger alerts for investigation. Furthermore, additional monitoring may be required such as CCTV, security guards and intruder alarms.  

  • Protecting against physical and environmental threats – Risk assessments should be carried out to determine the likely physical and environmental threats that may pose a risk to an asset and measures should be taken to protect assets against these threats (e.g. protecting against flooding by locating critical assets above ground-level).  

  • Equipment maintenance - Equipment should be regularly maintained in accordance with the manufacturer's recommendations to minimize the risk of failure. HIPAA requires that maintenance records be retained, including records of repairs and modifications to the security-related physical components of a facility, such as doors and locks.  

Cryptography 

With healthcare organizations holding some of the most sensitive and valuable information about individuals across the US, it is critical that they take protective measures to prevent that data ending up in a malicious actor's hands. One key measure is to protect data both at rest and in transit using cryptography. The Security Rule lists encryption of ePHI at rest and in transit as implementation specifications; although these are designated "addressable", encryption is expected in practice, and an entity that chooses not to encrypt must document why and what equivalent measure it has put in place. Encryption has a further benefit under the Breach Notification Rule: ePHI encrypted in line with HHS guidance is not "unsecured", so its loss (for example, a stolen but encrypted laptop) does not trigger the notification obligations that loss of plaintext would.

It also states that measures should be taken to ensure the integrity of ePHI, which can be achieved with cryptographic mechanisms that detect malicious or accidental modification. Note that a plain hash stored alongside the data does not protect against an attacker who can write to the datastore, since they can simply recompute it; integrity protection needs a keyed construction such as an HMAC or a digital signature, or authenticated encryption (e.g. AES-GCM) that provides confidentiality and integrity together, with the key held separately from the data. ISO 27001 also contains a control concerning cryptography (A 8.24, Use of cryptography) which requires a topic-specific policy on the use of cryptography, a secure approach to key management (generation, storage, rotation and destruction) and defined roles and responsibilities. 
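To make the integrity point concrete, here is an added example (not code from the original post) in Python using only the standard library: the same clinical record is protected first with a plain SHA-256 hash and then with an HMAC, and a simulated attacker with write access to the datastore but no key modifies both. The patient record and the key are constructed for the demonstration; in production the key would be held in a KMS or HSM, and authenticated encryption such as AES-GCM would normally be used so that confidentiality and integrity are covered together.

```python
"""Integrity protection for a stored ePHI record: plain hash vs keyed MAC.

Added example, not code from the original post. The patient record and the
key are constructed for the demonstration; a production key would be held
in a KMS or HSM, never stored beside the data it protects.
"""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Stable serialisation so equal content always produces equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_with_hash(record: dict) -> dict:
    """Unkeyed integrity value: detects accidental corruption only."""
    return {"record": record, "sha256": hashlib.sha256(canonical(record)).hexdigest()}


def verify_hash(sealed: dict) -> bool:
    expected = hashlib.sha256(canonical(sealed["record"])).hexdigest()
    return hmac.compare_digest(sealed["sha256"], expected)


def seal_with_mac(record: dict, key: bytes) -> dict:
    """Keyed integrity value: cannot be recomputed without the key."""
    return {"record": record, "mac": hmac.new(key, canonical(record), hashlib.sha256).hexdigest()}


def verify_mac(sealed: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatch via timing
    return hmac.compare_digest(sealed["mac"], expected)


def tamper(sealed: dict) -> dict:
    """Simulate an attacker with write access to the datastore but no key.

    They change a clinical field and, if an unkeyed hash is present, simply
    recompute it so the change is not detected. They cannot do the same for
    the MAC because they do not hold the key.
    """
    forged = {k: (dict(v) if k == "record" else v) for k, v in sealed.items()}
    forged["record"]["allergies"] = "none"   # dangerous change to a clinical record
    if "sha256" in forged:
        forged["sha256"] = hashlib.sha256(canonical(forged["record"])).hexdigest()
    return forged


def demo(key=None) -> dict:
    """Seal a constructed record both ways and report which scheme catches tampering."""
    key = key or secrets.token_bytes(32)
    record = {"patient": "P1234", "allergies": "penicillin", "dob": "1980-01-01"}
    hashed = seal_with_hash(record)
    maced = seal_with_mac(record, key)
    return {
        "plain_hash_detects_tampering": not verify_hash(tamper(hashed)),
        "hmac_detects_tampering": not verify_mac(tamper(maced), key),
        "untampered_record_verifies": verify_hash(hashed) and verify_mac(maced, key),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The plain hash verifies the forged record as genuine, because whoever can rewrite the record can rewrite the hash; the HMAC rejects it. The same separation of key from data is why a MAC or signature computed by the application, or an authenticated encryption tag, gives the integrity assurance the Security Rule asks for, while a checksum column in the same database does not.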

Information Security in Third-Party Agreements 

ISO 27001 and HIPAA both include requirements concerning the integration of security into agreements with third parties. HIPAA mandates that covered entities enter into a business associate agreement (or other arrangement) with each business associate that meets specific requirements, including requiring compliance with the applicable parts of the Security Rule and the reporting of any security incident, including breaches of unsecured PHI, to the covered entity.

As such, any agreement that the covered entity enters into that involves ePHI should contain clauses that require sufficient security protections to be in place and complied with. The contracting organization should verify through third-party assurance methods (e.g. audits, security questionnaires, independent certifications or attestation reports) that sufficient security measures are actually in place at the third party, rather than relying on the contract alone. Furthermore, the covered entity should ensure that the security requirements flow down to any subcontractors of the business associate, which must themselves be bound by a business associate agreement.  

ISO 27001 also recommends that supplier performance is monitored and that changes to agreements are managed through a defined process (Annex A 5.22) to ensure that security requirements continue to be met during the life of the agreement and that any relevant change to the service is assessed for security impact.