Essential Technical Security Controls to Promote HIPAA Compliance and Protect ePHI

HIPAA Security Controls

One of the most impactful regulations in the U.S. is the Health Insurance Portability and Accountability Act of 1996, known as HIPAA.  The HIPAA Security and Privacy Rules lay out rigorous requirements for the collection, use, and storage of Electronic Protected Health Information (ePHI). 

I get a significant number of questions from our customers and colleagues looking for quick wins to promote HIPAA compliance for both their organization and the third parties with which they work.  Therefore, I wanted to devote a little space to taking a deeper dive into HIPAA and look at some of the most essential technical controls for ensuring you, and your third parties, are promoting compliance with HIPAA. 

Access Control

The first essential security control that must be incorporated for HIPAA compliance is access control.  Access control should entail the use of multiple factors to identify a user and authenticate the user is who they claim to be.  Additionally, HIPAA compliant information systems will have levels of authorization that ensure the user, once authenticated, can only access the ePHI that user requires to complete their job. 

I strongly suggest making sure information systems that house ePHI have access controls that:

  • Account for each user so that each ID in the system is unique to one user (CyberGRX Controls 3.3.1.1, & 3.3.2.2);
  • Enforce highly complex passwords that incorporate the use of at least one of each upper and lowercase letters, numbers, and special characters (e.g. %, *, ^, @, #, etc.) (CyberGRX Control 3.3.2.4);
  • Ensure each User ID has a set of privileges attached to it that grant the owner of the ID only the access to PHI that the user needs to do their job (CyberGRX Control 3.3.1.2), and
  • Incorporate multiple factors to authenticate a user (CyberGRX Control 3.3.2.3).

Encryption

Another key technical control for protecting ePHI that HIPAA requires is the use of encryption. While encryption is technically distinct from a secret code, at a high level you could think of it as a secret code.  The encryption algorithm uses math to jumble information in such a way that it cannot be deciphered without a key.  HIPAA focuses on using encryption for ePHI that is both stored on an information system (Data at Rest) and sent between information systems on a network (Data in Transit). 

Key controls you should consider to protect ePHI with encryption are:

  • Encrypting ePHI on disk drives with at least AES 256 encryption (CyberGRX Control 3.5.2.1); and
  • Ensuring ePHI that you send and receive on your own network, or between third parties on the internet is encrypted with at least TLS 1.2 (CyberGRX Control 3.5.4.1).

HIPAA allows organizations to not encrypt ePHI when ePHI is contained only on a private network, provided that the organization has robust access controls for entry on that network.  However, I feel that encryption is such an essential security tool that you are better off making sure that all devices containing ePHI are encrypted and that all communications containing ePHI across networks, public or private, are also encrypted.

Data Base Access and Information Corroboration

Data corroboration is an important aspect of HIPAA because it can help ensure the integrity of ePHI.  The integrity of ePHI is perhaps one of the most important aspects of HIPAA because of its direct correlation with patient safety and health.  Imagine, for instance, if the record for a patient’s prescription administration was inaccurate.  In a hospital setting, medical staff may accidentally administer too much of a drug, or too little.  One of the best ways to corroborate data for ePHI is to hash it.  Hashing uses an algorithm on ePHI that produces a unique value that would be extremely unlikely to be produced by a different set of ePHI.

Let’s look at an example.  Assume we had a database that tracks the time medicine was given to a patient. If we input 12:00 PM in the database, the time value ‘12:00 PM’ would hash out to a unique value that could not be arrived at by any other time value like 12:00 AM, or 12:01 PM.  So, if a malicious person accessed the database directly and changed the field for when the time medicine was given to a patient, we could hash out the changed time, and compare it with the hash for 12:00 PM to realize that the database was tampered with.  Additionally, if the malicious person also changed the hash field, we would be able to compare the hash of the changed time to the hash in the time field and realize that the hash is not the result of the time field and thus it has been tampered with. 

To ensure your databases are safe, I suggest the following:

  • Establish database activity monitoring so that you know what was changed, when, and by whom (CyberGRX Control 3.5.2.3); and
  • Ensure you hash database logs and critical database fields to ensure they are genuine (CyberGRX Controls 3.6.1.6, 3.6.2.6, & 3.6.3.6).

Conclusion

The field of HIPAA compliance is very large, and access control, encryption, and data protection only scratch the surface.  However, these security activities are among the most effective security controls that you and your third parties can implement to mitigate risk to your organization and customers. 

Thank you for reading this blog, I hope the information was helpful.  I will be back next month with some more quick wins and actionable security advice. In the meantime, to learn more about CyberGRX controls, read our assessment datasheet here.

KEVIN FORD

CHIEF INFORMATION SECURITY OFFICER

Leave a Reply