
HIPAA Compliance Is Not Security From A Cyber Attack



Hackers love healthcare; they have learned that the industry is an easy target with a big payoff. Technological advances in how we deliver medical care have produced an overwhelming amount of electronic data: results, reports, and general patient information. Medical equipment is continually evolving and providing the world with cutting-edge methods, and the data it produces is stored electronically. The pressure to link that data to a patient record quickly can lead to quick-fix integrations that never address HIPAA, leaving countless files exposed to a breach if they are not protected properly. Read on to learn more.

Does HIPAA Compliance Mean Your Business is Secure?

Unfortunately, no. Compliance does not equal cybersecurity. If your organization follows all of the rules set by federal and state regulations, you are likely compliant with those requirements, and it is easy to fall under the false impression that you are therefore in a solid and secure place with regard to cybersecurity. You can be 100% HIPAA compliant and still be 100% exposed to a cyber attack: compliance attests that the required policies and safeguards are in place; it does not test whether they would hold up against a determined attacker. Healthcare companies are at higher risk of attack because of the sensitive nature and resale value of patient records. Hackers held patient files at a Battle Creek doctor’s office for ransom. The office didn’t pay. It closed.


What Is HIPAA and Who Must Be Compliant?

Healthcare is one of those industries that hackers simply cannot resist. HIPAA (the Health Insurance Portability and Accountability Act) was enacted in 1996 to improve the efficiency and effectiveness of the healthcare system, and one of its primary directives is to protect patient health information. The HIPAA Rules apply to two groups: covered entities and business associates. A covered entity is a health plan, a health care clearinghouse, or a health care provider that conducts standard health care transactions electronically. Examples of covered entities are:

  • Doctors

  • Health insurance companies

  • Company health plans

A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Examples of business associates (whose services involve access to PHI) are:

  • CPAs

  • Attorneys

  • IT providers

If you are unsure whether you are a covered entity or business associate, you can learn more from the U.S. Department of Health & Human Services.


The HIPAA Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information, or HIPAA Privacy Rule, provide federal protections for personal health information and give patients rights over their own protected health information (PHI). The rule permits the disclosures of PHI needed for patient care and other important purposes, and it applies to covered entities and their business associates regardless of whether the PHI is electronic, on paper, or spoken.

The Privacy Rule establishes administrative responsibilities, requires written agreements between covered entities and business associates, requires privacy policies and procedures, and makes employers responsible for training workforce members and for implementing requirements governing their use and disclosure of PHI.

Privacy Rule Examples:

  • Train all employees on its privacy policies and procedures

  • Properly dispose of documents containing protected health information

  • Secure medical records with lock and key or a passcode

  • Establish a procedure so individuals know to whom they can submit a complaint about the covered entity’s compliance with the Privacy Rule

The HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information, or HIPAA Security Rule, establish a national set of security standards for protecting health information that is held or transferred in electronic form. The rule requires covered entities, business associates, and their subcontractors to implement safeguards that protect the electronic protected health information (ePHI) they create, receive, maintain, or transmit.

The Security Rule covers only ePHI (PHI in paper or oral form falls under the Privacy Rule) and requires administrative, physical, and technical safeguards that are reasonable and appropriate for the organization’s size, complexity, and risk.

Security Rule Examples:

  • Designate a security officer who is responsible for compliance

  • Create policies and procedures that explain proper use of workstations and electronic media

  • Give every employee a unique user ID and their own credentials, so that activity in systems holding ePHI can be traced to an individual and accounts are never shared

  • Limit physical access to covered entity’s facilities

Most Security Rule violations stem from organizations failing to implement, or failing to follow, the policies and procedures that are supposed to safeguard ePHI.


How Compliance and Cybersecurity Work Together to Protect Your Business

HIPAA is more than just regulation; it is about patient safety and your peace of mind. HIPAA compliance paired with stronger cybersecurity measures gives a business a solid foundation to build on and grow securely, rather than one it has to recover and repair chaotically after a breach.

While many healthcare organizations take HIPAA seriously and do their best to protect PHI, many small practices believe that compliance and security are concerns only for larger organizations. The reality is that small businesses are increasingly targeted precisely because they are small. Large healthcare organizations generally have more resources to put toward cybersecurity protections, including bigger budgets and usually a dedicated IT staff, that smaller companies lack. Smaller businesses can still leverage tools and outside providers to safeguard themselves from a cyber attack.

Despite the picture many businesses have of a hacker as a sophisticated person or group tirelessly working to access one system, in truth attackers take the path of least resistance. Infiltrating one large organization might bring a huge payday, but it is easier to attack the many smaller companies with less security in place, because the likelihood of getting in is higher. Even as some hackers argue over the ethics of targeting healthcare, others have admitted that “hospitals make it too easy of a target to ignore”.

