Related articles in the Compliance for DevOps Teams series:
- How DevOps Teams can meet NIST compliance standards with automation
- How DevOps Teams Can Prove ISO Compliance with Automation
- How to Prove PCI DSS Compliance with Automation
The healthcare industry has shifted dramatically due to COVID-19. In an effort to minimise the spread of the virus, healthcare providers had to quickly pivot their services to offer telehealth appointments. Organisations were faced with the challenge of securing communication channels to maintain doctor-patient confidentiality and subsequently meeting HIPAA compliance requirements.
Now, discussions are ramping up around digital vaccine passports, vaccination QR codes, and other digital vaccine-tracking methods. Once a method is decided upon, development teams will be called upon to build and ship the software quickly. In order to meet these demands, development teams must have compliance processes in place so they can sprint toward deployment with little delay.
If you’re part of the development to meet these increasingly demanding goals, in increasingly shorter deadlines, keep reading to see how automation can quash security concerns and let you work without interruptions:
What is HIPAA?
Established in 1996, HIPAA aims to protect the privacy and security of sensitive health information. The HIPAA Security Rule protects a subset of information covered by the HIPAA Privacy Rule. Essentially, it focuses on what organisations need to do to protect electronic protected health information (e-PHI).
The Security Rule doesn’t dictate which security measures are used, as long as they are effective. However, they do require three standards of implementation also known as safeguards:
- Administrative Safeguards: A risk analysis is required to determine what security measures are needed for your organisation. This should be an ongoing process.
- Physical Safeguards: Surprise, surprise, this refers to the physical security of the offices where e-PHI may be stored. The security measures must include: facility access and control measures, and workstation and device security.
- Technical Safeguards: This pertains to the technical measures, like firewalls, encruption, and data backup, that are used to keep e-PHI secure. The safeguards must consist of: access controls, audit controls, integrity controls, and transmission security.
HIPAA in action
Healthcare continues to be the industry most targeted by ransomware—accounting for 79% of all reported data breaches in the first 10 months of 2020. And as telemedicine usage ramped up, so did network server cyberattacks, increasing by 35% through October 2020. Here’s a look at some breaches and how they could’ve been circumvented by abiding to the HIPAA rules and safeguards.
Rehoboth McKinley Christian Health Care Services (RMCHCS)
In May 2021, more than 205,000 patients of RMCHCS were notified of attempted data extortion that forced the hospital into electronic health record (HER) downtime. RMCHCS fell victim to an attack launched by Conti, a ransomware hacking group that actively targeted the healthcare industry throughout 2020.
It was later determined that Conti actors exfilterated data, including social security numbers, passports, and patients’ protected health information (PHI), from the system for approximately two weeks from January 21 to Feburary 5. RMCHCS reported they notified law enforcement immediately, but they didn’t start sending out notices until the end of April, which is cause for concern.
Since this was a ransomware attack, there is a clear lack of technical safeguards and regular risk assessments. While RMCHCS did notify patients of the breach, the lack of timeliness further compromises personal security and the integrity of the e-PHI. Patients should have been notified in a timely manner so they could close or alter their charts, update online portal or banking information, or request a new passport.
A ransomware attack crippled Nebraska Medicine in late September 2020, driving it into EHR downtime prodecures and causing system, EHR, and patient portal access issues for a number of its branches.
Attackers first gained access to the system in late August and deployed malware to exfiltrate some patient and employee data. Since the first exploit went undetected, the ransomware attack was launched nearly a month later. This attack secured patient data that included names, contact information, dates of birth, clinical and prescription data, and in some cases, social security numbers.
Since the attack, Nebraska Medicine has upped its network monitoring tools and is continuing to regularly audit its systems for any unauthorised access. These remediation steps, and the fact the attackers were able to access the system for almost a month, exposed the weaknesses in its security strategy—rules #2 and 3 were not followed, and the administrative and technical safeguards were inadequate.
Why this matters to you
Compliance is a journey, not a destination. That’s why everyone needs to play their part to enable continuous compliance that evolves with business objectives. Compliance cannot autumn onto one person—developers aren’t security experts, and security teams aren’t development specialists. SecOps teams are responsible for effectively communicating what developers need to do, and DevOps teams must execute this at the application level.
Following the HIPAA standards, here’s a couple of examples of how everyone contributes to upholding compliance:
- Administrative safeguards: Management is responsible for identifiying and analysing any potential risks and developing appropriate policies. Security teams must carefully assign and maintain access based on the user’s role. Management handles workforce training and management to ensure employees are well-versed in the overall strategy.
- Physical safeguards: This falls on the physical security department. They must ensure that access to the building and server rooms is controlled and monitored.
- Technical safeguards: Development teams must build secure systems that protect the confidententiality and availability of EHR, which includes proper audit controls and implementing backup and recovery routines. Security teams are tasked with assigning electronic access management controls and reviewing audits and logs.
Just like you don’t have to be Gordon Ramsay to cook packaged ramen, you don’t have to be a security expert to build securely. And thankfully, you don’t have to manually build the security system (they don’t scale well, anyways)—solutions that integrate with your CI/CD pipeline already exist. The key is using a solution that provides automation, ensuring that security is being addressed while you focus on building great applications.
Consistent compliance with Trend Micro Cloud One™ – Conformity
Conformity provides cloud best practices to empower cloud builders to innovate in the cloud with confidence. Customers leveraging this service can build secure and compliant cloud architecture and avoid misconfigurations, such as critical identity access management (IAM) for a secure and compliant cloud environment.
Conformity helps organisations understand how HIPAA compliant they are thanks to real-time, automated service scans run against hundreds of compliance, best practice, and configuration cheques. With an endless combination of filters, you receive a complete view of the security and compliance baseline of your infrastructure. If you are alerted of a risky miconfiguration, Conformity provides you with step-by-step guides to fix it yourself, or you can use auto-remediation.
To understand how compliant your cloud environment is to HIPAA, start a free 30-day trial.