Part 1 - Meeting HIPAA Compliance and protecting ePHI with Zero Trust security

The Challenges

While the successful attack on Change Healthcare in July garnered a lot of media attention (and letters to so many of us announcing the breach including the requisite offer of yet another identity-theft-monitoring subscription), the breach wasn’t an abnormal event. According to the September 2024 Healthcare Data Breach Report from The HIPAA Journal, 531 data breaches of 500 or more records have been reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the first nine months of the year. 

Although the number of attacks has been trending down for the first time since 2020, the fact remains that nearly 50 healthcare organizations are breached every month in the U.S., costing the industry tens of millions of dollars and a loss of public trust and privacy.

In spite of ongoing efforts to comply with the Health Insurance Portability and Accountability Act (HIPAA), the healthcare sector remains an enticing target for criminals for two main reasons:

  1. Their collection and storage of personally identifiable and protected health information (PII and PHI)

  2. The digital transformation of the industry along with the rise of telehealth and remote patient care arising from the pandemic

The Impact of Web Browsers on Healthcare Security

The web browser has become one of the most critical tools for healthcare providers and consumers – delivering seamless access to electronic health records (EHR), telemedicine platforms, and patient portals from anywhere with an Internet connection. The browser offers mobility and flexibility in how healthcare providers treat patients and achieve positive outcomes, but it also presents a significant cybersecurity risk. 

Today’s applications are made up of web-based services, stitched together with a series of integrations and APIs – a decentralized model enabling agility but expanding the attack surface, exploitable by malicious actors.

For example:

  • HTML smuggling embeds malicious code within web content that can evade traditional security tools by hiding among legitimate JavaScript and HTML5 features. 

  • Phishing uses human tendencies such as trust or curiosity to trick users into clicking on a malicious link, downloading a malicious file, entering their credentials into a fake login page, or conducting other harmful actions. 

  • Ransomware is often delivered through browser exploits that remain unpatched due to user indifference or an overburdened IT staff.

These highly evasive and adaptive threats use such techniques to get past traditional security solutions that were built to protect static infrastructure behind a hardened firewall. 
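As an added illustration of how the HTML smuggling pattern in the first bullet can be triaged on the defensive side (this is example code written for this page, not part of the original post and not Menlo Security's product code), the Python below scans an HTML document for the indicators that tend to appear together when a page assembles a file in the browser and forces it to download: a `Blob` constructor, `URL.createObjectURL`, a `download` attribute or programmatic `click()`, `atob()` decoding, and a long run of base64 characters embedded in the markup. The two sample pages, the indicator names, and the verdict thresholds are constructed assumptions for the example; the base64 "payload" in the suspicious sample decodes to the harmless text "ABCABC...".

```python
"""Heuristic scan of HTML for HTML-smuggling indicators (defensive triage).

Constructed example: indicator names and thresholds are assumptions, not a
standard. The same browser APIs are used by legitimate apps (e.g. exporting
a CSV), so a "suspicious" verdict means "review", not an automatic block.
"""
import re

# JavaScript-side indicators, searched only inside <script> blocks.
SCRIPT_INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)"),
    "legacy_save_blob": re.compile(r"msSaveOrOpenBlob"),
}
# Matches both `a.download = "x"` in script and `<a download="x">` in markup.
DOWNLOAD_ATTRIBUTE = re.compile(r"\bdownload\s*=")
# A long run of base64 characters inside the document is the embedded payload.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)


def scan_html(html: str) -> dict:
    """Return a verdict plus the indicators found in one HTML document."""
    script_text = "\n".join(SCRIPT_BLOCK.findall(html))
    hits = {name for name, rx in SCRIPT_INDICATORS.items() if rx.search(script_text)}
    if DOWNLOAD_ATTRIBUTE.search(html):
        hits.add("download_attribute")
    payloads = LONG_BASE64.findall(html)

    # The technique needs two halves: building a file client-side and
    # pushing it to disk without a server round-trip.
    assembles_file = {"blob_constructor", "object_url"} <= hits
    triggers_download = bool(
        hits & {"download_attribute", "programmatic_click", "legacy_save_blob"}
    )
    if assembles_file and triggers_download:
        verdict = "suspicious"
    elif assembles_file or (payloads and "base64_decode" in hits):
        verdict = "review"
    else:
        verdict = "clean"

    return {
        "verdict": verdict,
        "indicators": sorted(hits),
        "embedded_payloads": len(payloads),
        "largest_payload_chars": max((len(p) for p in payloads), default=0),
    }


# Constructed sample 1: an ordinary patient-portal page that talks to a server.
BENIGN_PORTAL = """<html><body>
<h1>Patient portal</h1>
<script>
  // ordinary portal code: fetch the appointment list from the API
  fetch('/api/appointments').then(r => r.json()).then(render);
</script>
</body></html>"""

# Constructed sample 2: a page that decodes an embedded base64 string and
# forces it to download. The "payload" is just "ABC" repeated; it is here
# only so the detector has something realistic to match.
_FAKE_PAYLOAD = "QUJD" * 60  # 240 base64 chars, decodes to "ABCABC..."
SMUGGLING_SAMPLE = (
    "<html><body><p>Your lab report is ready.</p>\n<script>\n"
    '  var data = atob("' + _FAKE_PAYLOAD + '");\n'
    '  var blob = new Blob([data], {type: "application/octet-stream"});\n'
    '  var link = document.createElement("a");\n'
    "  link.href = URL.createObjectURL(blob);\n"
    '  link.download = "lab_report.bin";\n'
    "  link.click();\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, page in (("portal", BENIGN_PORTAL), ("sample", SMUGGLING_SAMPLE)):
        print(label, scan_html(page))
```

Running the block prints `clean` for the portal page and `suspicious` for the constructed sample, with the five indicators and one 240-character payload listed. In practice this kind of check sits in a web proxy, mail gateway or browser-isolation layer where the HTML can be inspected before it renders; the thresholds should be tuned against the organization's own web applications, since file-export features in legitimate EHR or portal software will trip the same indicators.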

As users increasingly access healthcare tools and data through the browser, healthcare organizations need to modernize their security strategies to accommodate the rise of the browser as today’s most critical healthcare tool. Switching focus from network to browser security ensures last-mile data protection for distributed users accessing ePHI data from a myriad of managed and unmanaged devices. 

The HIPAA Security Rule

The HIPAA Security Rule mandates how healthcare organizations should protect ePHI data. The rule, designed to be flexible and scalable, allows covered entities to tailor their security measures to their specific size, complexity, and risk environment and prioritizes technology neutrality. The HIPAA Security Rule requires healthcare organizations to ensure all ePHI data they create, receive, maintain, or transmit is protected against unauthorized access, modification, or loss.

Certain controls that may pertain to browser security include: 

  • access control (§164.312(a)) to ensure only authorized entities can access ePHI data

  • audit controls (§164.312(b)) to trace and log access

  • data integrity (§164.312(c)) to prevent unauthorized alteration or destruction of ePHI data

  • transmission security (§164.312(e)) to ensure the secure transmission of ePHI data over electronic networks (including the public Internet).

Meeting HIPAA compliance isn’t as straightforward as it seems. Organizations need to meet the guidelines without impacting providers’ ability to deliver care to patients. Any restrictions on legitimate behavior could disrupt regular workflows, slow down life-saving care, or inconvenience patients who are now used to digital healthcare experiences.

Finding the intersection between Zero Trust, Browser Security, and HIPAA can be easier than it might seem. Take the next steps:

  • Download the free Coalfire Product Applicability Guide (PAG) to learn how the Menlo Secure Enterprise Browser solution can help the healthcare industry attain HIPAA compliance in several very specific areas of the HIPAA Security Rule. 

  • Stay tuned for Part 2 of this blog next week to learn how a Zero Trust security approach can provide the framework for effective, non-disruptive HIPAA compliance.

Originally posted on MenloSecurity.com
