Within the HIPAA Security Rule are Administrative, Physical, and Technical Safeguards. These safeguards are as important to understand as they are to implement, so let’s clarify them for the uninitiated.

Many healthcare entities and their business associates are routinely challenged with understanding and successfully implementing the technical safeguards defined by the HIPAA Security Rule. It’s been decades since HIPAA was signed into law and over a decade since the HITECH update, and since that time, healthcare facility operations have evolved to rely on software and technology to a much greater degree. Larger, faster networks, more complex software, and more instances of software inside a healthcare facility’s network seem to be the norm. As a result, healthcare IT departments have had to become smarter, and their practices have had to evolve.

According to a report published in late 2020, most of the healthcare entities and business associates the Office for Civil Rights (OCR) reviewed during the Phase Two Audits were not compliant. The Phase Two Audits are designed to assess whether covered entities and their business associates are complying with the HIPAA Privacy, Security, and Breach Notification Rules. The U.S. Department of Health & Human Services (HHS) provides guidance on these three areas of the rule, in addition to case examples and its reports to Congress on investigation results.

HHS updated HIPAA and HITECH in 2013 when it finalized the Omnibus Rule. This rule contains edits and updates to all the previously passed rules. It is a single, exhaustive document that details all the requirements for complying with HIPAA and HITECH. Consequently, business associates of healthcare entities are directly liable for any non-compliance and for any fines associated with it.

Attackers are keenly aware that many healthcare organizations struggle in understanding their risks and how to (Read more...)