Page 57 - Cyber Defense eMagazine for June 2021

Data breaches can lead to huge financial losses for the healthcare industry, as well as the consequences associated with compromised patient data. While dealing with the large-scale disruption and strain caused by COVID-19, healthcare providers have also had to face heightened cyber threats, including ransomware, malware, and phishing attacks. Cybercriminals have taken advantage of the rapid scale-up of telehealth and remote learning to wreak maximum havoc on an extremely strained healthcare system and fatigued healthcare professionals.

In response, the HHS Office for Civil Rights (OCR) has released guidance standards relating to telehealth remote communications, emphasizing its discretion in enforcing Health Insurance Portability and Accountability Act (HIPAA) violation penalties on the provision of telehealth services during the pandemic.


Following HIPAA Guidelines Is Not Sufficient
Maintaining the integrity of protected health information (PHI) is imperative, and the past year has highlighted how vital it is that healthcare organizations implement and maintain effective and robust cybersecurity measures. HIPAA legislation, passed by Congress in 1996, establishes the guidelines for protecting sensitive patient data, describing the key physical, technical and administrative safeguards that an organization should have in place. Noncompliance with HIPAA regulations can lead to hefty fines and other significant consequences for Covered Entities.

HIPAA legislation contains two key rules that work in tandem to maintain the integrity of patient data - the Privacy Rule and the Security Rule. The Privacy Rule focuses on an individual's right to protect the confidentiality of their information in any form, while the Security Rule is concerned solely with the protection of electronic PHI. This means that the Security Rule covers the implementation of effective cybersecurity measures; however, the guidance that it provides is open to interpretation.

Healthcare Entities and their Business Associates are required to abide by the necessary HIPAA guidelines to ensure regulatory compliance; however, as the cyber threat landscape rapidly evolves, compliance with established HIPAA laws may no longer be enough.

The healthcare industry is expanding at a rapid pace, and so too are the regulatory and compliance requirements. After navigating through the intricacies of HIPAA compliance, healthcare organizations may assume that their infrastructure is secure against cyberattacks, but this is simply not the case. Full HIPAA compliance does not guarantee adequate cybersecurity and further measures should not be overlooked. In order to create a safe and secure infrastructure for the collection and storage of PHI, healthcare organizations must focus on the synergistic relationship between HIPAA compliance and Cybersecurity, exploring how the two concepts can support and empower one another.


Why Does HIPAA Need Cybersecurity?
As HIPAA regulations predate emerging cybersecurity threats, we must consider how they address the risk of a data breach. HIPAA legislation does not offer healthcare providers a comprehensive plan detailing how compliance should be achieved, which means that the level of compliance can vary greatly between organizations. Without paying close attention to security risks, organizations can leave themselves vulnerable to attack.







            Copyright © 2021, Cyber Defense Magazine.  All rights reserved worldwide.