HIPAA Security Rule: What Is It and Why Does It Matter?
The Department of Health and Human Services Office for Civil Rights (OCR) recently reminded HIPAA-covered entities to put appropriate safeguards in place to protect the integrity and security of patients' electronic protected health information (ePHI). In its July 2018 Cybersecurity Newsletter, the OCR published guidance that health organizations can use to reduce the risk of breaches arising from scrapped or decommissioned devices.
The OCR also stressed the consequences of noncompliance. Health-related organizations that fail to implement the required safeguards may face fines, civil penalties, and even the loss of their business.
What Is the Security Rule?
The Health Insurance Portability and Accountability Act (HIPAA) sets privacy and security standards for the protection of medical information. Its Security Rule requires covered entities to implement administrative, physical, and technical safeguards for ePHI.
The rules cover every device and medium used to store ePHI, including desktops, laptops, mobile phones, tablets, servers, CDs, and backup tapes. Before any of these devices can be scrapped or resold, the organization must permanently erase the ePHI they hold.
Beyond those obvious devices, organizations should also account for printers, fax machines, and photocopiers. Many of these contain internal hard drives and so may retain copies of ePHI.
Why Does It Matter?
Security breaches are increasingly common, and criminals are growing more inventive. Electronic waste has become a global problem in its own right, posing a growing risk to the environment and to human health. It also creates an opportunity for attackers: equipment that is not disposed of properly can be recovered, its data extracted, and that data used to attack individuals and businesses alike.
No one knows exactly how a Ghanaian resident obtained sensitive information about US Congressman Robert Wexler, but he did, and he used it in an extortion attempt that ultimately failed. When the US Secret Service investigated, it found that the breach had little to do with high-tech espionage and everything to do with junk computers that had been improperly disposed of in Ghana.
Attackers continue to exploit hardware that was never properly sanitized, which is all the more reason to comply with the HIPAA rules.
How Can You Protect Your Organization?
Start by conducting a risk analysis. In the same Cybersecurity Newsletter, the OCR published guiding questions to help you assess your organization's strengths and weaknesses.
In short, you need to determine what data the organization maintains and where that information is stored. Find out whether devices awaiting asset recovery have been identified and isolated from production use. Check that a certified provider has been assigned to handle data destruction. Note how the organization stores devices that are awaiting destruction. Above all, make sure your data disposal plan is up to date. These are the basic questions to answer when protecting your data from breaches.
When creating policies and procedures for decommissioning devices, the OCR suggests that you identify the most appropriate disposal methods for hardware, software, and data.
As noted above, you must destroy confidential information on hardware before replacing it, and you must ensure that the ePHI on decommissioned devices cannot be accessed, recovered, or reused. Your inventories should also reflect the status of every device that has been decommissioned or is scheduled for decommissioning. Reusable media such as rewritable DVDs and USB flash drives must have any ePHI removed before they are used to record new data.
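The decommissioning steps above (sanitize the media, confirm the ePHI is no longer readable, and update the inventory) are easy to state and easy to get half right; the common failure is trusting the wipe command's exit status without reading the media back. The shell script below is an added example, not code from the original article or from the OCR guidance. It works on a small file-backed image standing in for a drive; the image path, inventory file and asset identifier are constructed for the demonstration, and the sample "ePHI" is an invented string.

```shell
#!/bin/sh
# Added example: overwrite a file-backed image that stands in for a
# decommissioned drive, verify the overwrite by reading the media back,
# and record the outcome in a disposal inventory. The image, inventory
# file, asset id and sample record below are constructed for the demo.

# Overwrite every byte of $1 in place with zeros. Against a real drive
# you would point of= at the block device (of=/dev/sdX bs=1M, no count)
# and let dd run until it hits the end of the device.
wipe_image() {
    size=$(wc -c < "$1")
    dd if=/dev/zero of="$1" bs="$size" count=1 conv=notrunc 2>/dev/null
    sync
}

# Return 0 only if every byte of $1 reads back as zero. The wipe tool's
# own exit status is not evidence; the read-back comparison is.
verify_zeroed() {
    size=$(wc -c < "$1")
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Append one inventory row: asset id, method, verification result, UTC time.
record_disposal() {
    inventory=$1; asset=$2; method=$3; result=$4
    printf '%s,%s,%s,%s\n' "$asset" "$method" "$result" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$inventory"
}

# Sanitize image $2 for asset $3 and log the result into inventory $1.
# Returns 0 only when the wipe was independently verified.
decommission_media() {
    inventory=$1; image=$2; asset=$3
    wipe_image "$image"
    if verify_zeroed "$image"; then
        record_disposal "$inventory" "$asset" "overwrite-zero" "verified"
        return 0
    fi
    record_disposal "$inventory" "$asset" "overwrite-zero" "FAILED"
    return 1
}

# Demonstration on constructed data (hypothetical asset LAPTOP-HYP-042).
img=$(mktemp); inv=$(mktemp)
printf 'MRN 00012345 DOB 1970-01-01 Dx: constructed sample ePHI\n' > "$img"
verify_zeroed "$img" && echo "unexpected: sample image already blank"
if decommission_media "$inv" "$img" "LAPTOP-HYP-042"; then
    echo "wipe verified; inventory row written:"
    cat "$inv"
fi
rm -f "$img" "$inv"
```

Two caveats a practitioner should keep in mind. First, a read-back check proves only what the device's controller is willing to return: on flash media (SSDs, USB sticks, phone storage) wear-levelling can leave copies of old data in blocks the host can no longer address, so an overwrite-and-verify pass is not sufficient on its own and the device's built-in secure-erase command or physical destruction is the appropriate method. Second, the inventory row is the record you will be asked for after the fact, so it should be written whether the wipe succeeded or failed, never only on success.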
The number of HIPAA settlements and fines has grown steadily over the past few years. The organizations that paid them had typically failed to perform risk assessments or to implement basic safeguards such as properly configured firewalls. Organizations that suffered a data breach paid an average of $5.9 million in related costs. That may be a small sum for a business earning millions or billions of dollars, but it also damages something far harder to rebuild: patients' trust. Complying with the HIPAA Security Rule is in everyone's interest.
For more information about HIPAA compliance and data destruction, please contact us. We will be happy to assist you with all your e-waste needs.