The patient data hacks of recent years are stories of deviant employees and careless contractors, poorly secured servers, and insufficient encryption. Many of these crises have been entirely preventable.
Unfortunately, it’s no longer just a matter of someone seeing the data without permission. It’s a matter of professional hackers out to steal information in bulk to sell on the black market for hundreds of dollars per profile. IT security experts say health data fetches a much higher price in criminal markets than mere credit card or Social Security information.
If a data breach affects more than 500 people, the health care provider in question not only has to notify the Department of Health and Human Services (HHS), which may issue hefty fines, it also has to alert prominent media outlets. (Smaller breaches are logged and reported to HHS annually, and the affected individuals must be notified in every case.) A large breach could easily signal the embarrassing end of an otherwise resilient practice.
Under the Omnibus Rule, a hosting company that stores or transmits your protected health information is a business associate: it is directly liable for its own HIPAA violations, and you remain accountable for choosing that vendor and binding it by contract. Whether you need to host a website for a one-doc shop or a patient management platform for a large hospital complex, HIPAA should guide your choice of vendor. Here are the most important security solutions data managers need to look for when shopping for a HIPAA compliant hosting company.
Firewall
Your web host must offer comprehensive firewall coverage among its HIPAA compliant solutions: network firewalls in front of the servers and host-based filtering on each system, so that every piece of software, hardware, and every application is reachable only on the ports it actually needs.
Multifactor Authentication
HIPAA's Security Rule requires person or entity authentication but does not prescribe a technology; in practice, all critical points of access to patient data should be protected by multifactor authentication. Two-factor authentication means users seeking access must present two different kinds of evidence, typically (A) something they have, a tangible object like a smart card, USB token, or authenticator app, and (B) something they know, such as a password or PIN (a biometric, something they are, is a third option). In other words, when it comes to accessing patient data, passwords alone are not enough.
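The possession factor in (A) is most often implemented today as a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app or hardware token and checked by the server. The Python below is an added illustration, not code from the original article or from any hosting vendor. It uses the RFC 6238 test-vector seed as a constructed demo secret, and the TotpVerifier class is a hypothetical name for the server-side check; it shows the two details a careless implementation omits, a small clock-skew window and rejection of a code that has already been used.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 test-vector seed, base32-encoded.
# A real deployment generates a random secret per user and stores it encrypted.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown to the user


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(secret_b32, t // STEP_SECONDS)


class TotpVerifier:
    """Server-side check of the 'something you have' factor (hypothetical helper).

    Accepts the current step plus skew_steps either side to tolerate clock drift,
    and remembers the highest step already accepted so a captured code cannot be
    replayed within the window.
    """

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret_b32 = secret_b32
        self.skew_steps = skew_steps
        self.last_step_used = -1

    def verify(self, code: str, at_time: Optional[int] = None) -> bool:
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        t = int(time.time()) if at_time is None else at_time
        now_step = t // STEP_SECONDS
        for step in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if step <= self.last_step_used:
                continue  # this step (or an earlier one) was already consumed: replay
            expected = hotp(self.secret_b32, step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step_used = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, 59)            # what the user's app would show at t=59
    print(code, verifier.verify(code, 59))       # accepted once
    print(code, verifier.verify(code, 59))       # same code again is rejected
```

The verifier only proves the user holds the shared secret; it must sit behind the password check (the knowledge factor), and the secret itself is as sensitive as a password hash and should be stored accordingly.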
Backup and Recovery
All important health records need to be backed up, and all backups must be encrypted and stored both on-site and off-site. In general, sensitive data needs to be both archived and accessible. You have to be able to restore the information (and should test that restores actually work), but you also must be able to permanently dispose of it at a defined point in a retention schedule. HIPAA does not prescribe a backup file format; the ANSI ASC X12N standard it references governs electronic claims and other administrative transactions, not backups.
Encryption
Encryption is one of the most important HIPAA compliant requirements: data encrypted in line with HHS guidance is not considered "unsecured" protected health information, so its loss or theft does not by itself trigger breach notification. The American Medical Association says encryption is essential for all:
- Practice and patient management systems
- Electronic medical records (EMRs)
- Medical billing systems
- Claims and payment appeals
- Scanned copies of communications
- Emails referencing patient data
- Backups and archives
SSL/TLS Certificates
SSL stands for Secure Sockets Layer; its successor, TLS (Transport Layer Security), is what modern servers actually negotiate, though the certificates are still sold as "SSL certificates". You need a valid certificate and HTTPS on every page in your domains and subdomains, not just the login form. With TLS, end users can view websites or apps over an encrypted, authenticated connection and exchange information in privacy without downloading any special software. Without it, anyone on the network path, from a coffee-shop Wi-Fi operator to a compromised router, can read or alter information in transit. TLS support is a no-brainer feature of HIPAA compliant hosting plans, but the certificate only protects the connection if the browser or client on the other end actually verifies it.
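To make the last point concrete: a connection can be encrypted and still be exposed if the client never checks who it is talking to, which is exactly what happens when an integration script disables certificate verification to make a warning go away. The Python below is an added example, not code from the original article or any vendor. The function names hardened_client_context, weak_client_context and audit_context are hypothetical; the settings they manipulate are the standard-library ssl module's own, which is what a portal integration or monitoring script would use.

```python
import ssl
from typing import List, Optional


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context for talking to a patient portal or API over TLS.

    Refuses anything below TLS 1.2, requires a certificate chaining to a trusted
    CA, and checks that the certificate matches the hostname being contacted.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'it has SSL' configuration that silences certificate warnings.

    Traffic is encrypted, but any on-path attacker who presents their own
    certificate is accepted, so the encryption protects nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode below
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate from anyone
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of finding tags for a client context; empty means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("unverified-certificate")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak-protocol-floor")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:    ", audit_context(weak_client_context()))
```

audit_context is the check to run over every context a script or service builds; the same three properties (certificate verification, hostname matching, a TLS 1.2 floor) are what to ask a hosting vendor about on the server side, where the equivalent is a correct certificate chain and disabled SSLv3/TLS 1.0/1.1.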
Virtual Private Network (VPN)
A Virtual Private Network (VPN) is often likened to a tunnel through the Internet: traffic between the user's device and your network is encrypted end to end, so the networks in between see only ciphertext. Using a VPN, patients, for instance, who log in to view their own information from an unsecured Wi-Fi connection can connect to your organization's network securely from wherever they are. VPN HIPAA compliant solutions can be used to connect branch and home offices, remote clinicians, patients, and more.
Old-school VPNs required participating devices to have special client software, but now many health care organizations use an SSL VPN (a VPN carried over TLS) as their remote access solution. Because TLS is built into every web browser, users can reach an SSL VPN from almost any device without installing anything. VPNs aren't fail-safe, however: a tunnel only authenticates whoever holds the credentials, and any device can connect, including an unmanaged or infected one. They should always be paired with strong encryption, two-factor authentication, and a policy on which devices are allowed in.
Business Associate Agreement
The Business Associate Agreement (BAA) is one of the most important HIPAA compliant requirements. Under the Omnibus/HITECH regulations, you and your web host must sign a BAA before any patient data reaches its servers. Identify a hosting company that knows about BAAs and is willing to sign one; a vendor that refuses, or offers only generic terms of service, should be disqualified. Separate BAAs must also be signed by any subcontractors the host hires that could access your patient data.
In addition to the above items, look for a HIPAA compliant hosting company with well-established action protocols in the event of a data breach or inappropriate exposure, including how quickly it will notify you, since your own notification clock starts when the breach is discovered. Ask if they can pass an audit by the HHS Office for Civil Rights (OCR). Better yet, have they already? Web hosts also need robust physical security for their servers, which means data centers with on-site employees and building security systems in place.
The stakes are high when it comes to health care data security. Be careful to utilize only vendors that can prove they are truly HIPAA-compliant. Since it’s much cheaper to protect patient data in the first place than to deal with a breach, choose a web host based on the comprehensive nature of its risk-cutting features. You get what you pay for when it comes to health IT security.