Healthcare providers are often left scratching their heads over how to satisfy HIPAA requirements. We don’t blame you. The verbiage used sometimes sounds like it was written up by a drunk lawyer with the intent to confuse. They want to give guidelines without being prescriptive. The challenge is that it might be easier if they did just give you a specific list.
Mapping the right security controls to the requirement based on the language used can be tedious. We want to help. Acknowledging that there is more than one way to skin a cat, and that this list is focused on security controls and not administrative or physical safeguards, we’ll try to give you some shortcuts. This is NOT an exhaustive list, but really meant to be a primer and help make getting started on a daunting task easier. We recommend that all healthcare organizations consult with their IT team as well as do audits with a HIPAA compliance specialist.
Security Controls
In compliance we talk about the software or technical solution that satisfies a HIPAA requirement as a security control. We’ll peek at a bunch of requirements, and give you examples of controls that could satisfy those requirements.
§164.312(c)(1)
Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
It’s easy to be confused by this regulation as it just says that we need to protect PHI. Security professionals typically reference other standards such as NIST SP 800-53 to help fill in the blanks and understand that boundary protection is essential to guard PHI from public access. The most common form of boundary protection is a firewall.
So, a firewall is what they are after here as the control. We know it doesn’t specifically mention firewall, but it’s pretty much agreed that is the solution that will help give the boundary protection they were after.
Here’s how a firewall helps. It provides the first line of defense between your internal network and the great ugly world of the internet. Any traffic that wants to pass into your network must go through the firewall, which can be configured with rules so that it knows what to allow in and what to block. Modern firewalls also include security features that can help identify and stop brute-force attacks and malicious attachments, keep logs of what was allowed and blocked, and more.
Control Recommended: Properly Configured Business Firewall with Logging
§164.312(a)(1)
Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
So, what is access control? It’s a system that decides who gets in and who doesn’t. The simplest form of this is typically a username and password. For that system to be practical for HIPAA we also need to be able to revoke access to a user quickly when they leave the organization.
There are a bunch of ways to satisfy this requirement. For ease of administration Microsoft Active Directory is a good choice because it can satisfy multiple requirements at the same time. Access can also be controlled with a carefully managed RMM (remote monitoring and management) solution, or even using local credentials on Windows.
Active Directory allows you to easily create and assign usernames and passwords to all staff and shut off their access quickly when needed.
Control Recommended: Microsoft Active Directory
§164.312(a)(2)(i)
Standard: Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
Another requirement for access control is that each one of those users must have a unique username and password. That means that generic shared logins like nurse1 or similar are not acceptable.
This is easily centrally managed from Windows Active Directory. It allows you to audit and ensure there are no shared logins in use as well as create unique logins for each authorized individual that needs to access the system.
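As an added example (not from the article), the following PowerShell audits an Active Directory domain for the two gaps these requirements target: enabled accounts that nobody has used recently, which usually means a departed employee whose access was never revoked, and logins whose names look like shared role accounts rather than individuals. The ninety-day threshold and the naming patterns are assumptions; adjust them to your written policy.

```powershell
# Added example (not from the original article): audit an AD domain for
# access-control gaps against 164.312(a)(1) and 164.312(a)(2)(i).
# Requires the RSAT ActiveDirectory module and rights to read user objects.
Import-Module ActiveDirectory

# Assumed naming patterns that usually indicate a shared, non-unique login.
$SharedLoginPatterns = @('^nurse\d*$', '^frontdesk\d*$', '^reception\d*$', '^(shared|generic|temp)\w*$')
$StaleDays = 90   # assumed threshold; set it to match your written policy

function Get-HipaaAccessFindings {
    param([int]$StaleAfterDays = $StaleDays)

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    $users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated

    foreach ($u in $users) {
        # Finding 1: enabled account that nobody has used recently. Departed
        # staff whose access was never revoked show up here.
        $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
        if ($lastSeen -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Finding        = 'StaleEnabledAccount'
                Detail         = "No logon since $($lastSeen.ToShortDateString())"
            }
        }
        # Finding 2: name looks like a role or shared login rather than a person.
        foreach ($pattern in $SharedLoginPatterns) {
            if ($u.SamAccountName -match $pattern) {
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Finding        = 'PossibleSharedLogin'
                    Detail         = "Matches pattern '$pattern'"
                }
                break
            }
        }
    }
}

# Revoke access for a departed user: disable rather than delete so the
# account's audit trail survives for later investigations.
function Revoke-DepartedUserAccess {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Disable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName -Description "Disabled $(Get-Date -Format yyyy-MM-dd): left organization"
}

Get-HipaaAccessFindings | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
```

Run the audit on a schedule and keep the output; a dated report of findings and the accounts you disabled is exactly the evidence a HIPAA auditor asks for.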
Control Recommended: Microsoft Active Directory
§164.308(a)(5)(i)
Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
A security awareness training program is just ensuring that your staff gets education about cybersecurity threats and what to look out for. Humans are a big part of your defense. You can invest a lot of time and money into putting quality systems in place to secure PHI, but your staff can easily circumvent them and put you at risk without the right education.
There are a lot of good solutions for training your people out there that would meet this requirement. You could simply hire a trainer to come in on a regular basis. The difficulty here is that it requires your staff to be away from patients during the training. Our clients have had more success with simple online training programs that are easier to fit into their busy day.
Some potential options are KnowBe4, TitanHQ, Cyberbit, and our favorite, Phin. We like Phin because it’s easy to set up and get running, allows you to run test phishing campaigns to gauge your team’s current level of education, and runs automated campaigns that arrive via email. Best of all, the lessons are video segments that are typically only about 5 minutes long, followed by a few questions to confirm understanding. These bite-size training chunks are a good fit for healthcare because they fit into your busy days.
Control Recommended: Phin
§164.308(a)(5)(ii)(D)
Standard: Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
This one is more straightforward. You need a solution that allows you to create rules for your passwords: for example, a minimum length and complexity, and a requirement that they be changed on a regular basis. You should also have in your written policies that your staff should not write down their passwords and leave them lying around.
Again, Microsoft Active Directory solves this problem. It allows you to create and centrally administer policy on your passwords at an organizational level.
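As an added example (not from the article), this PowerShell reads the domain’s default password policy and compares it against the minimums in your written policy, so you can show that the rules you documented are the rules the domain actually enforces. The threshold values are assumptions; replace them with your own.

```powershell
# Added example (not from the original article): verify that the domain's
# default password policy meets the organization's written minimums.
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed minimums; adjust to your own written password policy.
$Required = @{
    MinPasswordLength    = 12
    ComplexityEnabled    = $true
    MaxPasswordAgeDays   = 90      # article: passwords must be changed regularly
    PasswordHistoryCount = 10      # stops users from cycling back to an old password
    LockoutThreshold     = 5       # failed attempts before the account locks
    ReversibleEncryption = $false  # never store passwords in recoverable form
}

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    # MaxPasswordAge and LockoutThreshold of 0 mean "never" / "no lockout",
    # so those are treated as non-compliant rather than as "very strict".
    $checks = @(
        @{ Name = 'MinPasswordLength';    Actual = $p.MinPasswordLength;           Ok = $p.MinPasswordLength -ge $Required.MinPasswordLength }
        @{ Name = 'ComplexityEnabled';    Actual = $p.ComplexityEnabled;           Ok = $p.ComplexityEnabled -eq $Required.ComplexityEnabled }
        @{ Name = 'MaxPasswordAgeDays';   Actual = $p.MaxPasswordAge.TotalDays;    Ok = ($p.MaxPasswordAge.TotalDays -gt 0 -and $p.MaxPasswordAge.TotalDays -le $Required.MaxPasswordAgeDays) }
        @{ Name = 'PasswordHistoryCount'; Actual = $p.PasswordHistoryCount;        Ok = $p.PasswordHistoryCount -ge $Required.PasswordHistoryCount }
        @{ Name = 'LockoutThreshold';     Actual = $p.LockoutThreshold;            Ok = ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $Required.LockoutThreshold) }
        @{ Name = 'ReversibleEncryption'; Actual = $p.ReversibleEncryptionEnabled; Ok = $p.ReversibleEncryptionEnabled -eq $Required.ReversibleEncryption }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{ Setting = $c.Name; Actual = $c.Actual; Compliant = $c.Ok }
    }
}

Test-DomainPasswordPolicy | Format-Table -AutoSize
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default for specific groups, so check any of those the same way.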
Control Recommended: Microsoft Active Directory
§164.308(a)(2)(iii)
Standard: Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
The problem that we’re trying to address here is unattended PHI. Specifically, when your staff is logged into EMR software charting and goes to the next room or patient without logging out. This leaves sensitive data up on the screen and open for public consumption. In a perfect world every user would simply log out as they leave, but people aren’t perfect.
Like all other controls there are multiple ways to solve this problem. Typically, it’s done by implementing screen lock via policy and controlled by either Microsoft Active Directory Group Policy, or another scripting mechanism. When there is no activity by the user for a set amount of time it triggers a screen lock.
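As an added example (not from the article), this PowerShell sets and verifies the idle lock on a single workstation. The Group Policy setting "Interactive logon: Machine inactivity limit" writes the same registry value, so on domain-joined machines set it in GPO and use only the check function to confirm the policy landed. The five-minute limit is an assumption.

```powershell
# Added example (not from the original article): enforce and verify an idle
# screen lock on a Windows workstation (HIPAA automatic logoff).
# The GPO "Interactive logon: Machine inactivity limit" writes this same value.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'InactivityTimeoutSecs'
$MaxIdleSec = 300   # assumed: 5 minutes; pick what fits your clinical workflow

function Set-IdleScreenLock {
    param([int]$Seconds = $MaxIdleSec)
    # Run from an elevated prompt. A value of 0 disables the limit, so reject it.
    if ($Seconds -le 0) { throw 'Inactivity limit must be a positive number of seconds.' }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Seconds -PropertyType DWord -Force | Out-Null
}

function Test-IdleScreenLock {
    param([int]$MaxSeconds = $MaxIdleSec)
    # Missing value means no machine-wide limit is enforced at all.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        IdleSeconds  = $current
        Compliant    = ($null -ne $current -and $current -gt 0 -and $current -le $MaxSeconds)
    }
}

Test-IdleScreenLock
```

On a stand-alone machine (no domain), call Set-IdleScreenLock once and then Test-IdleScreenLock to confirm; the setting takes effect at the next logon.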
Control Recommended: Microsoft Active Directory
§164.308(a)(7)(ii)(A-B)
Standard: Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
Having a backup and disaster recovery plan is an important part of any smart IT plan, and a requirement of HIPAA. There’s really a whole discussion here about backups, recoverability, where your sensitive data resides, cost of downtime and more. For the sake of this article, we’re just going to focus on having a plan to back up your data and recover if there was an emergency.
The way you back up your data matters because it affects how quickly you’ll be able to get back to operations if there is an outage. If your data is just a plain copy on external storage, it may take quite a while to get operational again. The process would be to get new hardware, install the operating system, install all applications, configure those applications, restore data, and test.
Instead, we recommend using an image-based backup solution. This captures the entire server or workstation, including the OS, applications, and data, so the restore process is MUCH faster: get new hardware and restore your image.
To take it even further you can have backup hardware that can replace your servers where the backups are stored. In that scenario you simply go to your backup on the backup server and hit “play”. The same backup server pushes a copy of your data up to secure offsite cloud storage. This allows you to recover quickly in an emergency and satisfy the requirement for a disaster recovery plan.
Backups and disaster recovery are critical in healthcare and should be designed around the needs of your organization. Obviously, if you work in an ER, you may need more advanced systems that allow for high availability and instant recovery. Take the time to discuss with your IT team what solution is right for your business so that you can continue to give critical care to patients in need.
Control Recommended: Veeam Backups with Local and Offsite Storage
§164.312(e)(2)(ii)
Standard: Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Ok, so everybody’s heard about encryption, but what are they wanting in this context? The intent here is to ensure that we’re taking steps so that even if a device with PHI is lost or stolen, the data won’t be easily accessible. Having encryption enabled can essentially render the data unreadable to an unauthorized accessor.
How do we do encryption? The simplest solution that we’ve found to satisfy this requirement is to turn on Microsoft BitLocker. It comes built in on Windows 10 and 11 Pro, and again can be administered centrally by group policy. This will protect any data saved on the hard drives of the machines that have it enabled. Many EMR packages also have encryption solutions built into their software.
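As an added example (not from the article), this PowerShell reports whether every BitLocker volume on a machine is actually protected, not just "turned on": a drive that is fully encrypted but has protection suspended, or that has no recovery password escrowed anywhere, will still cost you PHI or data. It also escrows recovery passwords to the computer object in Active Directory, which is what lets you unlock a drive after a failed update or a forgotten PIN.

```powershell
# Added example (not from the original article): report whether every fixed
# drive on this machine is protected by BitLocker, and escrow the recovery
# password to Active Directory so a locked drive can still be recovered.
# Requires Windows 10/11 Pro (BitLocker module) and an elevated prompt.
function Get-BitLockerComplianceReport {
    foreach ($v in Get-BitLockerVolume) {
        $recovery = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        [pscustomobject]@{
            Drive          = $v.MountPoint
            Type           = $v.VolumeType          # OperatingSystem or Data
            Status         = $v.VolumeStatus        # FullyEncrypted is the goal
            Protection     = $v.ProtectionStatus    # On = keys sealed; Off = suspended
            Method         = $v.EncryptionMethod
            HasRecoveryKey = [bool]$recovery
            # Encrypted-but-suspended or encrypted-with-no-recovery-key both fail.
            Compliant      = ($v.VolumeStatus -eq 'FullyEncrypted' -and
                              $v.ProtectionStatus -eq 'On' -and [bool]$recovery)
        }
    }
}

# Escrow each recovery password to the computer object in AD. The GPO
# "Store BitLocker recovery information in Active Directory Domain Services"
# does this automatically for newly encrypted volumes; this covers drives
# that were encrypted before that policy existed.
function Backup-BitLockerRecoveryKeysToAD {
    foreach ($v in Get-BitLockerVolume) {
        foreach ($kp in ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
}

Get-BitLockerComplianceReport | Format-Table -AutoSize
```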
Control Recommended: Microsoft BitLocker
§164.312(e)(1)
Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
What does this one mean? Since we already have an injunction to encrypt PHI when appropriate, and we are being told to protect transmitted PHI, we must look at how we send patient data. The most common way is via email. They want us to ensure that we’re encrypting any patient data sent via email.
The right solution for your organization will depend on the email solution you use. If your organization is on Office 365 Microsoft Defender is likely a good choice. If your company is on Gmail, we’ve had good luck with Proofpoint. There are MANY email encryption solutions on the market, and virtually all of them will meet the requirements of HIPAA if configured properly.
Control Recommended: Microsoft Defender for Office 365 or Proofpoint for Gmail
§164.308(a)(5)(ii)(A)
Standard: Security reminders (Addressable). Periodic security updates.
Microsoft releases security patches and updates every week. These need to be applied to all workstations and servers in a timely manner to maintain security. With many devices this can get cumbersome to manage on individual machines (although it is possible). We recommend implementing a solution that will allow you to centrally administer all patches and updates as well as test them.
Like most requirements, there are various solutions you could choose to do this. Microsoft’s WSUS (Windows Server Update Services), dedicated patch management software, or a remote monitoring and management solution will all do the trick.
We recommend a solution called Automate. It allows central patch management where you can schedule a maintenance window, test patches in various stages, and automate the deployment of those patches. It simplifies administration and makes it easy to ensure your network is up to date with protections against the latest vulnerabilities.
Control Recommended: ConnectWise Automate
§164.308(a)(5)(ii)(B)
Standard: Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
This one is straightforward. When referring to malicious software they mean viruses. So, they want you to have antivirus on all your systems. More specifically, they want an antivirus that can protect against, detect, and report any threats.
Again, there are a million antivirus products out there that will likely satisfy this requirement. We recommend looking for a solid EDR (endpoint detection and response) product that will really address the requirements laid out and offer a good level of protection. We’ve tried numerous products over the years and currently like one called Huntress.
Control Recommended: Huntress or Comparable EDR
§164.310(d)(2)(i)
Standard: Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
The intent of this requirement is to ensure secure disposal of PHI. That means that when a computer or other device with PHI is retired from service there should be some way to ensure that all PHI is destroyed. This is typically done by removing the drive holding the data and putting it through a purpose-built shredder, or by performing a government-level wipe that writes 1s and 0s over the drive seven times to ensure all data is erased and unrecoverable. Either option will meet HIPAA requirements. Just make sure that you get a certificate of destruction.
Control Recommended: ShredOS Software or Certified Destruction like Shred-it
Conclusion
HIPAA compliance can be complex and time consuming. We hope that this primer helps you to better understand some of the requirements and the security controls that map to them. There really isn’t a single way to comply, and the recommended solutions aren’t the only ones that will work. They’re simply some that we’ve used with good success for our clients over the years.
It’s important to keep in mind that these rules aren’t static. They may evolve as new technologies and security threats emerge. You may need to adjust your approach over time.
This is NOT COMPREHENSIVE. There is a lot more to think about than the items I’ve outlined here. Our hope is that this helps you get off to a good start and demystifies some of the mapping of requirements. If you have questions, reach out to your IT team or the pros here at i.t.NOW. We love working with healthcare providers and making compliance simple.