With the healthcare industry accounting for 1 out of 5 data breaches at an average cost of $7.13 million USD, how well an organization can maintain Health Insurance Portability and Accountability Act (HIPAA) compliance can mean the difference between recovery and bankruptcy. This makes finding and remediating HIPAA violations a priority for a healthcare provider’s IT team.
This article takes a look at three common violations — failure to perform risk analysis and management, failure to enforce access controls of patient health information, and failure to use encryption to safeguard data — as well as how SecureCloudDB makes compliance easy.
Failure to Perform Risk Analysis and Management
Failure to perform risk analyses on infrastructure is one of the most common HIPAA violations to result in a financial penalty. Without regularly scheduled risk analyses, organizations have no view into the infrastructure’s integrity and no ability to determine whether vulnerabilities exist. With an average of 329 days before a healthcare breach is detected and remediated, this can leave the network vulnerable to attack for almost a year.
Two recent HIPAA settlements for the failure to perform risk assessment include:
- Premera Blue Cross, which agreed to pay $6.85 million USD
- Excellus Health Plan, which agreed to pay $5.1 million USD
How SecureCloudDB Helps: Security Violations, Risk Assessment, and Audit Coverage at a Glance
The Security Violations Report provides a full history of any security rules violations discovered across all accounts and database services, ranking them by severity. This, combined with the provided remediation steps, reduces the time it takes to investigate and fix problems, thereby reducing risk levels.
The Risk Assessment Report is essential to risk management because it allows you to quickly and efficiently determine if data is at risk on the basis of four critical coverage areas:
- Business Continuity (summarizes the degree to which core business functions could be severely impacted if critical systems are taken offline)
- Data Exposure (grades how likely it is that data will be subject to unauthorized access)
- Auditability (ranks the ability of an external system to determine whether or not your system is secure)
- Data Protection (classifies the encryption level of data)
The Audit Coverage Report provides detailed information on any databases and backups that have undergone an audit in the environment, ensuring that databases in need of attention are identified so they can be looked at.
This reporting provides a full representation of an organization's environment and an accurate overview of security posture against out-of-the-box and custom rules to ensure that administrators have a reliable read on risk levels and what actions need to be taken to reduce vulnerabilities.
Failure to Enforce Access Controls of Patient Health Information
Since healthcare organizations have detailed records about patients’ personal, payment, and health information, HIPAA requires that access to this information be limited to authorized individuals only. Unauthorized access, whether by a cyber attacker or by a rogue employee, can create a major HIPAA compliance headache for an organization.
A few HIPAA settlements for the failure to enforce access controls include:
- Anthem Inc., which agreed to pay $16 million USD
- Memorial Healthcare System, which agreed to pay $5.5 million USD
How SecureCloudDB Helps: Database Activity and User Privilege Monitoring
Thinking that the system is locked down and secure isn’t enough. Organizations need to assume that their environment is compromised at all times and look for assurance that access controls are up to date and that cloud databases are protected.
SecureCloudDB's Database Activity Monitoring helps organizations identify anomalous behavior by monitoring Insert, Modify, or Delete actions. Additionally, the User Assessment Report provides an overview of active users across a database environment and the permissions contained within their database account.
Failure to Use Encryption to Safeguard Data
While encryption is not mandatory under HIPAA, data that is not encrypted must be secured using an alternative means. If a data breach occurs and unencrypted data is leaked, it can be used against a healthcare organization and result in higher penalties.
Recent HIPAA settlements for breaches that were made worse by encryption failures include:
- Children’s Medical Center of Dallas, which agreed to pay $3.2 million USD
- CHCS of the Archdiocese of Philadelphia, which agreed to pay $650,000 USD
How SecureCloudDB Helps: Encryption Status Reporting
Best practices underscore the importance of encrypting data at rest and in transit, as well as on endpoints. Out of the box, SecureCloudDB ships with an Encryption Status Report for both databases and backups to help organizations verify encryption via a point-in-time snapshot across all cloud accounts. Additionally, organizations can apply standard SecureCloudDB policies and notifications or set up custom ones to receive alerts anytime encryption is turned off for a database or backup in the environment.
SecureCloudDB’s robust analysis and reporting capabilities help ensure that an organization’s cloud database environment is compliant with HIPAA regulations. Ultimately, this helps avoid costly penalties, remediation costs, and loss of customer trust and confidence.
Today we support AWS cloud database services (others coming soon), cover traditional databases hosted on EC2 instances, and provide monitoring and tracking before, during, and after cloud migrations.
60% of small to medium organizations in the healthcare industry will be breached; 90% will be bankrupt and out of business within a year after the incident. Download "Keeping Healthcare Data Safe in the Cloud," which discusses the risks and how to protect against them.