5 HIPAA Cybersecurity Requirements for CISOs

Because HIPAA Compliance Pays Off

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established privacy standards in the U.S. to protect sensitive data, from your social security number to the exact date and time of your tonsillectomy. Today, lawmakers have developed new HIPAA cybersecurity requirements to protect patients from the ongoing threat of cyberattacks and curb the steep rise in information theft — and non-compliance comes with a hefty price tag.

Link to Download Your Free HIPAA Cybersecurity Checklist

What CISOs Need to Know about HIPAA Cybersecurity Requirements

A record-setting 1,862 data breaches were reported worldwide last year, up 68% from the previous year. So it’s no wonder companies are being held accountable for the data they collect and store. HIPAA compliance requires hospitals and healthcare organizations to adhere to a handful of different rules to protect sensitive patient information.

1. Privacy

Patients have the right to keep their protected health information (PHI) private. PHI can encompass a variety of information on sensitive topics like diagnoses, appointments, and procedures.

2. Security

Organizations must secure PHI from unauthorized use and distribution. Think insurance information, names, addresses, and the like.

3. Enforcement

Entities protecting PHI must enforce security protocols at all times and initiate investigations in the event of a data breach. The best way to demonstrate this is to create and follow data protection protocols — and keep impeccable records in the event of an attack.

4. Breach Notification

Entities must inform appropriate local and national authorities should a breach occur. Data breach reports must note who contacted whom and what information was shared.

5. Omnibus

The Omnibus Rule updated HIPAA with cybersecurity in mind (thanks to the HITECH Act). The rule clearly states that organizations are liable for their compliance with HIPAA (more below).

How to Meet HIPAA Compliance Requirements

With the addition of the HITECH Act to HIPAA, healthcare organizations need to be much more vigilant about maintaining their HIPAA compliance. There are several ways healthcare cybersecurity professionals can stay on top of meeting HIPAA requirements.

Compile a Comprehensive Risk Assessment

It pays to be prepared. Get started by combing through your company’s data collection, processing, and storage methods with your IT team to identify risk factors and exploitable gaps. Use the Office of Civil Rights (OCR) Audit Protocol designed for HIPAA compliance as your road map.

Address Risk Factors, and Amend Compliance Gaps

Having completed an audit, prioritize meeting HIPAA’s compliance criteria. Keep updated records on the measures you’re taking and the lengths you’re going to for improvement. In the event of a future cybersecurity breach, you may need to prove in writing that you made every effort possible to protect your data.

Once Everything is in Order, Develop a Process to Keep it That Way

Automated reporting will alert you to any deviations in compliance. Schedule regular training sessions with employees to keep everyone in the know about the latest requirements. Make it a habit to look for ways to improve your defenses, whether that means overhauling your process or just trying out new software. Stagnation is your enemy.

HIPAA Violations Could Cost You Big Time

We know protecting your clients’ information is motivation enough to take cybersecurity seriously, but take a moment to consider how a data breach will affect your organization’s bottom line, especially if you’re out of compliance. Violations are broken down into tiers and, depending on how many records are at risk, the costs are staggering.

Below is a summary of what it could cost a business per record affected if found non-compliant.

Tier 1 Violation — Lack of Knowledge

An entity is reasonably HIPAA compliant. However, it was unaware of the violation and could not have easily avoided it.

Penalty: $100 – $50,000 per record

Tier 2 Violation — Reasonable Cause

An entity is not quite considered neglectful of HIPAA compliance.

Penalty: $1,000 – $50,000 per record

Tier 3 — Willful Neglect

An entity is found neglectful of HIPAA compliance; however, it corrects the violations within a stated time period.

Penalty: $10,000 – $50,000 per record.

Tier 4 — Willful Neglect (Not Corrected)

An entity is neglectful of HIPAA compliance and does not correct its violations.

Penalty: $50,000 per record, up to an annual maximum of $1.5 million.

Get to Work

Follow cutting-edge cybersecurity best practices to prevent data breaches and prepare for the worst-case scenarios. Not only does protecting your data pay off in reputation and preserve trust from your customers — it saves a bundle in legal expenses. If all of that has you sweating, make sure your organization is prepared with cyberattack simulations and cyber wargames to gain some peace of mind.

Want more information on healthcare cybersecurity? Check out these other helpful resources:

Learn how to take your approach to malware from 2002 to 2022.
Understand how much money it takes for hospitals to truly recover from a cyberattack. (Spoiler: It’s in the million$$$.)
Weigh the pros and cons of hospitals negotiating with cyberterrorists after a ransomware attack.