
What is Considered a HIPAA Breach in 2019?

By Marty Puranik, co-founder, Atlantic.Net.

Manoj "Marty" Puranik

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, consists of a set of rules and regulations that protect the privacy and security of health information and give individuals certain rights over their own health information.

Health and health-related entities play a pivotal role in protecting the privacy and security of sensitive data, so it is important that they understand exactly what constitutes a breach under HIPAA, in addition to knowing what the regulations actually require. Below are some examples of HIPAA breaches.

Foreword: not all data breaches are HIPAA breaches

It is common to assume that, under HIPAA, any data breach is automatically a violation of the regulations. That is not the case, and the reason is simple.

Breaches are relatively common and happen in virtually every industry. Even tech giants fall victim to attacks, so a company that adheres to every HIPAA requirement still cannot guarantee 100% security, especially given how quickly both technology and attackers evolve. What HIPAA requires is that reasonable safeguards were in place beforehand and that the incident is assessed, and where necessary reported, under the Breach Notification Rule; a violation arises when those obligations were not met, not from the mere fact that an attack succeeded.

Nathan Little, from Gillware Digital Forensics, has shared valuable knowledge about HIPAA breaches and why the data covered by HIPAA is so desirable for cybercriminals.

Unauthorized access to healthcare records

As one might expect, one of the most frequently reported types of breach is unauthorized access to healthcare records, which strikes at one of HIPAA's core goals: protecting those records. Usually committed by employees, this breach often results in termination and can lead to criminal charges for the offender. Less commonly, the entity itself is also fined.

Lack of PHI access controls

Protected Health Information (PHI) is any individually identifiable information about health status, the provision of health care, or payment for health care that is created or collected by a health or health-related entity. Safeguarding PHI is a central concern of HIPAA.

The HIPAA Security Rule clearly establishes that covered entities and their business associates (i.e., the other organizations with which they share PHI and related sensitive data) must ensure that PHI can only be accessed by authorized individuals. Missing or inadequate access controls are a common breach and are often met with substantial financial penalties.

Failure to encrypt (or otherwise protect) PHI

One of the most effective ways to protect PHI is to encrypt it at every stage: at rest, including offline backup media, and in transit over a network. Properly encrypted PHI also benefits from HIPAA's safe harbor: the loss or theft of encrypted PHI does not have to be reported as a breach, provided the decryption key was not compromised along with it. Two situations fall outside that protection: the key is stolen together with the data, or an attacker encrypts the data (as in a ransomware attack) so that the entity itself loses access to it, which HHS guidance treats as a presumptive breach.

HIPAA does not mandate encryption outright: in the Security Rule it is an "addressable" implementation specification, which means an entity that chooses not to encrypt must document why and put an equivalent safeguard in place. In practice, encryption is by far the best option for storing and transmitting PHI. Without it (or a documented equivalent), a lost laptop, a misdirected email or an intercepted transmission becomes a reportable breach.
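The safe-harbor argument above rests on one property: a stolen copy of the data must be useless without a key that is stored somewhere else. The following Go program is an added example, not code from the article or from Atlantic.Net, that shows what that looks like for a single record encrypted at rest with AES-256-GCM from the Go standard library. The record ID is bound as additional authenticated data so a blob cannot be swapped between records, and decryption fails closed on a wrong key or a modified blob. The sample PHI record, the record ID "rec-1" and the function names are constructed for illustration; in a real deployment the key would come from a KMS or HSM rather than being generated in the program.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// samplePHI is a constructed record for the example; it is not real patient data.
const samplePHI = `{"patient_id":"00012345","dob":"1980-04-02","dx":"E11.9"}`

// NewDataKey returns a fresh 256-bit AES key. In production the key lives in a
// KMS/HSM and is never written next to the ciphertext it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPHI seals plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag. recordID is bound as additional authenticated
// data, so a blob moved to a different record fails to decrypt.
func EncryptPHI(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptPHI reverses EncryptPHI. It returns an error on a wrong key, a
// modified blob, or a recordID that does not match the one used at encryption.
func DecryptPHI(key, blob []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// StolenBlobReadable models the safe-harbor question: holding only the stored
// blob and whatever key the attacker has, can the PHI actually be recovered?
func StolenBlobReadable(attackerKey, blob []byte, recordID string) bool {
	pt, err := DecryptPHI(attackerKey, blob, recordID)
	return err == nil && bytes.Contains(pt, []byte("patient_id"))
}

func main() {
	key, _ := NewDataKey()
	blob, _ := EncryptPHI(key, []byte(samplePHI), "rec-1")

	// Attacker has the blob (e.g. a stolen backup disk) but a different key.
	wrongKey, _ := NewDataKey()
	fmt.Println("readable with wrong key:", StolenBlobReadable(wrongKey, blob, "rec-1"))
	fmt.Println("readable with real key: ", StolenBlobReadable(key, blob, "rec-1"))

	// A single flipped bit in the stored blob is detected by the GCM tag.
	tampered := append([]byte{}, blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := DecryptPHI(key, tampered, "rec-1")
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point of `StolenBlobReadable` is the decision the safe harbor hinges on: if the attacker walks away with the blob alone, the answer is false and the incident is not a reportable breach; if the key was stored alongside the data and taken too, the answer is true and the breach must be handled like any other disclosure of PHI.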


What Is Your HIPAA Data Backup Plan?

By Marty Puranik, co-founder and CEO, Atlantic.Net.


The data backup plan is a required implementation specification of the HIPAA Security Rule's contingency plan standard. It obliges healthcare organizations to create, implement and maintain rules and procedures for backing up and restoring electronic protected health information (ePHI). Because it sits within the wider contingency planning requirements, any business associate (BA) or managed service provider (MSP) an organization chooses must be able to demonstrate a compliant backup service, one that can back up and restore exact copies of healthcare data when required.

The data backup plan should be integrated into the wider contingency plan because it is the failsafe for patient data. Most MSPs already offer disaster recovery technology that can move data and services to a secondary location almost instantaneously, but backups remain the last line of defense in a catastrophic system failure: they keep data restoration available in the worst possible scenarios.
