Areas of Neglect That Could Be Undermining Your HIPAA Posture 

Updated on June 3, 2024

HIPAA compliance is a serious concern for every healthcare provider and business associate that comes into contact with patients’ protected health information (PHI). Failure to comply brings significant consequences, including fines, penalties, and close scrutiny by HHS and its Office for Civil Rights (OCR). Poor HIPAA compliance also damages patient trust, potentially driving patients elsewhere, and harms your reputation, causing partners to avoid working with you.

Despite the clear and present danger of HIPAA non-compliance, its incidence is increasing, as indicated by the rising number of data breaches. With one exception, the number of healthcare breaches has grown every year since 2009, with 2023 seeing the unfortunate record of an average of 373,788 healthcare records breached every day. While it’s impossible to prevent every chance of a breach, solid HIPAA compliance is one of the best ways to keep the risk as low as possible. 

These breaches have occurred in healthcare organizations of all sizes, including very large ones. It’s not enough to have sufficient resources to dedicate to HIPAA compliance; healthcare providers also need to know the right ways to address it. 

Is your organization as compliant as you think it is? Here are a few issues that often secretly undermine your HIPAA compliance, going unnoticed until they are exploited. 

Weak Incident Detection And Reporting Processes

Your IT networks are bristling with firewalls, you regularly review your access permissions, and your IT teams run penetration testing on a regular basis. It’s easy to feel that your HIPAA compliance is watertight. But this protection can be undone in a moment if you don’t have an effective monitoring system. 

Precious hours, days, or months could tick by without you being aware of vulnerabilities or even an open breach. Continuous cyber monitoring enables security teams to detect, report, and respond to cyber threats in real time, thereby limiting damage and maintaining a strong HIPAA compliance posture. 

AgileBlue, a Security Information and Event Management (SIEM) solution, delivers 24/7 monitoring and immediate alerts for network traffic, system logs, and user behaviors, so you can proactively identify and mitigate vulnerabilities.  

Blindness To Partner Adherence

Healthcare business associates are governed by the same HIPAA rules as healthcare providers, but it’s a mistake to assume that they adhere to the same level of compliance. Additionally, this only applies to direct third-party partners; fourth-party associates aren’t necessarily obligated to comply with HIPAA regulations. 

Many healthcare providers might not even know who their third or fourth parties are, let alone which data is shared with them, leaving partner risk almost entirely unseen. This was emphasized in 2023, when telehealth startup Cerebral reported a data breach that was caused by improper data sharing with third-party advertisers through tracking pixels.

For tech companies, closing this HIPAA vulnerability requires careful curation of a Software Bill of Materials (SBOM), which helps reveal where your data could end up. It’s also necessary to raise your level of due diligence when investigating partners, and to pay attention to contractual requirements for third parties to share information about their own partners.

Emails That Open The Door To Breaches

Email is easy to use and familiar even for older and tech-hesitant patients. As a result, it’s frequently the mode of choice for routine communication like appointment reminders, information about follow-up care, or updates about new services on offer. 

But email’s familiarity can cause it to fly under the radar when checking for HIPAA compliance. Healthcare emails often contain PHI, and it’s not unusual for an email to be sent to the wrong address, and/or for the sender to forget to turn on email encryption. Analysis of the OCR’s HIPAA breach statistics for 2023 showed that 147 cases involved email, indicating the threat of email-related vulnerabilities. 

Using Paubox, which applies TLS encryption to all emails by default, helps prevent a human mistake from dragging down your HIPAA compliance. While other healthcare email services require patients to log into a portal to read their messages, Paubox removes this friction from the process, as it ensures that all email content is encrypted, all the way to the recipient’s inbox.

Poor Credential Management 

Managing access permissions is fundamental for HIPAA compliance, but it often goes overlooked. Many employees use weak passwords or default login settings; multi-factor authentication (MFA) is far from universal; and few systems are configured to validate identity claims. 

Some systems have access points with hard-coded credentials that allow attackers to bypass authentication entirely, and employees may receive permissions that go beyond their level of need. It’s vital to run regular sweeps that check for hard-coded credentials and disable default login settings that let users continue with an automatically generated weak username and password.

Employees need robust education about password and MFA protocols, and IT managers should update access permissions frequently, applying role-based access control (RBAC) and the least privilege principle. 
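The credential sweep described above, as an added example that is not code from the original article: it walks a set of configuration and source files, flags credential-looking keys whose values are blank, a known default, or a literal secret stored in the file, and ignores values that are resolved at runtime from an environment variable or secret store. The sample files, the default-value list and the runtime prefixes are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: three configuration/source files as they might sit on a
# clinic's servers. Hypothetical content written for this example, not from the page.
SAMPLE_FILES = {
    "app/settings.ini": "[database]\nhost = db.internal\nuser = ehr_app\npassword = admin\n",
    "devices/infusion-gateway.yaml": 'auth:\n  username: admin\n  password: ""\n  api_key: "hardcoded-placeholder-key"\n',
    "app/db.py": "import os\nDB_PASSWORD = os.environ['DB_PASSWORD']\n",
}

# Matches a config/source line that assigns a credential-looking key (password, secret, token...).
CRED_LINE = re.compile(
    r"^\s*(?P<key>[\w.-]*(password|passwd|secret|api_key|token)[\w.-]*)\s*[:=]\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)
# Constructed list of default/weak values; a real sweep would use the vendor defaults of each product.
DEFAULT_VALUES = {"admin", "password", "changeme", "default", "123456", "root"}
# Value prefixes meaning the secret is resolved at runtime (env var or secret store), not stored in the file.
RUNTIME_PREFIXES = ("os.environ", "os.getenv", "${", "env(", "vault:")

@dataclass
class Finding:
    path: str
    line: int
    key: str
    kind: str  # "blank", "default" or "hardcoded"

def classify(value: str):
    """Return the finding kind for a credential value, or None if it is fetched at runtime."""
    v = value.strip().strip("\"'")
    if not v:
        return "blank"            # empty password: no login protection at all
    if v.lower() in DEFAULT_VALUES:
        return "default"          # automatically generated / vendor default left in place
    if v.startswith(RUNTIME_PREFIXES):
        return None               # acceptable: secret injected from environment or vault
    return "hardcoded"            # literal secret committed to the file

def sweep(files: dict) -> list:
    """Walk every line of every file and collect credential findings."""
    findings = []
    for path, text in files.items():
        for number, line in enumerate(text.splitlines(), start=1):
            match = CRED_LINE.match(line)
            if match:
                kind = classify(match.group("value"))
                if kind:
                    findings.append(Finding(path, number, match.group("key"), kind))
    return findings

if __name__ == "__main__":
    for f in sweep(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind:9} {f.key}")
```

Findings of kind "default" and "blank" are the ones to rotate first; "hardcoded" values should move to an environment variable or secret store so the file no longer carries them.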

Devices That Go Overlooked

Healthcare organizations are made up of an enormous number of interconnected systems and devices, and that number is only increasing with the proliferation of smart monitoring devices. This creates a massive potential for blind spots, security gaps, and misconfigurations, with many connected devices going unnoticed while running on default credentials or with no login protection at all.

According to research published in the Medical and Biological Engineering and Computing journal (MBEC), electronic health records, wireless infusion pumps, endoscope cameras, and radiology information systems are the most vulnerable points on any healthcare system. 

Healthcare providers can use a tool like Claroty to discover undetected devices and check on their security settings. 

What You Don’t Know Can Hurt You

HIPAA compliance is the best defense against data breaches, but it’s also a sprawling and complex challenge. Some of the biggest vulnerabilities can go undetected in plain sight. By stepping back and taking a careful overview of every possible area of risk, your healthcare organization can discover and close gaps in your HIPAA posture. 


The Editorial Team at Healthcare Business Today is made up of skilled healthcare writers and experts, led by our managing editor, Daniel Casciato, who has over 25 years of experience in healthcare writing. Since 1998, we have produced compelling and informative content for numerous publications, establishing ourselves as a trusted resource for health and wellness information. We offer readers access to fresh health, medicine, science, and technology developments and the latest in patient news, emphasizing how these developments affect our lives.