Strict HIPAA Compliance: Playing Defense Against Cyberattacks

Updated on July 30, 2017

Adam Stern
As cyber-threats grow in both number and intensity, HIPAA compliance can’t be regarded as a check-off item.  A recent study by the law firm Baker Hostetler revealed that more healthcare data breaches occurred during calendar 2015 than any other type of data security event.  The report affirms previous analyses indicating that healthcare is consistently one of the sectors most affected by privacy and security violations.

Violations of HIPAA, the Health Insurance Portability and Accountability Act of 1996, are especially difficult to detect and potentially calamitous because of that difficulty.  If a single Social Security number leaves a healthcare provider’s facility, the loss can be catastrophic to the holder of that Social Security number.  Almost by definition, data losses by smaller providers don’t hit the radar, or the headlines, but that doesn’t diminish their power to do real damage.  In the case of that Social Security breach, every patient that provider serves is now a victim as well.  And smaller organizations have both a harder time being secure and being aware of their security situation. 

Every upstream provider that handles data needs to sign a BAA – a business associate agreement – in order to be in the HIPAA food chain. A BAA under HIPAA is a sort of promissory note that the IT provider will adhere to the HIPAA law. But a BAA doesn’t compel compliance or insulate providers from liability or responsibility – that’s why healthcare providers looking for IT support need to exercise extraordinary due diligence. As of right now, there’s a persistent lack of clarity around HIPAA, and nothing has been tested in court. The fact is, “HIPAA compliance” comes with disturbingly few obligations. Perhaps owing to whatever legislative sausage-making gave birth to the law, HIPAA offers no guidance on how to follow it.

That said, healthcare providers are still subject to the full extent of the HIPAA law.  The prudent strategy is to partner with a technology vendor that the healthcare provider can validate as fully engaged in HIPAA protocols. 

For growing medical practices and small-to-midsize hospitals, it’s essential that practice applications and data be placed in a HIPAA-compliant IT environment.  HIPAA hosting plans are designed expressly to deliver maximum security and the highest levels of patient data protection, deploying technologies such as clustered firewalls and intrusion detection and prevention software (IDPS), which is capable of detecting threats to sensitive patient data that even the best firewall won’t catch. 

And as cyber threats become ever more insidious, those in healthcare are looking to implement HIPAA-compliant systems that go well beyond basic malware and antivirus “solutions.” It’s generally smart to install Data Loss Prevention (DLP), the standard software methodology to determine if a breach has occurred, but DLP isn’t a panacea and it can monitor only so much. Although DLP may make life easier, it’s certainly not required for HIPAA compliance.

Let’s take a step back for a moment and get a sense of the environment in which HIPAA compliance can be most effective – that is, where compliance (which consists of doing the right, legally mandated thing) is also one non-trivial component of a medical organization’s cybersecurity strategy. 

The market is now awash in Infrastructure as a Service (IaaS) tools and technologies, empowering healthcare organizations that may lack traditional IT resources to still benefit from remarkably robust products and platforms. Savvy virtualization providers have already done the heavy lifting for some healthcare organizations, with fully HIPAA-compliant solutions that they can deploy largely on their own.  Indeed, IaaS providers are ideally positioned to enable healthcare organizations to get – and stay – HIPAA compliant.

A well-oiled IaaS machine – where servers and prefab packages effectively take the place of IT professionals – should deliver 100 percent uptime. Basic SLAs should provide, at minimum, “semi-managed services.” That is, the IaaS provider should manage everything from the hosting environment up to the operating system – including every jot and tittle concerning client privacy and data security. Customers can be as involved in the application install and management as they choose to be, or request concierge-level service. With strict HIPAA compliance as a given, the better providers are as comfortable working with customers who have IT departments as with those who don’t.

In my view, the IT vendor’s proper role is to showcase the powerful economic rationale for those in the healthcare field to get out of the practice of buying/maintaining hardware that is obsolete practically before the paint is dry.  And then to set an example, through practical, customer-centric initiatives designed to simplify the cloud for these organizations – things like “onboarding” services, aimed at eliminating the fear factor (and the “how do we do this?” factor) from the cloud migration process.

The cloud may be easier and more affordable than advertised, but it isn’t free. Still, compute horsepower is finally a virtual – or, perhaps more appropriately, a virtualization – bargain. Today, it’s entirely possible for a healthcare provider to spend $10K a month and tap enough compute power to drive a 1,000-user organization, even if the office or clinic is just a fraction of that size. That’s less than the cost of hiring a single engineer.

The IaaS model represents the surest way for medical offices of modest size to remain both fully HIPAA compliant and free of IT providers out to sell more than you need.  IaaS is holistic, accommodating growth (and attendant needs for higher performance) while providing users with more than adequate headroom.  That’s especially relevant in an environment as sensitive and highly regulated as HIPAA hosting.

IaaS rejects the notion that the cloud is strictly about hardware.  Instead, the IaaS model is increasingly focused on application delivery.  No matter what application a healthcare organization is using, an experienced IaaS provider should know how to deliver that app.  Every HIPAA hosting plan should be designed to provide what users need, and it should never be necessary to build from scratch. 

In partnership with the right IaaS provider, medical offices should regard HIPAA compliance as a responsibility and an opportunity — not a burden.

Adam Stern is founder and CEO of Infinitely Virtual in Los Angeles.