While healthcare hasn’t been the fastest industry to digitize, both industry competition and legislature have sparked the beginnings of digital transformation in the healthcare space. The 2016 21st Century Cures Act, for example, has made online portals, electronic billing, and digital record-keeping a norm in healthcare.
While this digitization positively impacts many patients’ access to their healthcare information, it has also created new risks. The influx of personally identifiable information becoming available electronically has made the healthcare industry a top target for hackers: one-third of all data breaches target healthcare organizations. As healthcare organizations adopt digital and cloud-based technology, they must also adopt modern, cloud-based security to protect it.
While healthcare companies and other organizations that work with patient data are required to comply with HIPAA, HIPAA compliance should be treated as more than just a checkbox. HIPAA can be a guiding light for not just compliance, but also security in an increasingly digital and vulnerable environment. In this blog, we’ll cover the basics of HIPAA, some of the most effective HIPAA-aligned security controls, and how a cloud directory can help with HIPAA IT compliance.
The Basics of HIPAA
HIPAA, which stands for the Health Insurance Portability and Accountability Act, was enacted in 1996 to protect patient information and privacy. In general, U.S. healthcare providers, health plans, and healthcare clearinghouses are required to comply with HIPAA.
HIPAA in its entirety is fairly vast — we’ll start with the basics here, and if you’d like to go more in-depth, check out the official HIPAA documentation and JumpCloud’s IT Compliance Quickstart Guide.
HIPAA standards fall under two main categories, or rules: the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule covers patient information protection. More specifically, it governs how protected health information (PHI) is used and shared, and requires patients to have knowledge of and autonomy over their shared PHI.
The HIPAA Security Rule covers the security of electronic health information. This is becoming increasingly important as healthcare organizations undergo digital transformation.
HIPAA Security Rule is broken down into three areas of focus. Most of an IT admin’s concern with IT compliance will be focused here.
- Administrative Safeguards – this part of the Security Rule is to assign ownership and to create the infrastructure of solid security practices that will help to support HIPAA compliance.
- Physical Safeguards – access to the IT systems and the data needs to be closely guarded for the cases of malicious intrusion, but also for disaster.
- Technical Safeguards – this area focuses on the implementation of controls for access to systems, applications, and data as well as the security of those IT resources and electronic PHI.
Learn more about these three areas of focus in our blog: The Three Components of the HIPAA Security Rule.
Helpful Controls for HIPAA IT Compliance
Like many compliance regulations, HIPAA does not define solutions or specific approaches, but instead focus on outcomes. It’s up to each organization to translate this guidance into action. While HIPAA compliance may look different from organization to organization, the following are common controls that significantly bolster a company’s ability to achieve HIPAA compliance in a digital/cloud environment.
Identity and Access Management
Identity and access management (IAM) is one of the most critical solutions to HIPAA IT compliance. This is because much of HIPAA hinges on secure and controlled access to PHI. In digital environments, the most reliable way to securely assign and manage appropriate access to resources is through the identity.
This is because identity has replaced the idea of a physical perimeter. A central, physical network or perimeter is no longer the access point for most resources; instead, access happens at the identity-level: users authenticate themselves (e.g., by inputting credentials) to access resources. As access points shift from the perimeter to the identity, security must follow suit.
This identity-centric approach forms the foundation of Zero Trust security. Thus, IAM is one of the pillars of Zero Trust security — and it’s commonly the first ones that organizations implement when adopting a Zero Trust security model. This is because IAM forms the core of identity-centric security, and it forms a strong foundation for securing other elements in the organization, like devices, networks, workloads, and more.
In terms of HIPAA, IAM enables you to control users’ access to different resources, enabling you to restrict PHI to only those allowed to access it in accordance with the regulation. This access can be automatically granted or denied based on a user’s permissions, and some IAM tools can be highly customized to the organization’s unique needs. Admins can use user groups, conditional access policies, automatic provisioning, and other features to further secure and streamline their IAM processes.
From employee laptops to patient check-in tablets, the devices in the average healthcare organization are diversifying. While identities are the main access point for organizational resources, the devices people use to access PHI can have a significant impact on security and HIPAA compliance. For example, a user may access PHI through their trusted identity, but if they do so from a compromised device, the PHI could still be at risk. Thus, it’s critical for HIPAA-bound organizations to control the devices accessing their resources — especially PHI.
Effective device management must center around access: which devices are accessing organizational data? This stands in contrast to outdated models that only protected company owned and issued devices: organizations can no longer trust that devices are safe by only focusing on the ones they own. Healthcare organizations should have a mobile device manager (MDM) that can handle all the devices accessing organizational data — not just those owned by the organization.
Some solutions take MDM a step further by combining it with identity management. This unified approach provides additional context to access security, which gives organizations more control over their HIPAA compliance.
Because secure access is such a critical element of security and HIPAA compliance, multi-factor authentication (MFA) is a highly effective HIPAA control. It dramatically increases access security by requiring a second factor in addition to the traditional username and password, like a time-based one-time password (TOTP), push notification, or biometric.
MFA is easy to implement and manage, and with the right tools, it can also be highly cost-effective. JumpCloud, for example, offers it at no additional cost with any plan (including JumpCloud Free).
MFA can help you comply with many other regulations in addition to HIPAA. Some frameworks, like SOC 2, require MFA explicitly. Others require a means of secure authentication without specifying the how; MFA is one of the quickest and easiest ways to fulfill this requirement.
Single sign-on (SSO) is another highly effective and easy-to-implement control that plays a large role in HIPAA compliance and healthcare security. SSO helps maintain a strict structure of one identity per user, which is critical to identity security.
In addition, SSO secures digital environments and promotes HIPAA compliance by:
- Maintaining access permissions. Access is controlled and based on the permissions assigned to each secure identity.
- Reducing the risks associated with memorizing passwords. Users today have about 100 passwords each. If they’re required to memorize them and input them manually, odds are, they’re reusing them, making them too easy to remember (and guess), writing them down, or using other workarounds to keep track of them all. Enabling users to log in securely with only one set of credentials drastically reduces the risk of unsafe password practices.
- Preventing shadow IT. Without unified account management and visibility, shadow IT can — and will — crop up and multiply. Shadow IT can be detrimental to both security and compliance. Because it is unmanaged and often unseen, IT cannot ensure it complies with regulations or security best practices. SSO keeps accounts and their activity within view and control of the IT team.
Full Disk Encryption
HIPAA Security Rule §164.312(a)(2)(iv) states that organizations must “implement a mechanism to encrypt and decrypt electronic protected health information.” Enforcing full disk encryption (FDE) across laptops and other systems is highly impactful for HIPAA compliance. With FDE, a computer’s hard drive is locked down when that computer is at rest, making it virtually inaccessible in case of theft.
To enable FDE, you’ll need a tool that can do so for all systems; many tools on the market offer FDE for only one OS. In addition, look for a tool that can securely escrow recovery keys (ideally individual recovery keys for increased security). If a user forgets their password or it expires, the recovery key will allow you to decrypt the drive.
JumpCloud policies allow IT admins to implement an FDE policy, which is capable of enabling FileVault and/or Bitlocker in just a few clicks. It can also escrow recovery keys. Learn more about JumpCloud FDE.
HIPAA Compliance with a Cloud Directory
Cloud directories can synthesize the controls above to offer one unified platform where you can control your entire IT environment. The right cloud directory should provide you the robust telemetry and manipulable controls you need to closely manage your security and HIPAA compliance.
JumpCloud’s cloud directory platform, for example, offers robust and user-friendly control over IT resource access through unified identity and device management. It maintains one secure identity per user, and connects that identity securely to all the devices and tools each employee needs to work. In doing so, it maintains the same permissions and policies for each user identity, regardless of how they work or which resources they access.
Further, JumpCloud offers MFA, SSO, FDE, and OS-agnostic MDM capabilities, allowing you to implement some of the most important elements of HIPAA compliance, all with one platform. And as an open directory platform, JumpCloud allows you to work the way that works best for your organization (without hurting your security or compliance). It can act as your identity provider, for example, or work with the one you already have, so you don’t have to rip and replace to start reaping its benefits. Learn more about how JumpCloud supports IT compliance.
Making IT Compliance Painless
Compliance may not be fun, but it doesn’t have to be a headache, either. JumpCloud’s IT Compliance Quickstart Guide was designed to help IT admins navigate compliance with HIPAA and many other regulations. It even offers a free hands-on demo that helps you implement some of these critical IT compliance controls in your own environment. Get started with the IT Compliance Quickstart Guide now.