Today, telehealth has put the healthcare industry in the position of needing to balance efficiency and quality of remote care with a growing concern for cybersecurity and compliance. Here’s a guide for practitioners to improve HIPAA compliance in a setting that is increasingly dependent on digital technologies.
Telemedicine has received widespread acceptance and adoption over the past few years, primarily as a result of the COVID-19 pandemic. In 2021, more than a quarter of medical specialists used telemedicine for at least half of their patient visits, and only 15 percent of primary care physicians think telemedicine might not be appropriate for their particular patients.
As a result, medical records and patient meetings have increasingly moved into the cloud, putting those electronic health records (EHRs) at a higher risk of unauthorized access by malicious actors. The increase in HIPAA violations and cybersecurity incidents in the healthcare industry since then shows that companies still have more work ahead to better protect EHRs.
Ransomware attacks in healthcare also nearly doubled from 2022 to 2023, underscoring the growing threat. The threat has persisted into 2024 with major incidents such as the Change Healthcare attack, which is still causing disruptions and could wind up costing a total of $2.3 billion, and the Ascension attack, which impacted care at over 140 hospitals, further demonstrating the industry’s vulnerability.
On July 11, a bipartisan group of U.S. senators introduced a new healthcare cybersecurity bill to address the growing risks. However, legal experts say that the bill doesn’t offer anything new compared to other initiatives that have previously been proposed or are in progress. Without clear next steps on how to turn around the string of breaches, it will be up to individual chief information security officers (CISOs) and organizations to protect health data and ensure compliance.
Handling HIPAA compliance the wrong way
Let’s go over some of the top HIPAA compliance mistakes that companies make and how to avoid them.
As basic as it may sound, failing to use encryption and multi-factor authentication (MFA) is one of the most significant HIPAA compliance gaps. Encryption ensures that even if unauthorized individuals obtain sensitive data, they cannot read it without the decryption key. MFA adds a further layer of protection by requiring users to present two or more verification factors before they can access patient information. Without these critical safeguards, organizations leave themselves exposed to data breaches and the severe legal and financial repercussions that follow.
Many organizations also fail to rigorously manage third-party vendors, such as billing partners and healthcare software vendors, that may have access to protected health information (PHI). Third-party vendors must adhere to the same HIPAA requirements as the primary organization, and any lapse in their security practices can lead to a data breach. Look for third parties that can demonstrate compliance with HIPAA, SOC 2, or HITRUST; SOC 2 and HITRUST are stricter than HIPAA when it comes to data protection and cybersecurity.
The next mistake I see companies make is assuming one-and-done compliance audits are enough or conducting audits inconsistently. Compliance is an ongoing process that requires regular audits and consistent enforcement of policies and procedures. Lax enforcement can lead to non-compliance creep, leaving the organization vulnerable to data breaches.
Next, as healthcare increasingly integrates new technologies such as AI and machine learning, some organizations fail to address the associated compliance risks. AI systems require vast amounts of data, raising concerns about how the AI companies are processing, storing, or sharing that data. Without proper safeguards and clear guidelines on AI use, organizations risk violating HIPAA regulations, as AI systems could inadvertently expose sensitive information.
This leads directly to the final major mistake I see some companies make, which is not knowing or monitoring where all their data is. One major factor here is “shadow IT,” in which IT teams and other employees use software and applications that haven’t been officially approved. If your team is using an AI chatbot such as ChatGPT to summarize notes, for instance, you may not even be aware that your patients’ data is being shared with third parties.
Some ways to combat shadow IT are to educate your employees about the risks and to ensure that you have provided HIPAA-compliant tools so they can complete their tasks without resorting to unapproved software.
The future of HIPAA compliance
While the government may at some point provide more helpful guidance on healthcare cybersecurity, companies should be acting now to prevent data theft and ensure HIPAA compliance. The priority for healthcare entities should be to understand the top risks and mistakes that lead to breaches and to learn how to avoid them.
By Eva Pittas of Thoropass