HIPAA Security Rule - What It Means and What to Do?

The US government has started to crack down on health care providers who have failed to implement controls required by the HIPAA Security Rule. The fines alone can be millions of dollars and resulting security breaches can expose organizations to substantial civil liability, loss of reputation, higher credit card processing margins, substantial penalties (even personal criminal and civil liability).

Overview of the HIPAA Security Rule and SSH Keys

The Health Insurance Portability and Accountability Act (HIPAA), was enacted by the United States Congress and signed by President Bill Clinton in 1996. The major objectives of the law were to:

  1. Ensure that individuals were able to maintain health insurance between jobs.
  2. Ensure the security and confidentiality of patient information/data.

HIPAA Security Rule establishes a national set of security standards for protecting health information in electronic form. The standards operationalize the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals’ Electronic Protected Health Information (ePHI).

Protecting ePHI starts from controlling who is able to access that data. This requires identity and access management, including management of SSH keys. SSH keys often grant access to privileged accounts and databases. In many organizations their number far surpasses traditional user names and passwords.

SSH in Healthcare IT

Large-scale health care environments employ considerable numbers of servers, routers, switches, database and application servers, and other networked systems. These systems are maintained and administered with the SSH protocol that provides secure administrative login, application tunneling, and secure file transfer. The SSH protocol is a standard component of every server and networked device. All UNIX, Linux, Mac, and mainframe systems include SSH. It is also widely used on Windows computers and servers. In 2015, Microsoft announced plans to make it a standard component of Windows.

Enforcement of the Security Rule

Organizations across all industries, independent of what regulations and standards they must comply with, are faced with the ongoing challenge of ensuring authorized and trusted access to protected health information. The security rule, enforced by the Office for Civil Rights (OCR) and Health and Human Services (HHS), is leading the pack in that realm as far as audit activities within the health industry.

SSH Communication Security solutions enable the key controls required to ensure logical access, privileged access, and third party access are effective. These controls are a major component of HIPAA Security Rule and the HHS/OCR audit guidance issued earlier in 2016.

Compliance In the Spotlight

With the ongoing audits conducted by HHS/OCR under the HIPAA security rules, organizations are scrambling to ensure ongoing compliance. As with any government audit, the outcome of non-compliance comes with a hefty price.

The OCR is working on selecting approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits. OCR’s ambitious plan appears to include more organizations and audit each one less. This would appear to be in favor of the auditees, but may turn out the opposite since each audit will focus on prior audit phase findings. The audit criteria will include:

  • Risk analysis and risk management
  • Content and timeliness of breach notifications
  • Notice of privacy practices
  • Individual access
  • Privacy Standards’ reasonable safeguards requirement
  • Training to policies and procedures
  • Device and media controls
  • Transmission security.

Additionally, healthcare industry security breach and ransomware incidents continue to flood the news. A recent story for a hospital in Kentucky that had its records scrambled by ransomware. These attacks aim purely to financial gain. Victim organizations have been paying the demanded ransom in order to get back into normal operations.

Ramifications of Non-compliance

Health organizations which have experienced a breach or had a non-compliance violation resulting from an audit, face a long way to recovery. The table below highlights the types of violations and associated penalties:

ViolationMinimum PenaltyMaximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA$100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)$50,000 per violation, with an annual maximum of $1.5 million
violation due to reasonable cause and not due to willful neglect$1,000 per violation, with an annual maximum of $100,000 for repeat violations$50,000 per violation, with an annual maximum of $1.5 million
violation due to willful neglect but violation is corrected within the required time period$10,000 per violation, with an annual maximum of $250,000 for repeat violations$50,000 per violation, with an annual maximum of $1.5 million
violation is due to willful neglect and is not corrected$50,000 per violation, with an annual maximum of $1.5 million$50,000 per violation, with an annual maximum of $1.5 million

Additionally, organizations experiencing a breach of 500 records or more are listed on the HHS/OCR breach portal. This site is also known as the Wall of Shame.

HIPAA Regulations and SSH Mapping Guidance

HIPAA requires organizations implement policies and procedures to prevent, detect, contain, and correct security violations. SSH communication solutions help identify all the components’ activities including all the hardware and software that used to collect, store, and process ePHI. In this process, a scan of SSH authorized keys can also be proceeded to confirm deployment.

Implementing proper policies for defining roles and granting access is critical for compliance with the law. All methods must be considered, including those using key-based credentials.

The following table highlights the key requirements of the HIPAA Security Rule and how we can help pave the way to compliance.

RegulationMapping to SSH Solution
Workforce Security (§ 164.308(a)(3)): Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information.The requirement of segregation of duties applies to any kind of access, including access using SSH keys. We frequently see key-based access from test and development systems into production, which violates segregation of duties.
Information Access Management (§ 164.308(a)(4)): Implement policies and procedures for authorizing access to electronic protected health information.Implement identity and access management. Assess and manage SSH key based access. Ensure that tunneled access from the public Internet to intranet is not possible.
Access Control (§ 164.312(a)(1)): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.Universal SSH Key Manager and CryptoAuditor Care critical components of your access controls. Adopting best practices and employing leading implementations provide you with complete control as well as a view into the access management in your production environment.
Audit Controls (§ 164.312(b)): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.Hardened SSH key deployments with best practice configurations for your defined scope of ePHI environments will support the desired access controls required to comply with this requirement.
Transmission Security (§ 164.312(e)(1)): Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.The SSH protocol 1) encrypts traffic between two end points, providing confidentiality and integrity in transit; 2) secures the transmission of files with SFTP; and 3) prevents man-in-the-middle attacks.

What Should Healthcare Organizations Do?

Assess your HIPAA compliance program. Does it sufficiently address SSH and SSH keys? Be ready for when the OCR comes knocking. Make sure to implement security measures beyond what the law states since ePHI has become the hottest item in cybercrime.

Boost staff members security awareness to prevent and detect breaches. Invest in security tools that help you reduce and even eliminate the risk of ePHI being compromised.

Expand your compliance program to include on-premise networks, off-shore systems, mobile devices, and ]cloud installations](/devops/).