Policy One: Medical Records and the people that want them
If your business operates a medical clinic, or you do business with any entity in the medical community, you hold privileged information. Medical information is particularly valuable because not only do you have the full background of the individual available to you, but in many cases you also have family history. Family history is a huge boon to any attacker. With family history, the attacker can not only use the identity to do as they please, they can also use social engineering to commit more nefarious acts, since they have a foothold into the lives of the people behind the data. Social engineering here would encompass something along the lines of calling a utility or service provider knowing just enough about that person to be able to answer security questions. All of this can be achieved by a targeted attack that involves data exfiltration.
There are regulations in place to deal with the security of medical data, otherwise known as HIPAA (the Health Insurance Portability and Accountability Act). At its core these are a set of rules that protect the privacy and security of health information, as well as providing individuals with certain rights giving them dominion over that information. The Act is lengthy, so I will break it down into three parts:
A) Privacy Rule
B) Security Rule
C) Breach Notification Rule
A) Privacy Rule – This protects protected health information held or transmitted by a covered entity or its business associate, in any form. It is defined as information that relates to all of the following:
1) Individual’s past, present, or future physical or mental health or condition
2) The provision of health care to the individual
3) Past, present, or future payment for the provision of health care
Protected health information includes common identifiers such as name, address, birth date, and Social Security number.
B) Security Rule – Covered entities and business associates need to develop and implement reasonable and appropriate security measures, through policies and procedures, to protect the security of the protected health information they create, receive, maintain, or transmit. Each entity must analyze the risks to the information in its environment and create solutions appropriate for the situation. Each entity that holds this information is responsible for its own security preparations.
C) Breach Notification Rule – Simply put, the rule requires covered entities to notify individuals affected by a data breach. An impermissible use or disclosure of protected health information is presumed to be a breach unless you, the humble business owner, can demonstrate there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:
1) The nature and the extent of the protected health information involved, including identifiers
2) The unauthorized person who used the protected health information
3) The extent to which the risk to the protected health information has been mitigated
Covered Entity, or Who Am I?
Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard, such as:
· Nursing homes
Any individual or group plan that provides or pays the cost of health care, such as:
· Company health plans
· Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs
· Health insurance companies
· Health maintenance organizations
A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice versa, such as:
· Billing services
· Community health management information systems
· Repricing companies
· Value-added networks
A business associate is a person or organization, other than a workforce member of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to protected health information. A business associate can also be a subcontractor responsible for creating, receiving, maintaining, or transmitting protected health information on behalf of another business associate. Business associates provide services to covered entities that include:
· Claims processing
· Data analysis
· Financial services
· Legal services
· Management administration
· Utilization review
As you can tell, the above is vast in what it can cover. All it takes, though, is one very well-informed data breach victim who is aware of these regulations to make your life impossible. Diligence is important for your protection as well as that of your customers. When you host with and work with CyberCrypto, your data is not only protected, but the worry of exfiltration or an attack is minimized because we act as your sentinel.