Although IBM’s 2020 Cost of a Data Breach Report found a slight decrease of 1.5% in costs incurred from data breaches, they also found that data breaches in the healthcare industry increased by 10.5%. Health Insurance Portability and Accountability Act (HIPAA) penalties for allowing Personal Identifiable Information (PII) data to be breached can range from $100 to $50,000 per user record. How much the penalty is depends on the level of negligence found on the part of the healthcare provider.
HIPAA was designed to lay out how PII data should be maintained and protected across the healthcare industry. Though it is painfully clear that patient personal information must be protected and that any sort of exposure of that information must be immediately reported, there are no exact guidelines on what sort of protections must be put into place in order to protect healthcare systems from cyber security attacks. This is to a certain extent intentional since healthcare providers can range from small private practices to large interconnected providers that can include entire hospital networks. The size of the organization can often determine the level of technological complexity or maturity they are capable of.
So the quick answer to our query, “Does Following HIPAA Regulations Protect Against Cyberattacks?” is “no”. There are no specifications within the HIPAA requirements that would give you guidance as to how to prevent cyberattacks.
Instead HIPAA refers healthcare technologists to the best practices and recommendations made by other government entities such as National Institute of Standards and Technology (NIST). So now in order to make sure your healthcare organization is compliant and safe you need to study both HIPAA regulations as well as the NIST recommendations. This can be incredibly overwhelming if you are just trying to figure out what is the best way to prevent common cybersecurity attacks like brute force attacks. And since the IBM 2020 Cost of a Data Breach report also found that attacks that used compromised credentials were the costliest types of breaches for healthcare, putting a little effort into trying and preventing these types of breaches can be invaluable.
So what is the best way for healthcare organizations to prevent cyberattacks like brute force attacks?
Follow the NIST guidelines:
- Require password length be at minimum 8 characters: NIST states that even longer passwords (up to 64 characters) should be required for more sensitive data.
- Do not provide the ability to use password hints: password hints can provide bad actors with information they can use to guess the correct password. Instead provide users with a secure means with which to reset their passwords in case they forget them.
- Use passphrases: In the past it was recommended to use highly complicated passwords such as ones that random password generators might create. These types of passwords cause users to use unsecure means to store their passwords because they can’t remember them. Picture post-it notes stuck under keyboards. Passphrases should be unique but easy for a user to remember like a line from a song or poem with some numbers or special characters mixed in.
- Prevent users from using breached passwords: NIST suggests that passwords should be compared to a list of common passwords like “password” or “123456789”. Ideally passwords should be compared against a list of already compromised credentials in order to prevent common password cyberattacks.
Identity and Access Management (IAM) providers like OneLogin can provide the means to control healthcare users’ credentials and follow the NIST guidelines across all the applications they need to use as part of their job. As a single sign-on platform all user logins are controlled through a central interface. From there, user security policies can be set to control both the length and complexity of users’ passwords. Through built-in basic password blacklisting you can prevent users from using the most commonly known passwords out there and through add on such as OneLogin’s SmartFactor Authentication™ you can enable compromised credential checking to prevent users from using credentials that have been breached on other systems. And finally, users can easily reset their own passwords through secure means instead of relying on password hints.
So even though HIPAA regulations themselves do not give exact guidelines on how to prevent cyberattacks they do require healthcare technologists to prevent exposing PII data to theft and fraud. Implementing a few simple policies related to how users’ passwords are set and the passwords they can use can prevent a significant number of healthcare data breaches in the future.