How to Build a HIPAA Compliant Network

With the appropriate controls and strategy, any network can meet the rigors of HIPAA and HITECH compliance.

Network technology is shaping the healthcare industry, enabling doctors and nurses to provide faster, more personalized care at lower costs.

While technology has helped improve healthcare outcomes, they can also make achieving compliance with the Healthcare Insurance Portability and Accountability Act (HIPAA) and its sister regulation, the Health Information Technology for Economic and Clinical Health (HITECH) act hard to achieve.

How do you build a network that safeguards electronic protected health information (ePHI), without harming efficiency and productivity? HIPAA is frustratingly open to interpretation, so we’ve compiled this concise overview to keeping your network compliant.

Start with the Right Compliance Controls for Your Need

HIPAA outlines a series of control that healthcare providers must use to secure their technology. While there’s a great deal of freedom as to how to most “appropriately” deploy each of these controls, a secure network must have the following features to avoid a HIPAA compliance violation.

Authentication and Access Controls
Access controls ensure that only users with the proper privileges can view and manipulate ePHI. At the most basic level, this involves designating each user with a unique system ID and password. However, to ensure strong compliance and security you’ll need to go beyond those basic protections, which includes:

• Develop a policy that requires strong and complex passwords
• Deploy multi-factor authentication on ePHI containing systems
• Ensure idly users are automatically logged-out of important systems
• Develop emergency access procedures to control access

Properly Configured Firewalls and VPNs
Network and software firewalls are your first line of defense against intrusion, which makes them an important part of any regulatory compliance program. Despite their critical function, mismanagement of firewalls is a chronic condition. Research from Security Metrics shows that 76% of organizations that experienced a data breach had an incorrectly configured firewall, for example.

To ensure your firewalls are up to the challenge of HIPAA, here are best practices to consider:

• Configure outbound Internet traffic with updated whitelists and blacklists
• Properly log all firewall traffic for compliance with HIPAA Security Rule 164.312(b)
• Deny Internet access to servers that contain ePHI and financial information
• Monitor network traffic and update setting to grant legitimate traffic network access

Did you know that ransomware is a root cause in over 54% of security and compliance breaches in the healthcare industry?

Reliable and Repeatable Audit Controls
Your technology should always be ready for a HIPAA audit. Achieving this readiness involves having controls in place so that when auditors — or internal compliance team — want to take stock of your compliance posture, they have the log files and other data to do so efficiently.

The audit controls recommended by the HIPAA are described in three categories, application audit trails, users audit trails, and system audit trails. You’ll need address all three in your compliance program.

• System level audit trails capture details about who is accessing your network and how long they have access
• Application audit trails demonstrate the confidentiality and integrity of information as it travels through electronic health records (EHR) systems and other software that contains ePHI
• User audit trails track the actions that users take when using your software, such as record access, ePHI alterations, deletions, and more

Strong Encryption
All ePHI that is transmitted across your network, including through email, text message, collaboration platforms, and messaging apps must be encrypted, preferably with an industry-accepted technology like advanced encryption standard (AES).

While many of today’s popular collaboration platforms incorporate encryption be default, you should work to ensure that ePHI and other sensitive data is encrypted from end to end, meaning that only the sender and receiver can view the data. You’ll also need to make the important distinction between data at rest and data in motion, so that ePHI archives receive the proper protection.

Physical Security Protections
Physical security under HIPAA means making sure that unauthorized users are never able to physically compromise ePHI containing systems. In today’s modern network environment, where the network perimeter has continued to push outward, that means careful attention to all network endpoints.

• Maintain a list of all mobile devices containing ePHI, including tablets and cell phones.
• Deploy biometric controls and cameras to keep sever rooms and sensitive areas secure
• Ensure computer monitors that display ePHI aren’t viewable by non-authorized users

Obviously, this is just an overview of the controls you’ll need to enforce for HIPAA compliance. If you’d like to talk about the controls listed above in greater depth, or determine how they apply to your organization, the Complete Network team is ready to help, click here to book a call with our team.

Enforce HIPAA Compliance Controls Across Your Entire Network

As with any regulatory compliance program, you must remain vigilant with HIPAA and HITECH to ensure success. One common stumbling block is failing to account for all the components and systems that can lead to a compliance slip. Here are a few areas that organizations sometimes overlook.

Business Associates
To develop strong overall HIPAA compliance, you must be certain that all business associates who touch upon ePHI are doing so responsibly. Any business associate, including medical billing firms, accounting services, and IT vendors must have a written agreement in place that lays out their obligations in detail.

Secure Wireless Networks
Mobile healthcare professionals are dependent on WiFi signals and wireless LANs to access and share the patient information they need. However, this category of network is a well-known compliance liability.

To secure a wireless LAN, you should start by making sure that your existing security software is properly configured to detect threats, such as data interception and packet sniffing, which typically affect these networks.

For healthcare organizations that provide public WiFi access to visitors, you may want to separate your public and private WiFi networks, so that guests are kept safely away from vulnerable network hardware or ePHI.

Want to learn more? We’ve written a comprehensive guide to HIPAA compliance here.

Complete Network – 20 Years of HIPAA Consulting Experience

The most reliable way to achieve and stay compliant is to enlist the help of an experience partner, like Complete Network. For decades, we’ve been helping healthcare companies implement the technical, administrative, and physical safeguards to stay confident about their HIPAA and HITECH posture.

Want to ask our HIPAA team a question? We’d love to help! Contact us any time at 877-877-1840 or [email protected].