By Gregory Hoffer, CEO, Coviant Software
Everyone knows someone who is a vintage car nut. They keep their baby in the garage during inclement weather and roll it out on sunny days to take it for a spin and show it off. When that car isn’t on the road, the hood is up and your friend (or maybe it’s an uncle, neighbor, or someone you only recognize by the car itself) is in greasy jeans and t-shirt, bent over the fender with a wrench in hand, tinkering with something on the engine block to make sure that during the next drive to town she’s purring like a kitten.
Yes, you’re proud of your new vehicle. Maybe it’s a plug-in EV, or an SUV with a high-tech dashboard. It might be a fast sports car with a mean profile, or a roomy sedan that gets you where you want to go in comfort and style. But secretly you envy that person and their classic Detroit muscle. The sound and look are inimitable, but you also envy the skill it takes to keep a classic running decades after it rolled off the production line. And despite the old car’s lack of fancy amenities, it performs the same essential function as the newest model (only cooler).
New Models vs. the Old Classic
It’s not much different with information security and privacy regulations. With a regular cadence, governments around the globe pass new laws aimed at protecting the sanctity of sensitive personal data. Here in the U.S. several new state laws, modeled after the European Union’s General Data Privacy Regulation (GDPR), take effect in 2023. Overseas new regulations include the Digital Operations Resilience Act (DORA); since 2021 the People’s Republic of China has adopted the Personal Information Protection Law (PIPL), Cybersecurity Law (CSL), and the Outbound Data Transfer Security Assessment; following its exit from the European Union in 2020 the United Kingdom has adapted its 2018 Data Protection Act (DPA) to conform with GDPR; efforts are underway in Canada to update the Personal Information Protection and Electronic Documents Act (PIPEDA); the latest evolution of Japan’s Act on the Protection of Personal Information (APPI) went into effect in 2022; and the beat goes on.
But while all these souped-up, modern acronyms hit the market causing chief compliance, privacy, and information security officers pant with longing, there’s a classic regulation that continues to run, chrome bumpers glinting in the sunlight: the Health Insurance Portability and Accountability Act (HIPAA).
The Standard for a Quarter Century
HIPAA wasn’t the first data privacy regulation to be enacted by a government, but when the law first hit the streets in 1996, it was like going from cars that were stodgy and boxy to the tailfin era. It was bold and brash; everyone took notice. And just as tailfins reflected the dawning of the Space Age, HIPAA reflected the needs of the Digital Age and a need to protect sensitive health data as it evolved to become digital. In 2009 HIPAA got a redesign following a federal mandate under the Affordable Care Act to accelerate the adoption of digital health records. That is when the Health Information Technology for Economic and Clinical Health Act (HITECH) went into effect, strengthening existing law and becoming HIPAA-HITECH (still most commonly referred to as simply HIPAA).
HIPAA remains one of the most recognizable data protection regulations, in part because it has been around for more than a quarter century, but also because it is easy to grasp the importance of keeping personal—and often sensitive—health data private. You don’t have to be a lawyer to understand that a careless misstep in handling medical records could be harmful to a patient. And, despite the proliferation of data protection regulations that has occurred during the quarter century since HIPAA was passed, properly managing and securing protected health information (PHI) remains one of the most daunting tasks in compliance.
Managing PHI Safely is a Huge Task
One of the challenges associated with handling medical data in accordance with HIPAA security requirements is that PHI can come in many different forms. In our experience we work with several major healthcare organizations, each with vastly different needs. Some examples include:
A top ten managed care service provider: nearly a quarter million files
A major Southeastern healthcare network: tens of thousands of files
A large East Coast hospital: tens of thousands of files
A regional medical imaging services company: hundreds of files
There may be hundreds of different external destinations for this data that must be coordinated and executed each day: insurance companies, primary care physicians, complementary medical service providers, lawyers, government agencies, employers, and more. It’s a lot to do—far too much for people to do without technical support, including automation—and any mistake could result in PHI being exposed and compromised, triggering a potential HIPAA violation.
Four Key Steps to HIPAA Compliance
Despite all the complexities involved for organizations that handle PHI and must follow HIPAA, according to the U.S. Department of Health and Human Services, which is the agency charged with enforcing the law, there are four steps for organizations to come into compliance:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and,
- Ensure compliance by their workforce.
The Right Tools Keep a Compliance Engine Tuned
We have been able to help organizations manage the chaos and support their compliance programs under HIPAA and other regulations by addressing each of these points with one simple tool. That is a secure managed file transfer (MFT) platform that:
- Automates file encryption using OpenPGP and operating on encrypted channels using the SFTP and other secure transport protocols;
- Deploys behind the firewall and with an edge gateway in the network DMZ to ensure no user data, authentication data, or encryption keys are ever stored in the DMZ, keeping services and data safe from reasonably anticipated security threats;
- Keeps access restricted only to authenticated users, and with support for multifactor authentication; and,
- Offers no-code simple installation, configuration, and operations, with all aspects of the data transfer process fully automated to minimize the risk of human error and to make workforce compliance easy.
What’s more, all operational records are retained for complete auditability. Without auditability, it is difficult to provide documentation necessary to prove compliance.
No technology on its own can bring an organization’s information security and data privacy programs into compliance with HIPAA or any other regulation, but choosing the right solutions does matter when building such programs. And as with maintaining a classic automobile, the right tools matter when it comes time for a tune-up to keep your HIPAA compliance program running like a well-oiled machine.
About the Author
Gregory Hoffer is CEO of San Antonio-based Coviant Software, maker of the secure, managed file transfer platform Diplomat MFT. Greg’s career spans more than two decades of successful organizational leadership and award-winning product development. He was instrumental in establishing ground-breaking technology partnerships that helped accomplish Federal Information Processing Standards (FIPS), the DMZ Gateway, OpenPGP, and other features essential for protecting large files and data in transit.