Recent proposed changes to the HIPAA Security Rule don’t go far enough, but that shouldn’t stop healthcare organizations from keeping patient data safe.
In October of last year, our CMO Luke posted about his frustrations that his six-year-old's health information may have been compromised as part of an account takeover at a health care provider. He's not alone. As of November 2024, the healthcare sector had reported 667 data breaches impacting 180 million individuals. Folks are starting to pay attention to this growing problem. In response, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has proposed significant amendments to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The proposed changes aim to strengthen the protection of electronic protected health information (ePHI) by turning a number of cybersecurity measures that are currently optional or loosely specified into firm requirements.
We’re thrilled to see some much-needed improvements proposed to the regulations, and sincerely hope that organizations take them into account regardless of whether they’re actually accepted and published.
The proposed amendments are a step in the right direction but these changes still don’t go far enough to produce meaningful improvements to the safety of patient data–and in some cases they focus on the wrong things entirely.
Highlights of the proposed amendments
The proposed modifications to the HIPAA Security Rule include several key requirements that are simply sound security fundamentals, and regardless of whether these proposals are codified within HIPAA, healthcare organizations should strongly consider them.
- Multi-Factor Authentication (MFA): Access to systems containing ePHI would have to require MFA, adding a second check that a stolen password alone cannot pass. In 2024, MFA is a must for any organization: credentials are compromised too easily and in too many ways (phishing, infostealer malware, credential stuffing from other breaches) to rely on a single factor. MFA isn't perfect: push notifications and one-time codes can be defeated by real-time phishing proxies and prompt-bombing, so phishing-resistant factors such as FIDO2 security keys or passkeys should be preferred wherever possible. Even so, some form of MFA is absolutely table stakes at this point.
- Enhanced Risk Analysis: Covered entities and business associates would be required to conduct more comprehensive risk analyses, including a detailed assessment of potential threats and vulnerabilities to ePHI. Understanding the risk within your environment is critical to building an effective data security program: without it, effective prioritization is impossible, and security planning is effectively built on guesswork.
- Stricter Requirements for Business Associates: Third parties that handle ePHI on a covered entity's behalf would face additional accountability and be held to the same standards as the covered entities themselves, including certain mandatory security measures and enhanced audit and oversight. Again: a common-sense, solid idea. The security of any data is dictated by the weakest link in its chain of custody. Failing to hold business associates to the same standards simply shifts the attackers' focus to them; it doesn't actually improve security.
Additionally, there are several solid recommendations around stricter overall cybersecurity requirements, updated security practices, notification requirements, and more.
Missing the mark on protecting data at rest
For all the good recommendations within the proposed changes, a few areas gave us pause. Perhaps the most glaring was the emphasis placed on changing the encryption of ePHI from an "addressable" specification (one that each organization must implement if reasonable and appropriate, or else document why not and put an equivalent measure in place) to a flat requirement.
There is absolutely nothing wrong with encrypting data at rest. In general, it's a great idea, and we're not telling anyone to skip it. But in practice it does very little to protect data against the way it actually gets stolen, particularly data stored in the cloud. Encryption at rest defends against physical and raw-storage access: a lost laptop, a decommissioned disk, a stolen backup, or someone sneaking into a Microsoft datacenter in the middle of the night and walking out with hard drives. In a cloud productivity suite, the provider decrypts the data transparently for every request that arrives with valid credentials, so the encryption key is never the thing an attacker has to defeat. Unless stolen hardware is your only concern, encryption at rest is necessary but not sufficient.
The goal of encrypting data is to prevent unauthorized access to the information. Encryption at rest only addresses certain threats and attack vectors, and it does nothing against the most common attack types in today's threat landscape.
Account takeover is among the biggest threats facing healthcare organizations (and everyone else, for that matter). When an account is compromised, every request the attacker makes carries a valid session and passes every authorization check. To the system, it looks like a doctor, nurse, or healthcare admin accessing the information, and the data is decrypted for the attacker exactly as it would be for the legitimate user. An encryption mandate does not change that. The controls that do are the ones that sit in front of the data: an additional authentication step before sensitive content is opened, tight limits on what any single account can reach, and monitoring that can tell a hijacked session from a normal one.
Modern protection for sensitive and regulated data
Material Security offers a robust suite of tools designed to safeguard sensitive data within cloud email and productivity suites, making us an ideal partner for healthcare organizations.
Material Security provides intuitive capabilities to discover and protect sensitive content within email and file-sharing platforms. Our modern approach to data loss prevention (DLP) keeps sensitive data safe even in the event of a breached account, without disrupting operations or productivity.
Through our API-based integration with Google Workspace and Microsoft 365, Material Security applies access controls directly to the message objects that warrant protection. We automatically detect, classify, and secure sensitive data (including a range of ePHI) out of the box, and make it easy to create custom detection categories. Sensitive data in the inbox is secured behind an MFA prompt, meaning legitimate users can access it within seconds, but an attacker who has only taken over the account is locked out.
With AI-driven threat detection and real-time, automated response capabilities, Material Security helps organizations defend against sophisticated phishing attacks and potential data breaches, and can detect and alert on subtle signs of account compromise and takeover, helping security teams stop attacks and contain damage.
Our solutions are designed to help organizations meet stringent regulatory requirements and keep sensitive data protected against emerging threats. That includes robust audit logs showing when each piece of sensitive data was accessed, and by whom: exactly the record an incident investigation or a compliance audit needs.
Real-world solutions for protecting sensitive patient data
So what do the proposed changes mean for today's healthcare organizations? Realistically: probably nothing. These sorts of recommendations are often position statements for outgoing administrations more than anything else, and the likelihood that they will be adopted as written is low.
That said, they shouldn't be ignored. The majority of the topics covered in the proposed amendments are very good ideas, and as discussed above, an organization responsible for sensitive data in 2024 that lacks some of the proposed measures is, frankly, worrying. Healthcare organizations must proactively assess their current cybersecurity frameworks and invest in effective solutions, not only to comply with regulatory requirements, but also to stay ahead of the ever-evolving threats that increasingly target them.
Contact Material Security today to find out how we help healthcare organizations protect their patients’ data and stay ahead of compliance requirements.