How TalonWork solves HIPAA compliance issues

by Talon Research
April 28th, 2022

Introduction 

The healthcare system is one of the most sensitive sectors exposed to privacy risk. It was involved in about 15% of all 2019 data breaches when estimated industry losses reached $25 billion. To prevent breaches, 81% of US healthcare entities already increased their security spending in 2017, with the related cybersecurity market anticipated to be worth $10.85 billion by 2022.  

General Statistics 

  • 25% year-over-year increase in breaches 
  • In March 2022, 43 healthcare data breaches of 500+ records were reported 
  • Healthcare data breaches hit an all-time high in 2021, impacting 45M people 
  • 2021 saw record numbers of DDoS attacks on the healthcare industry 
  • For each data breach, healthcare organizations average $3.7 million in lost revenue 
  • At $380 per record, a healthcare data breach costs more than 2.5 times the global average for all industries 

What are HIPAA regulations? 

The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of protected health information (PHI) & ePHI. Any US healthcare organization that stores, processes, or transmits PHI must meet its compliance requirements—including any business associates that perform functions or provide services on their behalf.  

HIPAA compliance is separated into two categories: 

  • Security rule – Ensures the confidentiality, integrity, and availability of health information 
  • Privacy rule – Directs health information uses and disclosures 

Which data is protected? 

Together, these rules help covered entities and their business associates protect ePHI. Protected records include diagnoses, treatment information, test results, medications, health insurance ID numbers, and other identifiers. HIPAA also covers contact information, including phone numbers, addresses, email addresses, birthdates, and demographic information.  

All of this means that US healthcare entities will want to make sure they’re ready for the next audit conducted by the HHS Office for Civil Rights (OCR). 

How to comply with HIPAA regulations 

The HIPAA Security Rule specifies that covered entities must establish and maintain administrative, physical, and technical safeguards that protect ePHI against breaches. 

The relationship between HIPAA & cybersecurity 

HIPAA requires companies to not only protect information, but also to perform risk analysis pertaining to ePHI confidentiality, integrity, and availability. 

Having a robust cybersecurity program doesn’t make your organization HIPAA compliant, nor does compliance make it safe from cybercriminals. Rather, you require both a comprehensive HIPAA compliance program and a security program that can guarantee patient data security. 

Compliance for unmanaged and unrestrained devices 

In the US, more than 96% of critical care hospitals and over 83% of regular hospitals have adopted electronic healthcare records (EHR) systems, according to the Health IT dashboard. But such widespread adoption has attracted more sophisticated attackers, as an ever-increasing number of healthcare professionals regularly access patient files on their personal devices. 

So, while healthcare organizations attempt to keep patients’ data secure, more breaches become inevitable with the prevalent use of widely distributed, unmanaged devices. This is one of the reasons why ~90% of hospitals have reported a breach in the past two years. 

HIPAA and SaaS/web applications 

Healthcare organizations’ use of SaaS and web applications has dramatically increased in the past few years. With the rise of telemedicine and remote working, many healthcare organizations have embraced apps like Teams, Zoom, and Slack to get work done. That said, the original HIPAA was enacted in 1996 – long before such cloud services were available. In this digital age you must ensure you meet compliance regulations; here are a few compliance requirements that cloud-forward healthcare organizations should implement.  

The complication arises when entities use medical software for personal use. For example, HIPAA applies if a doctor asks a patient to wear a portable data-collecting device and the data is later shared through a cloud-based web application. 

Unmanaged devices and three associated HIPAA risks 

HIPAA (1996) states that healthcare professionals are in violation every time they access patient records over an unsecured or unmanaged device. They are also subject to steep fines ranging from $100 to more than $3M, with the average settlement being around $1.1 million.  

Risks associated with remote ePHI access include: 

  • Access – Policies ensure that remote ePHI access is only granted to authorized users based on their organizational role and specific need for access. 
  • Storage – Storage policies address security requirements for devices containing ePHI that are moved outside of the covered entity’s physical control. This includes laptops, hard drives, backup media, smartphones, USB flash drives, and any other data storage item that could potentially be removed from an organization’s facilities. 
  • Transmission – Transmission policies ensure ePHI integrity and safety when delivered over networks. This includes direct data exchange (e.g., in trading partner relationships), as well as provisioning of remote access to applications hosted by an organization (e.g., provider’s home access to e-Prescription systems or webmail, where ePHI might be included in internal communications). 

How Talon’s solution can enable HIPAA compliance 

Remote, unmanaged devices used by healthcare entities present unique data privacy and security challenges. Implementing Talon’s secure workspace is the solution to ensure full HIPAA compliance while guarding against cyber breaches. 

Access – Talon’s secure endpoint browser – TalonWork – provides a unique approach to solving access issues: 

  • TalonWork browser requires users to authenticate using Talon’s identity and access management (IAM) solution or by integrating with any other IAM solution. 
  • For services lacking single sign-on (SSO) integration, login can be done with a built-in password manager. That way, logging into such services is only possible via TalonWork, which automatically fills in the passwords. 
  • TalonWork is protected from physical access: when a device is left idle while TalonWork is running, the browser locks and requires the user to re-enter their passcode. This protects a device that is left unattended, lost, stolen, or accessed by a user's household members. 
  • TalonWork can enforce additional policies that restrict access based on rules such as device security posture and other specific attributes. 

Storage – TalonWork protects the organizations’ local data and files, enabling remote work while keeping control of data assets.

  • Storage of data assets on the device and on online services can be restricted, based on the organization’s policy and based on attributes of the data. 
  • Additional encryption layers are added to data stored on the device. 
  • Decryption and viewing of data on the devices can be controlled based on policy and different scenarios. 

Transmission – TalonWork provides control over data leakage through current methods, including data loss prevention (DLP) and encryption (as seen in our online demonstration): 

  • Transmission of data assets to the device and to online services can be restricted, based on the organization’s policy and based on attributes of the data. 
  • Disparate avenues of data leakage can be controlled by organizational policies, such as adding a layer of encryption or blocking data transfers. 
  • TalonWork provides granular visibility into data transferred to and from any endpoint. 
