Confidently deliver HIPAA compliance software with Sysdig Secure

By Alba Ferri - SEPTEMBER 9, 2021


HIPAA, the Health Insurance Portability and Accountability Act, is one of the compliance standards that public and private healthcare companies need to address in order to build and maintain public trust in telemedicine.

During the COVID-19 pandemic, telemedicine has been the way to absorb the excess influx to hospitals and health centers while avoiding unnecessary exposure of patients.

Behind these healthcare services, there’s a good chance we find cloud-native applications running in Kubernetes or some managed-Kubernetes service in the cloud, right?

The sensitive health information collected and exchanged between healthcare providers and patients has raised new concerns about data security and integrity.

If your company provides healthcare services and needs to meet HIPAA requirements, Sysdig Secure can help you with your security posture. Sysdig Secure's compliance features cover SOC 2, NIST 800-53, GDPR, and others, and also HIPAA. :)

At this point, implementing policies and systems that enforce appropriate limits on data access, use, and disclosure is a must.

What is HIPAA

HIPAA, signed into law in 1996, sets standards to protect individually identifiable health information that a system creates, receives, maintains, or transmits in electronic form.

Protected Health Information (PHI) is your personal healthcare data; keeping PHI private and confidential is what the HIPAA rules address.

Covered entities are the healthcare providers, such as doctors and nurses, and the health plans, such as insurance companies, that handle PHI.

HIPAA also covers lawyers, accountants, administrators, and IT personnel who work with a covered entity in a non-healthcare capacity and can still have access to PHI. These are the business associates, and they are required to maintain HIPAA compliance for the PHI they handle, just like covered entities.

Why does your infrastructure need to be HIPAA-compliant?

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) released a HIPAA Audits Industry Report with OCR's findings from the HIPAA audits the agency conducted in 2016-2017. These are some of the findings:

  • Only 2% of covered entities fully met the requirements, and two-thirds failed to or made minimal or negligible efforts to comply.
  • 89% failed to show they were correctly implementing the individual right of access.
  • Approximately 70% of covered entities used breach notification letters that failed to satisfy regulatory content requirements, such as a description of the electronic protected health information (ePHI) breached and the steps individuals can take to protect themselves from additional harm.

The report is a reminder of how seriously OCR treats HIPAA compliance obligations: healthcare organizations and their business associates need to get the basic best practices right. And, of course, there are HIPAA fines for those who do not comply.

How Sysdig Secure helps you achieve HIPAA compliance

Software applications intended to be HIPAA-compliant need to adhere to certain standards.

Inside Sysdig Secure, you will find the individual HIPAA controls, each one telling you whether your workloads pass or fail that particular control.

Fig. 1 – Sysdig Secure screenshot: HIPAA-WORKLOAD compliance report

For every control, you can find a short snippet (green box in Fig. 2) explaining what the control is, why it's needed, and how we actually check it.

In the following example, Sysdig checks that audit and system logs are being captured for every component of a HIPAA-compliant service: application servers, databases, the caching layer, and anything else in the path of PHI. In case of a HIPAA breach, these logs let you reconstruct which users were accessing the system during the incident window, and also identify the patients whose data was compromised. Note that a component that produces no logs at all is itself a gap in the review, since you cannot rule anything in or out for it.
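To make concrete what the 164.308(a)(1)(ii)(D) activity review needs from those logs, here is an added example (it is not Sysdig code and not how Sysdig implements the control). It assumes a JSON-lines audit format with `ts`, `user`, `service`, `action`, `patient_id` and `result` fields; the format and the sample events are constructed for illustration. Given an incident window, it answers the two questions above and also reports which expected components produced no log events at all.

```python
"""Added example: activity review over constructed audit-log lines.

Answers, for one incident window: which users were active, which patients'
records were successfully touched, which accesses were denied, and which
expected components (app server, database, cache) produced no logs at all.
The JSON-lines format and every event below are constructed assumptions,
not a Sysdig or any real product's log format.
"""
import json
from datetime import datetime, timezone

# Constructed sample audit trail. The last line is deliberately malformed.
SAMPLE_AUDIT_LOG = """\
{"ts": "2021-09-01T09:58:12Z", "user": "nurse.ana", "service": "ehr-api", "action": "read", "patient_id": "P-1001", "result": "ok"}
{"ts": "2021-09-01T10:02:40Z", "user": "dr.lee", "service": "ehr-api", "action": "read", "patient_id": "P-2048", "result": "ok"}
{"ts": "2021-09-01T10:05:03Z", "user": "svc-backup", "service": "postgres", "action": "dump", "patient_id": null, "result": "ok"}
{"ts": "2021-09-01T10:07:55Z", "user": "dr.lee", "service": "ehr-api", "action": "export", "patient_id": "P-1001", "result": "ok"}
{"ts": "2021-09-01T10:09:30Z", "user": "contractor.x", "service": "redis", "action": "read", "patient_id": "P-3071", "result": "denied"}
{"ts": "2021-09-01T10:31:10Z", "user": "nurse.ana", "service": "ehr-api", "action": "read", "patient_id": "P-4410", "result": "ok"}
not json at all
"""

# Components that are expected to emit audit logs (assumed inventory).
EXPECTED_SERVICES = ["ehr-api", "postgres", "redis", "memcached"]

# Hypothetical incident window used by run_example().
INCIDENT_START = datetime(2021, 9, 1, 10, 0, 0, tzinfo=timezone.utc)
INCIDENT_END = datetime(2021, 9, 1, 10, 10, 0, tzinfo=timezone.utc)


def parse_events(log_text):
    """Parse JSON-lines audit records; return (events, malformed_count).

    Malformed lines are counted rather than silently dropped, because a
    hole in the audit trail is itself a finding for an activity review.
    """
    events, malformed = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(
                rec["ts"], "%Y-%m-%dT%H:%M:%SZ"
            ).replace(tzinfo=timezone.utc)
            events.append(rec)
        except (ValueError, KeyError, TypeError):
            malformed += 1
    return events, malformed


def review_window(events, start, end):
    """Summarize activity inside [start, end] for an incident review."""
    in_window = [e for e in events if start <= e["ts"] <= end]
    return {
        # Everyone who touched any component during the window.
        "active_users": sorted({e["user"] for e in in_window}),
        # Patients whose records were successfully accessed or exported.
        "affected_patients": sorted({
            e["patient_id"] for e in in_window
            if e.get("result") == "ok" and e.get("patient_id")
        }),
        # Denied attempts are worth a look on their own.
        "denied": [
            (e["user"], e["service"], e.get("patient_id"))
            for e in in_window if e.get("result") == "denied"
        ],
        "services_seen": sorted({e["service"] for e in in_window}),
    }


def logging_coverage_gaps(events, expected_services):
    """Expected components that never produced a single audit event."""
    seen = {e["service"] for e in events}
    return sorted(set(expected_services) - seen)


def run_example():
    """Run the review over the constructed sample and return all results."""
    events, malformed = parse_events(SAMPLE_AUDIT_LOG)
    result = review_window(events, INCIDENT_START, INCIDENT_END)
    result["malformed_lines"] = malformed
    result["coverage_gaps"] = logging_coverage_gaps(events, EXPECTED_SERVICES)
    return result


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The point of the `coverage_gaps` and `malformed_lines` fields is the first half of the control: before you trust the review, confirm that every component in scope actually produced logs for the window. Here the cache layer (`memcached`) is silent and one line is unparseable, so the answers for "who was active" and "whose data was touched" are a lower bound, not a complete picture.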

Fig. 2 – Sysdig Secure detail screenshot: control 164.308(a)(1)(ii)(D) Procedures to review system activity

Sysdig Secure also provides a section with guided remediation actions (red box in Fig. 2) that you can take if you do not pass the control.

HIPAA compliance for workloads running on AWS cloud

So whether your workloads run on-prem or have already been migrated to the AWS cloud, Sysdig Secure helps you maintain the security posture your HIPAA-compliant software needs.

Because healthcare information is such a sensitive asset, there are several privacy and security risks you will want to avoid in healthcare applications:

  • Breach of confidentiality when collecting sensitive data.
  • Unauthorized access to data stored on devices.
  • Deceptive distribution of software to the patient.
  • Violation of privacy during transmission to the provider’s system.

Fig. 3 – Sysdig Secure screenshot: HIPAA-AWS compliance report

Conclusion

There are still pitfalls to overcome, but technology has already changed the concept that many people had of healthcare. Telemedicine, electronic prescriptions, or shared diagnoses through a platform are the new way to interact with health professionals, minimizing risks and saving time.

Security governance and compliance can no longer be an afterthought for healthcare IT leaders.

Sysdig Secure helps you protect your applications, pass the HIPAA compliance controls, and avoid HIPAA fines. Want to see for yourself? Get started for free today!
