Our HIPAA Compliance Solutions Cheat Sheet Maps Top Cybersecurity Controls to HIPAA Requirements

Meeting HIPAA compliance requirements can be daunting! But some good news is that many of the security best practices you should be doing anyway can also help with your HIPAA compliance. In this blog, we share our HIPAA Compliance Solutions Cheat Sheet of which HIPAA requirements map to the most effective cybersecurity controls found in LMG Security’s Top Security Controls of 2024. We’ll show you how these top controls relate to the HIPAA Security Rule requirements, so you can maximize your budget by implementing solutions that enhance both your cybersecurity and HIPAA compliance postures.

Many Organizations Don’t Realize They Need HIPAA Compliance Solutions

At LMG Security, our HIPAA compliance consultants regularly work with organizations in the healthcare space who have been tracking HIPAA forever and generally have established compliance programs. But we also hear from organizations outside of patient care who are realizing they are subject to HIPAA requirements. For some, this is due to providing benefits to their employees through a self-insured health plan. Others are asked by their clients to sign Business Associate Agreements, which obligate them to comply with HIPAA requirements to protect any ePHI related to their contracted role.

Whether your organization has been working with HIPAA for a long time or you are new to it, you will be pleased to hear that many of the steps you are already taking to protect sensitive data and systems are applicable to HIPAA requirements for protecting ePHI. However, remember that HIPAA is heavy on documentation requirements, so be sure you have these positive actions documented in policies to count as part of your HIPAA compliance solutions.

Mapping LMG Security’s Top Security Controls of 2024 to the HIPAA Security Rule

Every year, our team of cybersecurity experts publishes our top security controls for the year. This list considers LMG’s ongoing research on the current threat landscape, attack tactics, and data breach trends. We also consider the effectiveness of each control and the ROI.

To make things easier, we’re sharing our HIPAA Compliance Solutions Cheat Sheet that maps LMG Security’s top controls for 2024, with an explanation of how each control contributes to HIPAA requirements.

1. Data & Asset Inventory
   • You can’t protect what you haven’t identified. For HIPAA, the key questions are: What ePHI do you have? And where is it? Once you’ve got your inventory, you can ensure proper protections are in place.
2. Strong Multifactor Authentication
   • HIPAA has several safeguards for managing access to ePHI. A key factor in successful access management is strong authentication to prevent unauthorized access through technical enforcement of your access management decisions. HIPAA has a provision for password management, but LMG considers Multifactor Authentication (MFA) a must for strong authentication. Read our MFA tip sheet for details.
     1. Tip: Some of the HIPAA Security Rule’s provisions don’t speak directly to current protection standards. LMG encourages organizations to implement modern best practices for the controls, which often means going beyond the specific wording of the HIPAA requirements.
3. Endpoint Protection
   • HIPAA has provisions for protection from malicious software and workstation security, which are necessities for all organizations. Beyond antivirus, LMG recommends Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions to defend against zero-day attacks, supply chain attacks, and other common cybersecurity threats. Alternatively, you can consider Managed Detection and Response (MDR) services, which include outsourced 24/7 monitoring and response.
4. Cybersecurity Training & Awareness
   • All organizations need regular cybersecurity awareness training for all employees. LMG recommends providing training monthly to address new threats and keep security precautions top of mind. We recommend KnowBe4, which offers HIPAA-specific training modules, including training on ePHI and how to protect it.
     1. Tip: HIPAA’s training provision was written before phishing tests became an expected part of a complete security awareness program. At LMG, we recommend you include phishing tests as part of your HIPAA compliance solutions.
5. Identity and Access Management
   • HIPAA puts a lot of emphasis on restricting access to ePHI to only those who need it for their specific job role. This is called Role-Based Access Control, and our team recommends this approach for all organizations to reduce the likelihood of data leakage and the potential impact of a ransomware or other incident. Combine RBAC with documented, consistent processes for access authorization, regular account review, and timely account disablement upon employee separation.
6. Scanning and Vulnerability Management
   • Regular scanning and consistent patch and vulnerability management are needed to meet HIPAA’s provisions for protection from malicious software and workstation security. Continuous automated vulnerability scanning is becoming the norm, as many organizations are finding monthly scans are no longer sufficient. With the explosion of zero-day attacks, continuous attack surface monitoring is crucial as a cybersecurity and HIPAA compliance solution.
7. Cloud Configuration
   • The same HIPAA requirements that apply to your on-prem assets also apply to any cloud applications that store or process ePHI. You should consider role-based access, account management, granular audit logging, backups, etc., and we highly recommend a cloud configuration assessment to close this common entry point for hackers. Read our blog on how to reduce your cloud and webapp risk for more details.
8. Penetration Testing
   • HIPAA’s Evaluation requirement requires periodic technical and non-technical testing. We recommend routine penetration testing to identify weaknesses that could be leveraged by an attacker so you can fix them before they are the source of an incident. Learn more in our external penetration testing blog.
9. Incident Response Testing and Training
   • Being prepared to respond to an incident can limit the incident’s overall impact. HIPAA requires an incident response plan and that your team is ready to respond, mitigate, and report. Consider LMG’s on-demand Cyber First Responder and Ransomware Response training to prepare your team to quickly identify and contain a data breach.
     1. Tip: LMG also recommends testing your response plan through an incident response tabletop exercise.
10. Advanced Backups
    • The HIPAA Security Rule requires contingency planning so your organization can respond to an emergency or other outage. While HIPAA is focused on disruption to ePHI systems, their steps make sense for all critical systems. You need advanced backups, training, and testing.
11. Supplier Risk Management
    • HIPAA’s focus is on ePHI, so the relevant requirement is for Business Associate Agreements, which must be put in place for suppliers or vendors who will create, receive, maintain, or transmit ePHI. However, this advice follows current best practices that all organizations should have a supplier risk management program for any supplier who accesses or stores your sensitive data or provides critical services. Security provisions should be documented in a contract or other agreement and be subject to initial due diligence and ongoing review.
      1. Tip: Vendor risk management can be a big job. At LMG, we recommend a risk-based approach. Start by identifying your suppliers who pose the greatest risk to your data and operations, then evaluate their security posture in the context of risk to your company.
12. Qualified Security Leadership
    • HIPAA has a required safeguard for Assigned Security Responsibility. It asks organizations to identify the official who is responsible for the development and implementation of policies and procedures that relate to your HIPAA requirements. This aligns perfectly with LMG’s recommendation that you have strong cybersecurity leadership to guide your security program. LMG offers a virtual CISO service to help organizations gain access to fractional security leadership.

We hope you found this cheat sheet of how HIPAA compliance solutions and cybersecurity controls overlap helpful in building a strong, cost-efficient HIPAA compliance program. Do you need advice on your HIPAA compliance solutions or filling in gaps for specific requirements? Contact LMG Security and our experienced cybersecurity consultants will be happy to help!