Originally live streamed Oct 27. This week on the HIPAA Vault show, Adam and Gil discuss top tips to avoid EDI data breaches in healthcare. Check out our website for more information on HIPAA EDI.
Transcript:
Adam
Hello, everyone.
Gil
All right. Hey, Adam.
Adam
Excited to be doing this second live stream. We did one earlier this week, and we got some good feedback. So happy to be going live again. I think what we wanted to talk about today is EDI a little bit further. We did do a podcast episode on EDI a couple of weeks ago, episode 32. So check that out if you want to get more information on what EDI is, but I'll cover that a little bit. Gil, I think today what we want to talk about is things to avoid when dealing with EDI, or Electronic Data Interchange, which is what it stands for, and how to avoid potential data breaches.
Gil
Yeah, I think you were calling it the top five ways that you could break the HIPAA regulations, especially when you're using EDI. What could go wrong, right? And I think this is a good one to cover because EDI is very popular. It's used to transfer patient health information across from a plan sponsor to an insurance company. It could be any one of many different directions. But the point is, there are things to consider, and today we're going to cover what those top five areas are that you should really just double check to make sure things are set up properly and working right.
Adam
Yeah, definitely. And before we dive into it, I just encourage any listeners: if you have any questions at the end of this or during it, feel free to reach out during the stream. Or afterwards, you can reach out to us at podcast@hipaavault.com over email. You can reach out to us on X at @hipaahosting, and you can always check out our website, hipaavault.com, and we'd be happy to answer any questions you have. So, Electronic Data Interchange, EDI, is the electronic exchange of business documents in a standard format between organizations. And we're talking specifically here about healthcare applications. So, as I mentioned, deep dive, episode 32. Check it out. But what we're going to talk about is where EDI can go wrong and give you five top tips on how to avoid data breaches. So, tip number one. Gil, do you want to kick us off?
Gil
Yeah, I'd say. Okay. Sure. The first one that we have at the top of our list that you have to be careful with when using EDI to transfer patient information or protected health information is the encryption. So most everyone knows, oh, yeah, I've got to have encryption. Okay. But you may not have sufficient encryption. It may not be to the standard. So make sure the encryption is reaching the standard. So some of you may say, well, what is the standard? Well, you want to use something called AES encryption. There are different levels of that: how many bits. So whatever software you're using, just check to make sure you're at the higher level. That's the easiest way to describe it. The other thing is there are these things called cipher suites, and that's what they call the handshake.
Gil
So when you make a connection between two points, there's a handshake, a protocol that happens. So to establish the connection, they call it a handshake. You have to say, hey, this is who I am. Who are you? Anyway, there are algorithms used for that specific handshaking, and you could be using an older one that's no longer considered secure. It has vulnerabilities. So make sure that the handshaking, the cipher suite protocols, are robust and that none of them have been deprecated or are end of life. And ask ChatGPT, your friend, say, hey, we're using these protocols. Are they still current?
Adam
Okay, yeah, that's great. And I think it's important to note there that you might have encryption in one place, but if you don't have it in all the places that it's needed, then you're breaking the potential security there. So encryption in transit as well as at rest, right?
Gil
Yeah, that's right. Then the second one would be the data integrity issues. To make sure that your data isn't corrupted in its journey from point A to point B, you can use the keys, the public/private keys, to make sure things are properly encrypted and encoded and to avoid taking data that's been corrupted. There's something called a checksum. A checksum is used to see if the data reaches its destination with integrity. It's called a checksum. Easy to remember that word. And you could just ask your tech staff, hey, are we using a checksum to check the data that we're receiving from some other party? If they send it encrypted to you, if you're the recipient, you could see the checksum. So that's a good one, too.
Adam
Okay, number three.
Gil
Number three, we've got lack of access control. So here's a good one for you. So this would say, let's say you did the technical part right. The data is encrypted, it's working well, it's arrived at its destination. But then there's the tricky part of the humans, right? A lot of the breaches, most of the breaches in the world, and most of the problems we have are, guess what, introduced by humans. Humans are the biggest cause of problems when it comes to breaches or not breaching and achieving the level of security that we should have. So one of those would be who's looking at the data. So you have to be careful that those that are looking at the data are who you think they should be. And you may have a trusted third-party partner that says, oh, well, they're technical.
Gil
They know what they're doing. They help me with this workflow that we have set up, and they access it. But if they haven't signed a business associate agreement, if they haven't signed a user access agreement, then you've violated security best practices and HIPAA regulations. I say both because a BAA is a HIPAA regulation, where they have to sign a business associate agreement, and I say security best practices because a user access agreement is not violating a HIPAA regulation, but certainly violating security best practices. So whenever you're talking about sensitive data, then you want to make sure that the third parties or individuals handling it have signed a user access agreement.
Gil
Now, all that really basically says is, hey, I understand, and I confirm and I acknowledge that I am given the privilege to access this sensitive information, and I will be careful, following security best practices. And what I do as I view the data, or if I'm not even viewing the data, but just if I'm logged into the same place where the data resides, I need to behave in a certain way. So that would be the access controls.
Adam
Okay. Then on a broader level, I think number four touches on a broader level, which is non-compliance with HIPAA regulations.
Gil
Yeah, here's an example of one. So let's say that you have all these HIPAA regulations, right, and you think you're following them all, but you might have missed something. A common one is the place where the data, the sensitive data, is resting. In other words, where it's just sitting there. Is that platform, is that disk, is that computer system, wherever it's sitting, is that encrypted at rest? It may or may not be, right? You'd have to check. So let's say you're in Google Cloud, where we like to host a lot of our customers. That has encryption at rest. In other words, if you go and shut down the virtual machine, you say, okay, power it down. When it powers off, it's now encrypted. So that checkbox is good.
Gil
Now maybe you're hosting on a physical server in your data center. You say, oh, my tech guy told me it's not encrypted. When we power it off, it's not encrypted. In that case, you've just violated the HIPAA regulations because you have patient information residing on a server that's not encrypted when it's powered off. So you have to just ask yourself that question.
Adam
Yeah, I think that's a really important point. Another one would be, because HIPAA compliance is a fairly broad kind of law and has a lot of regulations in it, what would happen, and what are the measures in place, if, worst-case scenario, a breach does happen and it goes undetected? How long is it going to go undetected for? Well, it could go undetected for months if there aren't proper auditing controls in place to make sure that you're constantly checking who has access, what was accessed, when it was accessed, who data was sent to, all that stuff. And it kind of links into the access controls that we talked about in number three. But having the right policies and procedures in place there is crucial for HIPAA. Okay, number five: backups.
Gil
Yeah, backups are the final one. So you have this data that's being sent back and forth using EDI; it's being transferred. So as the data is flowing through the systems from one party to another, if you're the recipient of the data or you're the sender of the data, either way, at some point, you should have backups of those systems, like you would in any robust computer system. You need to make sure that you have your backup. So you might say, well, of course we have backups. We're not dumb. We weren't born yesterday. But here's another question. So you have a backup that has the patient information. Well, is that encrypted now? Who can access that server?
Gil
Because now you've just transferred all the data somewhere else, and maybe you're very keen and very aware of the HIPAA regulations on this server, but now when you go to the backup, it's all starting over again: okay, I didn't do this there. I didn't have the right people accessing. And maybe you have your backup technician, your backup storage engineer, and he's messing with that. And he hasn't taken any of the HIPAA training modules. He doesn't have any knowledge that it is sensitive data. He didn't sign the UAA. All these things, all the things that you did follow and do on the main servers, but you forgot about it and didn't think about it for the backup system. So now you've got to start over, in a sense, with the backup system to make sure it properly has encryption as well.
Gil
A lot of software that does backups, by the way, has an encryption checkbox where you can say, I need to encrypt the data that I'm receiving as I'm receiving it. And when it's at rest, when the system is powered off, it'll be encrypted. So those are things that usually should be included, but perhaps it hasn't been reviewed, and no one's bothered to take the time to look at it and enable some of those features. So I would take a look at that.
Adam
So those are the five top tips that we had. Gil, I wanted to mention that there's a certain amount of black and white when it comes to security in HIPAA, but there's a lot of gray areas. There are terms that are used in the HIPAA law, like "appropriate" and "adequate," and so they can really be big gray areas. So, yeah, I think the easier fixes are where it says you must do XYZ, but it's the gray areas, and how do you define what's appropriate and how do you define what's adequate, that we certainly deal a lot with. Right?
Gil
Yeah. So I encourage whoever is listening today, if you have any questions or concerns, then reach out to us. We’re here to help you, and we can come alongside you and answer questions. So thanks for listening today. We really appreciate it. Yeah.
Adam
Thanks, everyone, for joining. So in this episode, this live episode, we covered five essential aspects of EDI security. By addressing these challenges, healthcare organizations can strengthen EDI practices, protect PHI, and maintain compliance with HIPAA regulations. If you have any questions, as always, you can email us at podcast@hipaavault.com. Reach us on X at @hipaahosting. That's all for this episode, and until next time, thanks for stopping by.