HIPAA compliance: At the floor of security requirements, not the ceiling
Hardly a week passes nowadays without some news about a breach of private financial and healthcare data. These events are becoming so common that the idea of a breach even being newsworthy is questionable. Recent news about the ransomware extortion at a Hollywood, California, hospital, for example, was highlighted as special, but similar kinds of ransom activities are probably underreported. Retail stores, credit agencies, healthcare insurers and providers, and many other organizations have been attacked and possibly hundreds of millions of records are already being traded on the dark web.
This example of digital extortion offers a case in point about how data protection can be mischaracterized. Cyber extortion, or digital ransom, needs to be treated the same as a continuity of operations (COOP) or disaster recovery (DR) incident. Extortions such as these are likely going to be more common, and the only way to reduce the costs and frequency of the ransom demands is to treat the incidents as data breaches.
Responding to such breaches by recovering data and replacing servers, as would be the response to COOP or DR incidents, makes a lot of sense. Some institutions that are held ransom may not have proper COOP or DR capabilities, leaving them vulnerable to more than just cybersecurity extortion. By looking at immutable servers, immediate recovery, rapid COOP and DR responses, and related techniques, we can help the most vulnerable healthcare institutions be less susceptible to extortion demands.
Should breaches be prevented? Of course they should. Can all of them be prevented? Very likely not, in every circumstance.
Prudent risk management dictates that extortion and ransom of data are real possibilities, and we need to mitigate them with tried-and-true COOP and DR approaches. As our journey from paper to digital-native and mobile-first medical records continues, moving from Health Insurance Portability and Accountability Act (HIPAA) compliance silliness into a highly disciplined, structured risk-management approach becomes very important. That importance lies in protecting our most valuable assets both before and after breaches occur.
I characterize HIPAA compliance as silly because it’s not prescriptive enough. No two organizations that claim HIPAA compliance can be compared, and no method for assessing or scoring risk exists. HIPAA compliance can also be considered trivial because it’s based on regulations that assume paper-native workflows rather than a digital-first approach.
Because of HIPAA, many people believe healthcare cybersecurity is somehow special. While HIPAA compliance is a necessity, its framework is insufficient for modern healthcare risk management and cybersecurity. HIPAA compliance needs to be treated as the floor of security requirements and not the ceiling. I believe that healthcare-specific cybersecurity and risk frameworks are going to do more harm than good because industry-specific tools almost always lag behind their industry-neutral counterparts. And seeing why is easy: those who procure cybersecurity tools in healthcare are fewer than the buyers in all other industries combined. Fewer users translates to less attention, and an increased attack surface results.
Healthcare IT security was covered extensively at #HIMSS15 in Chicago, Illinois, last year. But this topic is returning in a much more expansive way to #HIMSS16 in Las Vegas, Nevada. The event includes the IBM session, “Common Sense Approach to Protecting your Healthcare Organization Against Cyber Threats.”
When you attend the educational sessions and talk to vendors at this event, ask yourself what’s different about security for digital healthcare versus security for digital banking, digital government, digital retail or digital any other industry. If you hear speakers or vendors say healthcare is different—which is usually precipitated or accompanied by hand waving—ask them to be methodically specific. Certainly, healthcare workflows are different, the data quantities can be significantly higher, the business can be very specific and the risks can be more pronounced—often because of life-critical safety requirements. Whenever you hear the phrase, “we’re special,” ask these questions:
- Are healthcare insider threats somehow different than in other industries?
- Does healthcare workstation security differ from workstation security in other industries?
- Are healthcare-specific firewalls and intrusion detection systems (IDSs) available?
- Are hospitals installing special antivirus software that other industries aren’t using?
- Is URL filtering or are web-content gateways special in healthcare?
- Are any healthcare-specific user identity, credentialing or access management tools available? If so, what are they? If not, why not?
- Are smartphones and bring-your-own-device (BYOD) approaches somehow secured differently in healthcare?
- How is data security really, technically, different in healthcare than it is in any other industry?
- Is data loss prevention technology special for healthcare?
- Is HIPAA compliance really significantly different from the Federal Information Security Management Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI DSS) and many other governance, risk management or compliance activities?
Honest answers to these questions—without the hand waving—should reveal that very few differences are evident between healthcare and other industries in the approaches, engineering lifecycles, technologies and tools used for cybersecurity. One exception is likely to be medical devices; the use of these devices is quite special and specific to healthcare settings. What is different for the healthcare industry is how we apply these approaches and tools, which requires significant understanding of its workflows.
Buttressing regulation with technology
Am I advocating ignoring HIPAA compliance? Of course not. HIPAA compliance is the law, and it provides a reasonable legal and regulatory framework that allows for punishing negligence and incompetence.
What I am saying is that we should stop believing that HIPAA compliance means low risk or high security in the healthcare industry. The answer, “Yes, your data is encrypted and we’re HIPAA compliant” is meaningless to a hospital patient asking, “Are my medical records secure?” or an insurance plan member asking, “Will my data be protected?” It’s meaningless because no method for measuring compliance exists, and data encryption is less about real security and more about security theatre. Ask three different attorneys or three different IT professionals how to gauge HIPAA compliance, and you’ll likely get significantly different opinions from each. Perhaps frightfully, they’ll all be correct from a legal perspective, but just as likely incorrect from a technical one.
The solution is to move away from HIPAA compliance as a security goal, and instead embrace the disciplined Risk Management Framework (RMF) of the National Institute of Standards and Technology (NIST). Better yet, adopt other prescriptive risk-management practices that aren’t specific to the healthcare industry.
Getting realistic information
Attendees at HIMSS16 are encouraged to find out why—when you have a choice—you should or should not follow NIST or Department of Homeland Security (DHS) guidance instead of HIPAA or healthcare-specific frameworks. If hackers don’t use different tools, should we follow different rules? If you have cybersecurity responsibilities, learn about the $6 billion DHS Continuous Diagnostics and Mitigation (CDM) program and how it can help healthcare institutions.
Zero risk is neither practical nor affordable. Establishing a risk profile with risk scores we can afford, both financially and in terms of human resources, can be achieved through several requirements:
- Honesty and transparency about which data is to be prioritized for protection and which requires less vigilance; zero breaches is an unachievable goal, but zero loss of high-priority data is possible
- Identification of the threat vectors to focus on internally versus those that are to be outsourced; malicious code and unpatched software don’t care whether attorneys think an organization is HIPAA compliant
- Real data loss prevention, event logging and intrusion detection systems that are continuously monitored outside of the annual or quarterly HIPAA compliance windows
- Real response and recovery programs that can ascertain damage and clean up after a data spill
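As an added illustration of what "continuously monitored" event logging looks like in practice, against the ransomware scenario the post opens with, here is a small monitor written for this edit (it is not code from the original post, from IBM or from HIMSS). It reads file-server audit lines and raises an alert when one user/process pair renames many files within a short window, and notes whether any of those files sit on a share the organization has classified as high-priority data. The log line format, the share paths, the sample lines and the thresholds are all assumptions constructed for the example; a real deployment would take them from the audit source and the data inventory.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-server audit lines (not real hospital logs).
# Assumed format: ISO timestamp, user, process, action, path.
SAMPLE_LOG = """\
2016-02-10T09:00:01 nurse01 winword.exe WRITE /share/ehr/patient_1001.docx
2016-02-10T09:00:05 nurse01 winword.exe WRITE /share/ehr/patient_1002.docx
2016-02-10T09:15:00 svc_bak robocopy.exe READ /share/ehr/patient_1001.docx
2016-02-10T09:16:00 rcpt02 explorer.exe RENAME /share/public/menu_old.pdf
2016-02-10T10:30:00 rcpt02 unknown.exe RENAME /share/ehr/patient_1001.docx.locked
2016-02-10T10:30:00 rcpt02 unknown.exe RENAME /share/ehr/patient_1002.docx.locked
2016-02-10T10:30:01 rcpt02 unknown.exe RENAME /share/ehr/patient_1003.docx.locked
2016-02-10T10:30:01 rcpt02 unknown.exe RENAME /share/ehr/patient_1004.docx.locked
2016-02-10T10:30:02 rcpt02 unknown.exe RENAME /share/ehr/patient_1005.docx.locked
2016-02-10T10:30:02 rcpt02 unknown.exe RENAME /share/ehr/patient_1006.docx.locked
2016-02-10T10:30:03 rcpt02 unknown.exe WRITE /share/ehr/README_DECRYPT.txt
"""

# Shares holding the data the organization has decided must never be lost.
# Assumed tiers for the example; the real list comes from the data inventory.
HIGH_PRIORITY_PREFIXES = ("/share/ehr/",)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (READ|WRITE|RENAME|DELETE) (\S+)$")


def parse_line(line):
    """Return (timestamp, user, process, action, path), or None if the line
    does not match the assumed audit format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, proc, action, path = m.groups()
    return datetime.fromisoformat(ts), user, proc, action, path


def is_high_priority(path):
    """True when the path is on a share classified as high-priority data."""
    return path.startswith(HIGH_PRIORITY_PREFIXES)


def detect_mass_rename(log_text, window=timedelta(seconds=10), threshold=5):
    """Flag every (user, process) pair that renames at least `threshold` files
    inside any `window`-long span. Returns one alert dict per actor with the
    peak count, the first and last event time, and whether any renamed file
    was on a high-priority share."""
    recent = defaultdict(deque)  # actor -> (timestamp, path) events in window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped here, would be counted in production
        ts, user, proc, action, path = rec
        if action != "RENAME":
            continue
        actor = (user, proc)
        q = recent[actor]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(actor, {
                "user": user, "process": proc, "count": 0,
                "first": q[0][0], "high_priority": False})
            a["count"] = max(a["count"], len(q))
            a["last"] = ts
            a["high_priority"] = a["high_priority"] or any(
                is_high_priority(p) for _, p in q)
    return sorted(alerts.values(), key=lambda a: a["first"])


if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_LOG):
        tier = "HIGH-PRIORITY DATA" if a["high_priority"] else "lower-priority data"
        print(f"{a['first']} {a['user']}/{a['process']}: "
              f"{a['count']} renames in window ({tier})")
```

The point of keying the alert on the data tier is the first list item above: a burst on a scratch share is worth a ticket, while the same burst on the records share is the "zero loss of high-priority data" case and should trigger the response-and-recovery program immediately rather than wait for the next compliance review.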