How emerging cyber threats are transforming the HIPAA landscape
The health data security landscape today is very different from the one 21 years ago when the Health Insurance Portability and Accountability Act was passed into law. And despite the omnibus HIPAA Final Rule on Privacy & Security that HHS posted in Jan. 2013, which brought new safeguards to protect ePHI, healthcare CIOs and CISOs must be constantly on the ball, making adjustments to their cybersecurity plans to ensure they don’t run afoul of HIPAA rules.
That is increasingly difficult in the post-omnibus era of more sophisticated attacks, most notably ransomware, ransomworms and whatever comes next. Take the latest ransomware variant Defray, for instance, which is specifically targeting healthcare and education sectors.
“We're still trying to solve the inter-facility/interstate communication, but today there are many more tools that can help protect that information both when sharing internally as well as externally,” said Bill Ho, CEO of Biscom, a secure document and messaging systems company. “Not only is security important, but the ability to control access and provide audit control is just as important for both covered entities and business associates.”
Security experts said a shift to cloud technology can help hospitals better secure assets and comply with HIPAA.
“If you look at recent major breaches, they have largely been around network security; for example, Banner Health getting hacked via its food and beverage POS because it was on the same network as their EHR,” said Kate McCarthy, a senior analyst at Forrester Research who specializes in healthcare. “It is not enough to partner with HIPAA-compliant vendors.”
Healthcare organizations, however, still largely deploy systems of record such as EHRs and claims systems in on-premises environments, with the false sense of security that on-premises is more secure than cloud-based alternatives, McCarthy said.
“They need the governance to enable state-of-the art security that covers the entire organization, from network to end-point to device to software and so on,” she said.
Cybersecurity has been an issue for some time, but it's become much more of a concern over the last few years, especially as medical records are relatively valuable on the Dark Web and fetch higher prices than other data that are sold and traded.
“To address this issue and minimize cybersecurity risks, health IT needs a two-pronged approach,” Ho said. “First, invest in the right IT tools that healthcare workers can trust to maintain patient privacy and security.”
Second, the cybersecurity mindset must be instilled in all employees on a regular basis -- with knowledge about not only how breaches occur, but how to better detect and respond to potential threats, especially social engineering scams, Ho added. That includes stressing the reality that protected health information is of increasing value to cyber-attackers.
“Though standards exist for compliance, protecting PHI requires advanced governance standards that ensure that not only is the local network compliant and secure, but that all software and all business associates are also secure,” McCarthy said. “Locking the door is no longer adequate to keep hackers away from PHI.”