Much of the focus in recent news is on attacks on retailers and the financial industry. It is easy to see the results of these money-motivated attacks in the form of large thefts of money or credit cards.
As a result, it may surprise you to know that your health care information is under attack. You are mistaken if you think that HIPAA’s data security protections are working to protect it. Health care organizations are not meeting the security table stakes. By rushing to implement electronic health records without minimum viable security, health care organizations are leaving the door wide open for criminals.
How Bad Is It?
A recent study by the Ponemon Institute revealed that 94% of medical institutions have been victims of a cyber attack. So it’s safe to assume that your records were at least targeted by an attack.
The data-driven Health Care Cyberthreat Report from SANS reveals news from the battlefront. They tracked at least 375 healthcare-related organizations in the US as they were attacked and compromised between September 2012 and October 2013. They identified nearly 50,000 malicious activities directed at healthcare-related organizations during that period. Health care providers saw the lion’s share of malicious traffic at 72%, and business associates were second with almost 10%. Also affected were health plans, health care clearinghouses, and pharmaceutical organizations.
Why Isn’t HIPAA Helping?
HIPAA stands for the “Health Insurance Portability and Accountability Act.” It was not designed to be a standard for security. It has data security provisions, which we have detailed in a series of articles on our website.
Data security is only one small component of the laws around HIPAA. The HIPAA rules around data security aren’t as prescriptive as the rules for the payment card industry. They are more open-ended and subject to the interpretation of auditors. HIPAA’s one-size-fits-all approach means that not every possible data security control makes sense for every size and type of business. And many business associates are still struggling to meet their required compliance with HIPAA.
Lastly, HIPAA audits have generally been limited to the largest organizations. The Department of Health and Human Services seeks to make examples out of companies that fail to protect patient information. Larger organizations generate larger fines and larger headlines. Smaller health care organizations are not likely to see a HIPAA audit anytime soon, and therefore may fail to see the need to implement HIPAA-required controls.
Areas For Improvement
The 6th Annual HIMSS Security Survey, sponsored by Experian® Data Breach Resolution, revealed some interesting findings. The survey respondents were from organizations with electronic health records or document imaging systems. Respondents self-identified as being responsible for IT or security.
97.5% of respondents revealed that they have a firewall in place to protect their networks, which is good news. But the remaining 2.5% are really bad news. How can an organization entrusted with protecting health information fail to meet such a low level of security?
In the context of this survey, 19% of respondents had suffered a security breach within the last 12 months. On average, they rated their security maturity as 4.35 out of 7. Only about half employed someone whose full-time job concerned data security.
Where to go from here?
As consumers, we should support businesses that treat us right. In the case of health care organizations, this doesn’t just mean being a competent and friendly physician. It also means protecting our health care information.
Consumers should ask what their health care providers are doing to protect their information. Yes, everyone has seen those HIPAA privacy practices forms you have to sign or acknowledge on every visit. Instead of the privacy practices, ask the provider about their security practices. Ask if they’ve had a third party assessment performed of their security, or if they have passed a HIPAA data security audit.
Health care providers need to start with the security table stakes which every business must meet to function in the information age. Then they need to understand what minimum viable security means to their organization. Finally, they need to implement their plan to take them at least up to minimum viable security, and beyond.
Want to learn more about security table stakes and minimum viable security? Sign up for our free training-by-email here.