Securing healthcare information beyond HIPAA compliance
Information security in the healthcare industry focuses on complying with HIPAA regulations rather than on ensuring that healthcare information is actually protected. This approach is tactical and sometimes shortsighted. Since most hospitals and healthcare organizations have CIOs and CISOs dedicated to data control, data governance, security and privacy, you would expect a more proactive approach. Unfortunately, most of these organizations continue to approach data security in a very reactive way and – though it may seem obvious to consumers – often do not have a clear understanding of the value of the data they are entrusted with.
Things are beginning to shift as more and more CEOs and their boards are being held responsible for the consequences of a data breach. Executives are now looking at cyberthreats as a major risk to their business. While compliance is still a major driver in healthcare, compliance does not equal security. Organizations that drive data security efforts based on compliance alone put their data at risk. Healthcare organizations need to take a more holistic and proactive approach in their data security strategy.
Locking the front door meets the letter of the law, but if the back door is wide open, personal information and valuable health records are still at risk. With compliance driving strategy, most healthcare organizations did what was needed to comply with the regulations, but as is evident from the constant barrage of data breach headlines, being compliant doesn’t mean you are protected.
According to the HIPAA Security Rule, covered entities and their business associates need to protect the privacy and security of protected health information (PHI). This requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity and security of PHI.
Many healthcare organizations assumed that limiting access to PHI meets the HIPAA requirement. They have strict username and password authentication processes to ensure controlled access. But, as we have seen from many data breaches, stealing passwords and using them to gain access to sensitive information is far too common.
There are suggestions for using encryption as a method to ensure privacy and security, but the final HIPAA Security Rule made the use of encryption an addressable implementation specification. That means the organization can decide if encryption is a reasonable and appropriate safeguard in its risk management strategy. If not, it must document an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.
Applying persistent controls to sensitive data ensures that you are always in control of the information regardless of its location. This not only provides confidentiality, integrity and access control over the data, but also allows control over the actions taken while the data is in use. You can control who can edit, print, cut and paste, take a screen capture or save a local copy of a file. Since these controls follow the data itself, you can maintain control even after it leaves the boundaries of your organization. By applying security at the file level, organizations can also ensure that any copies stored in cloud services, email systems or on mobile devices remain inaccessible to anyone without authorization.
Putting endpoint encryption on all desktops and laptops is a method that could meet the letter of the law. If a device is lost or stolen, the information on the machine is protected, since the thief won’t be able to access it. Unfortunately, this doesn’t stop someone who is legitimately using the PC from accidentally or maliciously moving the data off the PC and sending it elsewhere. Once the information is off the PC, it is vulnerable.
Recent legislation in New Jersey has gone a step further, mandating the use of encryption for PHI that renders personal information unreadable, undecipherable or unusable by unauthorized persons. This goes beyond allowing a user to access encrypted data with a password. It requires a more robust method to ensure that the user is validated against a directory service and that all components in the chain are secure. This law was a reaction to a breach at the local Horizon Blue Cross Blue Shield caused by the loss of unencrypted laptops last year. After the massive attack on Anthem, Connecticut – the home to the healthcare provider’s headquarters – looks set to follow suit. While HIPAA may not update its standards, state governments are recognizing the risks and are using state power to keep customer data protected. One can only hope that one’s own personal health records are governed by New Jersey.
Being compliant with regulations is no longer a guarantee that your sensitive information is safe. Insider threats and the escalation and sophistication of external threats are putting all organizations at greater risk. Don’t implement technology merely to satisfy compliance. Implement it to completely block the path to your most valuable assets.