I’ve not spoken to a single security professional, meaning someone who carries the experience, training and certifications to be called a CISO, who believes that they can adequately protect the healthcare organization they serve by simply being compliant with HIPAA. It’s time we let the air out of that balloon. The last couple of years, and in particular last year, showed everyone that data security in healthcare was no longer for the faint of heart. Securing healthcare today is the business of serious organizations and serious men and women with real skills. HIPAA is neither a suitable standard nor a framework for protecting a modern, diverse, hyper-connected enterprise. We live in an information ecosystem that is evolving at a rate that is straining our ability to keep up.
One very simple example of this is how rapidly antivirus solutions that depend on antiquated signature based approaches are failing to keep up with the proliferation of malware. More than half the malware that is produced today is not recognized by those solutions. The folks who are on the front lines of defending healthcare systems’ information deserve and need something better than the HIPAA Security Rule, a compromise solution developed more than a decade ago.
We need to accept and recognize that there are bad actors within our midst and outside the gates. Last year saw no abatement in insider abuse, and according to the latest RedSpin survey, at least half of the major breaches involved hacking. According to several other studies at the end of last year, over half of the respondents believe that their number one threat is the insider that makes mistakes or engages in inappropriate behavior. Yet we still see a very low percentage of organizations that are truly monitoring user activity. Last year we saw virtually every type of cyber attack known occur in healthcare. Many of these attacks targeted workforces and weaknesses in our networks, demonstrating over and over again the nature of the conflict. Those who are trying to defend have a much more difficult job than those who are trying to compromise. Still, we continue to do things like enter into third party supply chain relationships with nothing more than a Business Associate Agreement (BAA), because someone said that’s all HIPAA requires.
There are plenty more examples of why that approach is flawed. I’m reminded of something my mother used to say when she would overhear me or one of my siblings repeat something that someone else had said that did not make sense. Mom would say, “If Johnny or Sarah want to jump off that bridge are you going to go too?” She was reminding us to think for ourselves, reminding us to use our intellect. Does it really make sense that a BAA, a document with no due diligence, no attestation and no audit is actually going to protect you? It doesn’t make sense in the finance sector, or the payment card sector, or the government, and many others that have third party security requirements as part of their standard. So why in healthcare? It doesn’t. We need reasonable measures designed to address security throughout the lifecycle of those relationships.
The HIPAA Security Rule was conceived more than 15 years ago. Since then, all other standards that address security, ITIL, ISO, NIST, PCI, etc., have gone through multiple updates and changes. Even new areas such as cloud, mobility and medical device security have emerged, areas that HIPAA never envisioned, have been added to those other standards. Some would say the rule did embrace these new technologies and approaches because it is so vague in its requirements and approach. Others would say that same ambiguity has been one of the underlying problems with the rule ever since its inception, as it doesn’t provide enough detail or clarity for organizations to understand exactly what is required of them. The fact is, the rule represents a best case compromise at trying to develop a standard that works for all – from the smallest medical practice to the largest hospital network. Unfortunately, this approach is now failing. At a time when the industry needs more, it is providing less.
Many surveyed by RedSpin felt that security training is failing and did not cover the information that workforce members really need to be effective and is not in step with today’s environment. If that training is based on HIPAA, it’s no wonder participants felt underprepared. The HIPAA Security Rule speaks to less than a handful of topics that users should be educated on. Does anyone really believe that the environment that average healthcare workers function in today is really that simple when it comes to data security? Once again, HIPAA as envisioned in 2001 and enacted in 2003 fails us. The reality is that it’s just not that simple anymore, if it ever was, and healthcare workers like many other professionals who rely on systems and data to do their jobs require and deserve better. If there is anyone out there who still thinks that the bad actors outside the gates are not coming, just ask Community Health or Anthem if they agree. These, and other high profile incidents, should have convinced everyone that healthcare organizations and the information they hold is absolutely a target. Healthcare needs to focus on creating effective security programs and architectures, based on an up-to-date, credible security standard. It’s time to rethink the HIPAA Security Rule and assess whether it’s still adequate.