By Mathieu Gorge, CEO and Founder, VigiTrust
HIPAA was created in 1996, so it’s a fairly old piece of regulation. Back then, there were very few regulations around sensitive information pertaining to health data. HIPAA was designed to ensure that health systems, suppliers to health systems, clinics, and other healthcare entities followed five key rules: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule.
These rules relate to:
- The location of the protected health data
- The parties overseeing it
- Maintenance of the data
- The security method used to protect it
- The organization’s ability to demonstrate that it is secured
In particular, HIPAA had a very strong focus on disaster recovery and business continuity. It required a number of documents for a standard contingency plan, including a data backup plan, disaster recovery plan, emergency operation mode plan, testing and revision procedures, as well as application and data criticality analysis. The objective was to ensure that, should the protected health information be damaged or lost, exact copies could be created so that the patient’s treatment would not be impacted. Therefore, there was a need to create policies and procedures for restoring electronic protected health information, and for HIPAA entities to work in emergency mode when necessary.
HIPAA also included several provisions about managing third parties known as business associates. The goal here was to ensure that suppliers and others within the supply chain complied with all technical controls, policies and procedures. This would ensure that they would not become the weakest security link for the health system.
Why Health Data Security Matters
There are numerous frameworks, regulations and standards that talk about the value of personal data, but some concepts are different when it comes to medical information. For example, I’m not worried about losing my credit card because it’s covered under PCI and by contractual requirements with my bank, which itself has contractual obligations with the five major credit card companies. As such, I can be pretty sure that if my credit card details are stolen, I will get my money back. Essentially it’s just a case of changing my credit card details and moving on.
However, if somebody gets access to my medical information, that is a whole other batch of problems. I only have one set of medical data; I can’t actually change it! So my health information, including my DNA and the details of any diseases or illnesses I might have, is something that I really need to protect as much as possible.
Criminals understand this, which is why we have seen a rise in blackmail regarding protected health information. Hackers are breaking into health systems’ networks, stealing personal health data, and then forcing patients to pay ransom in exchange for not making the information public.
As you can imagine, criminals have seen the Covid-19 pandemic as a major opportunity to target hospitals and health systems. Healthcare organizations, already a top target for hackers even before the pandemic, have seen a massive increase in attacks over the past year. Cybercriminals know that health systems are already under pressure, and they’re hoping that cybersecurity has fallen to the wayside.
Remote Work & Increased Risk Surfaces
Furthermore, healthcare organizations have had to revamp their architecture. Doctors and nurses are working as usual, but the administrative staff have been working from home for the past 12-14 months, just like in every other industry. Some of these remote employees are using their own devices to connect to the health systems. In the past, this would have been a big no-no, but when the pandemic began, the priority was to make sure that people were working, so security unfortunately took a back seat for a little while. As a result, we have potentially doubled or tripled the number of people accessing patients’ health data from home on laptops and devices that are less secure than on-site corporate tech.
Why HIPAA Needs to Modernize
The question now is, “Why is HIPAA no longer suitable?” The first challenge is that the user architecture has changed and the risks have increased over the past 12 months. The second, very important item is that the medical software architecture has changed. We now have connected health systems with a user experience similar to that of the travel industry, allowing you to check in on your own using a QR code, have a private portal with all your information, and receive results on your portal and mobile device. The actual architecture of the software is based on a mix of cloud applications and back-end systems, whereas in the past it would’ve been only back-end systems and potentially a secure portal. In this context, software security is really key, and assessing the security of the medical applications’ architecture should be a priority. Unfortunately, HIPAA wasn’t really designed to do this, and while there are controls around software security, deployment and so on, it’s not as detailed as newer regulations or standards such as GDPR or PCI. Health systems may well be subject to GDPR, CCPA and other regulations, but their key focus is really HIPAA. HIPAA does not prioritize software security, software architecture reviews, or secure coding, which is an issue because attacks target the software at its core and look for vulnerabilities within it.
In addition, with the advent of GDPR and CCPA, along with the equivalent of CCPA in Virginia and other US states, regulators are really focusing on the value of protecting personal data from a wide perspective, including medical data such as biometric data. Health systems also need to comply with this landscape of rules, and sometimes it is very difficult for them to do so.
How Health Systems Can Adjust
In order to comply with this very technical and complex suite of frameworks, health systems must ensure that the key decision makers — the board of directors and C-suite executives — are aware of their cyber-accountability mandates. What I mean is that if you look at the responsibility for architecture within GDPR, CCPA and HIPAA, somebody has to be held accountable at the end of the day. You need a program in place that allows you to demonstrate you’re taking the right technical measures and have the right technical controls, policies, procedures, backups, etc. Unfortunately, what happens is that key decision makers go through what I call the 5 stages of cyber-accountability grief.
5 Stages of Cyber-Accountability Grief
The first stage is Denial: “Cyber-accountability does not apply to us! We are here to ensure that the health system is working, treat as many patients as possible, conduct research and, for organizations outside the non-profit realm of health systems, make profits.” The board sees this as their role, not being accountable to cybersecurity.
The second stage is Anger: “Please leave us alone! We appointed a chief security officer and compliance officer, and we have people looking after not only HIPAA compliance, but PCI compliance as well, for clients that pay by credit card. We’re already investing a lot of money.”
The third stage is Bargaining: “Okay, we know some health systems have been targeted and even received fines from HIPAA. We know that some organizations are being hacked, and protected health information is being stolen, but really that’s the job of others. Just to be safe, we’ll engage a big firm to conduct a security audit and demonstrate that we take it seriously.” While that’s a good first step, it is not actually an audit.
The fourth stage is Depression: “We’ve been hacked and issued a HIPAA fine because somebody stole a laptop belonging to one of our consultants. Suddenly the data was out in the wild, and I had to disclose that fact, which resulted in a fine of a few million dollars.”
The final stage is Acceptance, and this is where health systems need to be right now. Unfortunately, most are only doing 50-60% of what they’re supposed to be doing.
The 5 Pillars of Security
At the end of the day, what health systems need to do is not rocket science: HIPAA does have very good controls, but you need to layer in software security, architecture, code reviews and so on. By and large, the best practices to achieve high levels of security and compliance are available. What I recommend as a way forward for those health systems that may not know where to start is to look at simple methodologies like the 5 Pillars of Security framework, which I describe in my book, “The Cyber-Elephant in the Boardroom.” It’s based on the idea that if you look at HIPAA, CCPA, GDPR or any type of secure coding best practices, you always return to 5 common denominators: people security, physical security, data security, infrastructure security (networks, cloud, applications, third parties, fourth parties, business associates) and crisis management. This framework can easily be used to demystify the complex landscape that health systems must comply with, and to outline it in plain English and business terms that CEOs and board members can understand.
I believe that we are at an inflection point for health information protection. HIPAA needs to be reviewed and made more current to include language around software security and architecture, as well as new solutions in use by the medical profession and health systems. It should also map with other regulations that are topical at the moment, like GDPR and CCPA. By using very simple concepts like the 5 Pillars of Security and the 5 stages of cyber-accountability grief, health systems can very quickly regain control of this security and compliance challenge.