Healthcare security and HIPAA: Why compliance and security are still lacking

Why HIPAA compliance is lacking in smaller practices, and where to begin

stethoscope with pills and healthcare items

A number of healthcare data breaches have made the news of late, particularly involving large insurance companies and data clearinghouses. As the media portrays the situation, our private health information is leaking to the outside world at an alarming rate. Based on BitSight's recently-released Third Annual Industry Benchmark Report, we should not be surprised. Based on the BitSight report, the healthcare industry is near worst in overall security, with only education below them. 

The data available prompts one big question – why is the security of our most personal data so poor? By comparison, security in the financial industry (best in the BitSight report) is well addressed, with significant guidance and oversight being provided by PCI, GLBA and other bodies of regulations. The healthcare world has HIPAA, which admittedly, as security standards go, is fairly weak. That being said, it does not appear that it is being followed well. 

In her article Why are healthcare data breaches so common?, author Stephanie Tayengco suggests 5 reasons why 91 percent of healthcare organizations reported at least one breach over the last year: 

  1. Systems are old and complex
  2. Health IT is 95 percent manual work
  3. Disjointed monitoring
  4. "We’re already HIPAA compliant”
  5. Health data is valuable 

I tend to work with smaller healthcare organizations, the front lines of the healthcare cyberwar. They have less data than the big guys, but are usually much easier to hack. While Tayengco's list is quite appropriate for the industry as a whole, I see a somewhat different story in the niche I work with:

Transition to EMR without considering security 

Many smaller practices are adopting electronic medical record (EMR) systems. This is prompted partly by financial incentives available under the HITECH Act, and partly because an EMR system is seen as a pathway to HIPAA compliance. In most cases, practices are selecting “HIPAA compliant software,” thinking that the selection constitutes their compliance and as a result resolves their security issues. Sadly, this is a myth often spread by software companies as a sales tool. Compliance impacts the totality of a practice, not just the software used. 

Buy something that says “HIPAA,” and you are covered 

HIPAA is a complex standard, and not documented in a way that folks in medical practices can easily comprehend the requirements. As such, I have observed that a practice will buy something that claims HIPAA compliance, be it a secure email system, an encrypted storage system, etc, and assume that the purchase makes them compliant, and therefore secure. Again, HIPAA applies to the totality of a practice. It cannot be met by the purchase of a single product, no matter what the sales person said. 

No monitoring 

Tayengco is exactly correct in her point about disjointed monitoring, but again, that applies to the larger organizations. What I see in smaller practices is the complete lack of monitoring. These folks generally have no idea how to even open a log file, let alone review it. They often assume that their IT provider is handling it for them, which is usually not the case. Their network may be under attack, and they don’t even know it. 

Ignoring paper records 

While adoption of EMR by smaller practices has been strong, paper records almost always remain. This may result from the decision not to add archival paper records to the EMR system, or because they serve as a bit of a security blanket. Whatever the reason, they often sit in unlocked file cabinets with no controls in place, leaving them open to insider threats. 

Lack of basic network protection 

In my experience, smaller practices are not much different from small business in general with their adoption of basic security controls like firewalls, strong wireless systems and data encryption. I rarely see these practices properly adopted in any small business, medical or otherwise. 

No training or policies 

Have you ever tried to put together a bike for one of your kids at Christmas without the instructions? Unless you happen to be an engineer, attempting this will result in a string of expletives, and a disappointed kid. In the HIPAA world, we seem to expect staff members to fill their roles in the compliance effort without understanding what they are, or having the necessary basic training or skills to pull it off. We would not think of putting a medical office employee with a patient without the necessary technical training, so why is compliance different? 

I am just too small for anyone to mess with 

This may be the most common excuse I hear in small practices, and small businesses in general. Those in smaller groups consider themselves invisible as compared to Anthem, Blue Cross, or a large hospital. They miss the fact that they are usually easy to breach, and readily found on the Internet. If they use Comcast as their internet provider for example, their business information is likely on the Comcast website as a public hot spot

Unfortunately, while data breaches involving the big players usually become known reasonably quickly, patient data may be leaking from the smaller practices without anyone ever knowing. Once patient data hits the black market, we may never know its source. This makes the lack of security at smaller practices very dangerous. 

Addressing compliance and security

If you are reading this as a member of such a practice, here are the steps you should begin to take immediately to address compliance and security: 

  • Understand HIPAA requirements, and formulate a compliance plan
  • Implement essential security practices on your network
  • Training your employees, and give them policies and procedures to follow
  • Monitor your systems and logs for evidence of issues 

If the above seems a bit overwhelming, there are many organization's available to help. If you are reluctant to spend the money for such help, keep in mind that you would never consider fixing your X-Ray machine yourself. If you don't have the time or expertise for HIPAA/security, hire someone who does. 

Bottom line – as a small practice, you are not invisible. Rather, you are the front line of the battle. Recognize that you are at war with those who would steal patient data, and begin fighting back.

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)