BreachExchange mailing list archives
Is HIPAA lulling health orgs into a false sense of security?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 18 Mar 2014 19:24:13 -0600
http://www.govhealthit.com/news/hipaa-lulling-health-orgs-false-sense-security

With the first anniversary of the omnibus HIPAA Final Rule on Privacy and Security just days away, the question of whether the rule is making healthcare organizations less prone to security problems -- or actually more so -- has arisen.

"We live in this daze where many people think if they're complying with rules then they're okay," said Larry Ponemon, chairman and founder of the Ponemon Institute. "But security is a lot more complicated than that."

Indeed, HIPAA is "a federal floor of safeguards" that "does not guarantee data protection is maximized," said Deborah Wolf, principal at Booz Allen Hamilton.

Another contributing factor is HIPAA's intentional addressability, which grants healthcare organizations perhaps too much flexibility in certain security practices, namely encryption, even while ratcheting in guidelines and laws concerning data breach notification. "While you can implement the requirements in the best means your organization sees fit, the risks associated with protecting the information still exist," Wolf explained. "One can never fully protect against things such as human error or malicious conduct, which account for many data breaches."

A big part of the problem is how misunderstood the security landscape is by many healthcare executives, according to Rick Kam, president of security vendor ID Experts. The sense that complying with HIPAA is enough, Kam continued, "lulls them into a state of not taking action to do the risk analysis that is required, to look at new vulnerabilities that are coming on the scene."

Adding to the complexity, as that one-year anniversary of the omnibus rule closes in -- it technically took effect March 26, 2013, though HHS' Office of Civil Rights granted the industry six enforcement-free months ending Sept. 23, 2013 -- the state of healthcare security is something of a mess.

The slightest of silver linings is that the percentage of hospitals that know they had a data breach within the last two years dropped from 94 percent last year to 90 percent this year when the Ponemon Institute conducted field research for its Benchmark Study on Patient Privacy and Data Security, published Wednesday. Darkening that sky, however, is the finding that "criminal attacks have increased by about 100 percent since 2010," Ponemon said.

With cyberthreats at a fever pitch, in fact, HHS joined forces with the Department of Homeland Security and HITRUST to create C3 Alert, a cyberthreat system engineered to inform healthcare organizations when HITRUST's center detects a high probability that attacks are targeted at the healthcare industry.

So attacks are up, breaches are constant, and the art and computer science of information security is likely to get even thornier as the U.S. continues digitizing its healthcare industry and has to not only protect patient records but also trek into additional layers of security such as authentication, data de-identification and identity management.

"The ACA is a black hole for security," ID Experts' Kam said of the Patient Protection and Affordable Care Act, explaining that exchanges, both the information and insurance kind, are not exactly stoking public confidence. Kam points to Ponemon findings that show nearly 70 percent of the 388 participating healthcare professionals spanning 91 hospitals believe there is less security because of the exchanges, and so it follows that 75 percent expressed concern about sharing data with the federal government.

Sharing data with contracted business partners is also of increasing concern, Ponemon found, such that only 30 percent of those surveyed are confident that business associates are appropriately protecting their data.

What will it take to get over the current security hump? Perhaps the mother of all data breaches or spills: like Target, only in healthcare.
"It's going to take a large breach to get people to rally around security," Kam said, to which Ponemon concurred "unfortunately, I think only a mega-breach would get healthcare organizations off their duffs and moving in the right direction."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)