BreachExchange mailing list archives

Is HIPAA lulling health orgs into a false sense of security?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 18 Mar 2014 19:24:13 -0600

http://www.govhealthit.com/news/hipaa-lulling-health-orgs-false-sense-security

With the first anniversary of the omnibus HIPAA Final Rule on Privacy and
Security just days away, the question of whether the rule is making
healthcare organizations less prone to security problems -- or actually more
so -- has arisen.

"We live in this daze where many people think if they're complying with
rules then they're okay," said Larry Ponemon, chairman and founder of the
Ponemon Institute. "But security is a lot more complicated than that."

Indeed, HIPAA is "a federal floor of safeguards" that "does not guarantee
data protection is maximized," said Deborah Wolf, principal at Booz Allen
Hamilton.

Another contributing factor is HIPAA's intentional addressability, which
grants healthcare organizations perhaps too much flexibility in certain
security practices, namely encryption, even while ratcheting in guidelines
and laws concerning data breach notification.

"While you can implement the requirements in the best means your
organization sees fit, the risks associated with protecting the information
still exist," Wolf explained. "One can never fully protect against things
such as human error or malicious conduct, which account for many data
breaches."

A big part of the problem is how misunderstood the security landscape is by
many healthcare executives, according to Rick Kam, president of security
vendor ID Experts.

The sense that complying with HIPAA is enough, Kam continued, "lulls them
into a state of not taking action to do the risk analysis that is required,
to look at new vulnerabilities that are coming on the scene."

Adding to the complexity, as that one year anniversary of the omnibus rule
closes in -- it technically took effect March 26, 2013 though HHS' Office of
Civil Rights granted the industry 6 enforcement-free months ending Sept.
23, 2013 -- the state of healthcare security is something of a mess.

The slightest of silver linings is that the percentage of hospitals that
know they had a data breach within the last two years dropped from 94
percent last year to 90 percent this year when the Ponemon Institute
conducted field research for its Benchmark Study on Patient Privacy and
Data Security, published Wednesday.

Darkening that sky, however, is the finding that "criminal attacks have
increased by about 100 percent since 2010," Ponemon said.

With cyberthreats at a fever pitch, in fact, HHS joined forces with the
Department of Homeland Security and HITRUST to create C3 Alert, a
cyberthreat system engineered to inform healthcare organizations when
HITRUST's center detects a high probability that attacks are targeted at
the healthcare industry.

So attacks are up, breaches are constant, and the art and computer science
of information security is likely to get even thornier as the U.S.
continues digitizing its healthcare industry and has to not only protect
patient records but also trek into additional layers of security such as
authentication, data de-identification and identity management.

"The ACA is a black hole for security," ID Experts' Kam said of the Patient
Protection and Affordable Care Act, explaining that exchanges, both the
information and insurance kind, are not exactly stoking public confidence.
Kam points to Ponemon findings that show nearly 70 percent of the 388
participating healthcare professionals spanning 91 hospitals believe there
is less security because of the exchanges, and so it follows that 75
percent expressed concern about sharing data with the federal government.

Sharing data with contracted business partners is also of increasing
concern, Ponemon found, such that only 30 percent of those surveyed are
confident that business associates are appropriately protecting their data.

What will it take to get over the current security hump?

Perhaps the mother of all data breaches or spills: Like Target, only in
healthcare.

"It's going to take a large breach to get people to rally around security,"
Kam said, to which Ponemon concurred "unfortunately, I think only a
mega-breach would get healthcare organizations off their duffs and moving
in the right direction."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 