My apologies for the obvious headline – or what should be obvious to all…
Why is this so difficult?
There has been a large number of cyber losses in healthcare in the last 2 years¹, and this data originally comes from Health and Human Services.
The Future of Health Care and Electronic Records² article (2010) stated that going electronic would eventually give more accurate diagnostics and more “sharing with family members securely”.
Well, ‘obviously’ that did not work out. It was a colossal failure.
No one, it seems, thought about the hackers and what a criminal could do with your health records now that we have conveniently put all health records in digital format…
Part of the problem was that getting the multiple systems from radiology, labs, and many other technical areas in healthcare to talk to the doctors was so difficult that not enough thought was given to security, beyond the basics: we have a firewall and have set up user IDs and passwords.
But in the Cybersecurity field we know having a basic filtering firewall is not enough.
It is very easy for one computer to somehow become infected, and soon the hacker can have access to other computers, especially if there are no checks and balances on how easy it is to attack the network.
If you are trying to find out what should be done, look at the Enforcement Highlights³ section of the HHS website.
These are the most interesting items in the Enforcement Highlights:
From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronic protected health information; and
- Use or disclosure of more than the minimum necessary protected health information.
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
- Private Practices;
- General Hospitals;
- Outpatient Facilities;
- Pharmacies; and
- Health Plans (group health plans and health insurance issuers).
I guess that pretty much covers any entity within the health field.
HIPAA itself is the problem in my opinion. It is written like a law statute in the “Summary of the HIPAA Security Rule”⁴.
As I heard from a HIPAA consultant, Hudson Harris, at ShowMeCon in June (http://oversitesentry.com/hipaa-enforcement-10-of-any-covered-entity-will-be-audited-says-office-for-civil-rights/), Hudson said that the OCR (Office for Civil Rights) is investigating and enforcing HIPAA now.
OCR is in fact doing social engineering, trying to test “attack” offices.
The following is from my previous post:
6. There should be access protection, both physical and digital.
Hudson said that the Office for Civil Rights has been known to come in dressed as a flower delivery person to try to get into areas they should not, and then try to access computers (sort of like a social engineering hacker). And sometimes the Office for Civil Rights takes this social engineering to a new level (sort of like social engineers themselves).
The HIPAA summary states that there are no hard and fast rules, just suggestions and recommendations. Example:
A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.
So the REAL problem is that this ‘flexibility’ does not say what should be done, unlike the PCI compliance document, which states you should test the servers and the network, hire pentesters, and more.
HIPAA just says “Secure the data” and “Implement policies and technologies”, although the HIPAA government office (OCR) is now focusing on enforcement through audits.
It would behoove all entities to get their own ethical hacker.
So _obviously_, as an entity, you should know what you need to do. Just protect the data already!!
Our recommendation:
Test, test, test – use a qualified ethical hacker. Contact us.
References:
1. http://www.ft.com/intl/cms/s/2/f3cbda3e-a027-11e5-8613-08e211ea5317.html#axzz3v4Z8h69i
2. http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/the-future-of-health-care-and-electronic-records/
3. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
4. http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html