Confusing HIPAA Compliance With Security

Most people who read this publication know that while HIPAA compliance is necessary, it’s not sufficient to protect your data. Too many healthcare leaders, especially in hospitals, seem satisfied with the song and dance their cloud vendor gave them, or with the business associate that promises on a stack of Bibles that it’s in compliance.

I was reminded of this just the other day when Reuters came out with some shocking statistics. One particularly discomforting stat it reported was the fact that medical data is now worth 10 times more than your credit card number on the black market (even if John has argued otherwise). Why? Well, among other things, because medical identity theft isn’t tracked well by providers and payers, which means that a stolen identity can last for months or years before it’s closed down.

Healthcare is lagging behind other industries not only in its hardware and software infrastructure, but also in the extent to which its executives care how exposed they are to a breach. Security experts note that senior executives in hospitals see security as a tactical, not a strategic, problem, and they don’t spend much time or money on it.

But this could be a deadly mistake. As Jeff Horne, vice president at cybersecurity firm Accuvant, noted to Reuters, “healthcare providers and hospitals are just some of the easiest networks to break into. When I’ve looked at hospitals, and when I’ve talked to other people inside of a breach, they are using very old legacy systems – Windows systems that are 10+ years old that have not seen a patch.”

As if that wasn’t enough, it’s been increasingly demonstrated that medical devices — from infusion pumps to MRIs — are also frighteningly vulnerable to cyber attacks. The vulnerabilities might not be found for months, and when they are, the hapless provider has to wait for the vendor to do the patching to stay in FDA compliance.

So far, even the biggest HIPAA breaches — notably the 4.5 million patient records stolen from hospital giant Community Health Systems — don’t seem to have generated much change. But the sad truth is that unless hospitals get their act together, focus senior executive attention on the issue, and spend enough money to fix the many vulnerabilities that exist, we’re likely to be at the forefront of a very ugly time indeed.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

9 Comments

  • Absolutely dead-on. Oddly, we find our smaller clients more focused on actual security, and hospitals tending to be happy with checking off the boxes. Good post.

  • Andrew,
    I read it too quickly and thought you were talking about my site. Although, I wondered how that was possible since I’ve had my images for years and someone would have certainly pointed it out. Then, I read your comment more slowly and saw you were referring to Matt. Woops! I hate when that happens.

  • What Matt said makes sense; merely checking off the boxes might mean technical compliance with HIPAA, but unless you have a real attitude for security, with staff, techs, execs and everyone else taking it seriously, you will have breaches. Someone told me that leaving patient folders in a holder on an exam room door to make it easy for the doctor to find them is ‘legal’. I don’t know if that’s true, but let’s assume it is. And that it’s amazingly easy in a quiet hallway to take a peek at someone else’s folder. Of course, if one had all patient data in a properly secured system, and if staff did a screen lock when walking away, then the ‘folder on the doorway’ would never happen and there would be no security weakness.

    BTW, I’m not aware of any HIPAA regs regarding ongoing use of Win XP, yet plenty of doctors’ offices (and I suspect hospitals) still use it even if their systems are internet connected. Poor security may or may not be a HIPAA violation.

    Ron

  • John, that makes sense. What doesn’t of course, is that any doctor or hospital would still be using it for patient data. Or go back to my paper folder on the door bit, which even if it is ‘acceptable’ under HIPAA, is IMHO immensely stupid and insecure.

    Ron
