Confusing HIPAA Compliance With Security

Posted on October 2, 2014 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Most people  who read this publication know that while HIPAA compliance is necessary, it’s not sufficient to protect your data. Too many healthcare leaders, especially in hospitals, seem satisfied with the song and dance their cloud vendor gave them, or the business associate that promises on a stack of Bibles that it’s in compliance.

I was reminded of this just the other day when Reuters came out with some shocking statistics. One particularly discomforting stat it reported was the fact that medical data is now worth 10 times more than your credit card number on the black market (even if John has argued otherwise). Why? Well, among other things, because medical identity theft isn’t tracked well by providers and payers, which means that a stolen identity can last for months or years before it’s closed down.

Healthcare is not only lagging behind other industries in terms of its hardware and software infrastructure, but the extent to which its executives give a care as to how exposed they are to a breach. Security experts note that senior executives in hospitals see security as a tactical, not a strategic problem, and they don’t spend much time or money on it.

But this could be a deadly mistake. As Jeff Horne, vice president at cybersecurity firm Accuvant, noted to Reuters, “healthcare providers and hospitals are just some of the easiest networks to break into. When I’ve looked at hospitals, and when I’ve talked to other people inside of a breach, they are using very old legacy systems – Windows systems that are 10+ years old that have not seen a patch.”

As if that wasn’t enough, it’s been increasingly demonstrated that medical devices — from infusion pumps to MRIs — are also frighteningly vulnerable to cyber attacks. The vulnerabilities might not be found for months, and when they are, the hapless provider has to wait for the vendor to do the patching to stay in FDA compliance.

So far, even the biggest HIPAA breaches — notably the 4.5 million patient records stolen from hospital giant Community Health Systems — don’t seem to have generated much change. But the sad truth is that unless hospitals get their act together, focused senior executive attention on the issue, and spend enough money to fix the many vulnerabilities that exist, we’re likely to be at the forefront of a very ugly time indeed.