The HIPAA security rule recently passed the 20 year mark. Has security changed much in that time?
The cyber landscape has evolved considerably in the past two decades. Times certainly have changed! When the rule came out, for example, we didn’t use mobile phones in the same way we do today. Texting was not mainstream. And clouds were simply white puffy things floating in the sky (certainly not a place to store data!).
20 years? If we have to split hairs, the final security rule wasn’t introduced until 2003.
While the final security rule wasn’t finalized until February of 2003, it was first proposed in August 1998 with the intent to keep health records secure and accessible. But that initial draft proposal (and the finalized version) both miss the mark when it comes to some of the threats healthcare faces today.
As we revisit HIPAA today, most cybersecurity experts believe that we have to approach the legislation in a slightly different context from when it was first written. That is, it has to accommodate the rapid progression of technology in healthcare and its implications for privacy and security.
Don’t get me wrong—much of HIPAA’s security rule is completely relevant to any technology, whether created today in 2018 or back in the late 90’s. But the strategies aimed at keeping healthcare organizations safe over time assuredly have changed (Note: if you’re not sure whether your strategy has kept up with technology, most experts recommend getting a third-party network security assessment to make sure all of your bases are covered).
Should we revise the rule?
With the 20th birthday of HIPAA recently passed, many gurus in the cybersecurity arena have been questioning whether HHS should revise, or at least provide better guidance on, their 20-year-old advice.
Some of the components of HIPAA remain virtually unchanged, such as the guidelines relating to physical controls and some of the administrative controls for safeguarding protected health information (PHI). But given the technological advances in network penetration, monitoring and the Internet of Things (IoT), some health IT security experts are wondering whether HIPAA compliance alone is keeping healthcare satisfactorily safe.
Bottom line: a LOT has changed in technology (especially in healthcare) in the last 20 years, warranting at least a review of how to best implement modern security strategies to address growing security concerns.
How does the security rule still apply to contemporary cyber threats?
The HIPAA security rule continues to foster a culture throughout healthcare focused on compliance. Compliance is essentially an evidence-based approach to ensuring that security concerns are addressed. From the security standards (outlined in HIPAA-HITECH) come policies and procedures that spell out specifically how each concern is being addressed. Most organizations do have policies and procedures specifically crafted around HIPAA-based security and privacy standards.
But as far as I’m concerned, no hacker has turned away from a set of policies and procedures. On the contrary, they find ways through policies and procedures to exploit your network. Even well-written policies are no sure-fire defense against a hacker.
A few areas to consider about your network security that might not be obvious from HIPAA legislation?
Keeping business associates secure—one area that many healthcare organizations fail to address is how their healthcare partners (i.e., their business associates) are protecting patient records. Moving beyond compliance strategies that focus simply on your own organization, and expanding them to cover how other organizations and vendors protect your patients’ records, is critical in establishing a community focused on securing sensitive information.
Making sure the right technology is in place—more often than I’d like to admit, when our team performs a network security assessment in healthcare, there are big gaps in technology that could nearly eliminate the likelihood of your network getting infected with a ransomware virus or having a data breach. The problem is that many healthcare organizations—especially in the non-profit arena—haven’t optimized their technology stacks to address cybersecurity concerns (rather, opting for minimal compliance assurance which currently doesn’t do enough to protect from criminal cyberattacks).
Evaluating what your team is doing on the network—while most users have no malicious intent when it comes to data breaches and attacks, many leave the door wide open to attacks nonetheless. Since HIPAA compliance does not fully address how user behavior interacts with current security vulnerabilities (e.g., phishing attacks), many organizations are left with gaping holes in their security strategies.
A few ways in which HIPAA could be improved going forward?
If HIPAA were to adopt the National Institute of Standards and Technology’s (NIST) cybersecurity guidelines as a framework, many security experts believe healthcare security would be more comprehensive and would stay updated as technology changes. Here are a few reasons why HIPAA may need a facelift in the next few years.
New types of sensitive information—as vendors access more personal information relating to patients, a reevaluation of what exactly is sensitive data (as defined by HIPAA) may be needed.
Lacking performance-based measures—many of the standards outlined in HIPAA are not associated with any kind of performance metrics to help healthcare organizations keep up with security. Likewise, HIPAA currently has insufficient ways in which organizations can take corrective actions to reach a desired state of security for their sensitive data.
A false sense of security—with the current standards 20 years old, HIPAA security is not keeping up with recent cyber threats. This makes healthcare especially vulnerable to targeted attacks.
Are you sure your HIPAA security is actually keeping your organization safe? Contact us TODAY for a free network security assessment.