Healthcare Data Breaches In The Age Of HIPAA — A Chronic Or An Acute Condition?
By Adam Stern, founder, Infinitely Virtual
A recent study by the law firm Baker Hostetler revealed more healthcare data breaches occurred in 2015 than any other type of data security event. The report agrees with previous analyses indicating healthcare is consistently one of the industries most affected by privacy and security violations.
Violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are especially difficult to detect and potentially calamitous because of that difficulty. If a single Social Security number leaves a healthcare provider’s facility, the loss can be catastrophic to the holder of that Social Security number. Almost by definition, data losses by smaller providers don’t hit the radar, or the headlines, but that doesn’t diminish their power to do real damage. In the case of that Social Security breach, every patient that provider serves is a victim as well. And smaller organizations have both a harder time being secure and being aware of their security situation.
It’s generally smart to install Data Loss Prevention (DLP), the standard software methodology to determine if a breach has occurred, but DLP isn’t a panacea and can monitor only so much. While DLP may make life easier, it’s certainly not required of HIPAA compliance.
While DLP software deployment is essentially a minimalist approach, that doesn’t make it any less necessary. But other risks abound and, without being alarmist, are actually becoming more acute. Distributed Denial of Service (DDoS) attacks are insidious and by no means limited to larger, more visible healthcare institutions.
Given the rising threat of malevolent actors subjecting hospitals and other enterprises to ransom demands and the sheer frequency of DDoS incidents, organizations need to up the ante in terms of how they regard security as well as how they anticipate and respond to the risk of business interruption online. Savvy hosting providers are implementing DDoS attack protection for their healthcare clients across the board. As the security environment changes, so should every organization’s response to that environment.
The perp in this case is the massive volumetric attack. These types of attacks represent something new and especially troubling, and no single firewall can stop them. According to industry analysts, volumetric attacks rank as the most common type of DDoS incident, accounting for an estimated 65 percent of the total reported.
What makes these volumetric attacks special? Consider that a front-line hosting company typically supports multiple one gig per second interfaces to the Internet. When someone begins a volumetric attack, they’re likely to send 800 gigs per second through a pipe that simply can’t accept anywhere near that much data.
New, state of the art volumetric attack protection provides real-time DDoS mitigation through automatic analysis of DDoS alerts and deployment of routing commands to ensure that immediate action is taken when legitimate DDoS attacks are detected — all without any human intervention. Volumetric attack protection is precisely the kind of proactive step that HIPAA-compliant providers need to take on behalf of their healthcare clients.
Every upstream provider that handles data needs to sign a business associate agreement (BAA) in order to be in the HIPAA food chain. A BAA under HIPAA is a sort of promissory note that the IT provider will adhere to the HIPAA law. But a BAA doesn’t compel compliance or insulate providers from liability or responsibility — that’s why healthcare providers looking for IT support need to exercise extraordinary due diligence. As of right now, there’s a persistent lack of clarity around HIPAA, and nothing has been tested in court. The fact is, HIPAA compliance comes with disturbingly few obligations. Perhaps owing to whatever legislative sausage-making gave birth to the law, HIPAA offers no guidance on how to follow it.
That said, healthcare providers are still subject to the full extent of the HIPAA law. The prudent strategy is to partner with a technology vendor the healthcare provider can validate as fully engaged in HIPAA protocols. HIPAA compliance should be regarded as a responsibility and an opportunity — not a burden.