By Stephen Cobb, Senior Security Researcher, ESET
Utter the acronym HIPAA to people in the medical profession and you will get a variety of facial responses, none of which have been, in my experience, a smile of contentment. Indeed, HIPAA’s privacy and security rules are often grumbled about as being burdensome and restrictive. The rules are increasingly criticized as ineffective these days and people are asking: How can an entity be HIPAA compliant and still suffer a breach of protected health information?
A medical approach to answering that question might be to think about infection prevention and control. Infection control protocols exist to prevent the spread of infectious diseases. However, it is not unheard of for a patient to get infected at a hospital or clinic that has such protocols in place. The reasons for such anomalies include lapses in conformance to the protocol and inappropriate protocol relative to potential infection vectors.
Such language maps closely to the demands of healthcare data protection, which could be described as the prevention and control of unauthorized access to protected health information. Clearly there is a need for healthcare organizations and their employees to fully comply with “policies and procedures that are appropriate to the threats.” Getting people to comply requires organizational commitment from the top down, backed by the adequate equipping and educating of staff at all levels.
But what if those policies and procedures are not appropriate to the threats? What if the infection vectors are different from those you trained to defend against or the threat agent more virulent than you supposed? In my assessment, that’s where a lot of health data security breaches occur, in that gap between established practices and emerging threats. Indeed, the difference between being “HIPAA compliant” and “secure” often comes down to underestimating threats.
As Community Health discovered to its cost this year, some threats are relatively advanced. By now, every part of the healthcare system should know that its systems hold the same kind of data – patient names, addresses, birth dates, telephone numbers and Social Security numbers – that was stolen from Community Health. That data is very attractive to criminals, whether they operate here in America or on the other side of the planet.
Anyone assessing risks to healthcare IT systems needs to know that, just as doctors and nurses go to work every day to help people, there are some folks who go to work every day to steal the data in those systems. Right now you can do that from somewhere like Russia with very little risk of being caught or punished because you can sell that stolen identity information on the black market. Who buys it? A different kind of criminal, closer to home, prepared to take a chance on identity theft.
For example, a crook who buys the type of data that was stolen from Community Health can use it to file fake tax returns that fraudulently claim refunds. That explains why, last April, scores of medical professionals were unable to file their returns: somebody else had already done it for them. And this is not a rare occurrence. In 2013, the IRS estimated there was about $29.4 billion in attempted identity theft (IDT) refund fraud. The good news is that $24.2 billion was prevented or recovered. The bad news is that $5.2 billion went to criminals, causing all kinds of trouble for the hundreds of thousands of people who didn’t get the refund they expected, some for as long as nine months after they filed.
In other words, when we talk about “IT security policies and procedures that are appropriate to the threats” we need to be cognizant that one of those threats is a multi-billion-dollar crime scheme that may be initiated from afar but is ultimately cashed out very close to home. Of course, hackers on the prowl for data to steal for use in identity theft are just one of the threats that need to be taken into account as you develop appropriate IT defenses. However, if you are realistic about the nature of today's threats and address them with a goal of strong protection rather than mere compliance, you will create a much more resilient organization, one that is not only well-defended, but also defensible, should it ever come under scrutiny.
About the author
Stephen Cobb has been researching information assurance and data privacy for more than 20 years, advising some of the world's largest companies on information security strategy. A Certified Information System Security Professional since 1996, Stephen is based in San Diego as part of the ESET global research team.