Guest Column | August 9, 2016

Why HIPAA Compliance Does Not Equal Data Security

HIPAA Data Security

By Amit Kulkarni, Co-Founder of Cognetyx

Many healthcare organizations structure their cybersecurity efforts primarily around HIPAA compliance. Because the penalties for noncompliance are so stiff, the industry focuses on HIPAA and is lulled into compliance complacency: the erroneous belief that mere compliance inoculates them against every imaginable cyber threat. Unsurprisingly, healthcare has the dubious distinction of being the industry most likely to experience a data breach.

The most recent study on healthcare cybersecurity published by the Ponemon Institute found that nearly 90 percent of healthcare organizations, as well as 60 percent of their third-party business associates, experienced at least one data breach; 79 percent experienced two or more, and nearly half experienced more than three. HIPAA compliance is primarily about documentation, risk analysis, and procedures; its technical safeguards are written in general, technology-neutral terms rather than as specific controls. Because it offers only broad requirements, even full HIPAA compliance can leave an organization vulnerable to attack.

A Brookings Institution survey found that many information security experts feel HIPAA does not sufficiently address modern cybersecurity challenges, particularly in large organizations with sophisticated IT systems. The proliferation of EHRs, health information exchanges that let physicians share records, and mobile access to health data has created more access points for attackers than ever before, and the burgeoning Internet of Things (IoT) will create even more.

That HIPAA compliance alone does not equate to patient data protection is evidenced by the numerous healthcare breaches of the past few years. Not only is this situation unacceptable, it is unsustainable. The average cost of a single healthcare data breach exceeds $2 million, and medical identity theft is even more damaging to consumers than credit card or banking fraud.

A person’s identity consists of multiple pieces of information — a Social Security Number, past and current employers and addresses, even the individual’s medical history — which cannot simply be shut down like a credit card or bank account. Such information can be used to steal that individual’s identity or construct a new hybrid or synthetic identity combining real and fake information. The ramifications are life-altering, and the fallout may follow the victims around for the rest of their lives — not just the one or two years of identity theft protection health organizations often offer to consumers in the wake of a breach.

It is only a matter of time before the government enacts legislation beyond HIPAA that holds organizations responsible for the damages caused by identity theft stemming from medical data breaches, much as banks and credit card companies must absorb the cost of fraudulent charges. It is in the healthcare industry's best interest to take proactive measures now, before the government steps in.

Healthcare Data Security: Beyond HIPAA 

Healthcare organizations already train their employees on HIPAA compliance. This training needs to be part of a comprehensive, ongoing cybersecurity program that educates employees on data security best practices and threat awareness, including:

  • using strong, unique passwords and changing them promptly whenever compromise is suspected
  • securing login credentials (e.g., never keeping them on Post-It Notes stuck to computer screens)
  • never sharing login credentials with anyone
  • not logging into systems from unsecured networks or on unsecured devices
  • not removing hardware, such as laptops, tablets, and hard drives, from the building without authorization
  • never opening files from unknown sources
  • never transmitting sensitive data over unsecured networks
  • how to spot phishing emails

However, even these measures, far better than relying on HIPAA compliance alone, are insufficient. The Ponemon Institute report states that half of all data breaches are the result of employee or third-party mistakes. Even the best data security training program in the world cannot eliminate human error, nor will it address the threat of malicious insiders who actively seek ways around the rules. Technical safeguards are needed to provide an additional layer of protection against both mistakes and insider theft.

Credential misuse, including the misuse that caused the infamous Anthem breach, is usually detected when an alert employee notices that someone is accessing a part of the system they should not be, logging in from an unusual location, or otherwise using the credentials in an unusual manner. Unfortunately, having employees monitor networks for aberrant behavior around the clock is impractical and ineffective, especially in modern IT environments, where even a mid-sized organization can have hundreds of users and applications.

Organizations clearly need automated systems that continuously monitor the network, establish a baseline pattern of activity for each individual user, flag any deviation from that pattern, and then require additional authentication before allowing the aberrant action to proceed while simultaneously reporting it to the IT security team.
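As an added illustration of the baseline-and-deviation logic described in the two paragraphs above (this is example code written for this page, not code from the article or from Cognetyx), the Python below builds a per-user profile of usual access sites, record departments and hours of day from a constructed sample of EHR audit records, then screens new records against it. Any event outside the user's profile is tagged for step-up authentication plus an alert rather than being silently blocked. The log format, user names, site names and department names are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample audit log (hypothetical EHR access records, not real data).
# Fields: ISO timestamp | user | source site | patient-record department | action
BASELINE_LOG = """\
2016-07-01T08:05:00 jdoe clinic-a cardiology view
2016-07-01T09:40:00 jdoe clinic-a cardiology view
2016-07-05T14:10:00 jdoe clinic-a cardiology update
2016-07-06T10:22:00 jdoe clinic-b cardiology view
2016-07-01T22:15:00 nshift hospital-main emergency view
2016-07-02T23:50:00 nshift hospital-main emergency update
2016-07-03T01:30:00 nshift hospital-main emergency view
"""

# Constructed events to screen: one normal and one aberrant per user.
NEW_EVENTS = """\
2016-08-01T09:15:00 jdoe clinic-a cardiology view
2016-08-01T03:12:00 jdoe vpn-overseas oncology view
2016-08-02T00:40:00 nshift hospital-main emergency view
2016-08-02T11:05:00 nshift hospital-main billing view
"""


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from the baseline window."""
    sites: set = field(default_factory=set)
    departments: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # hours of day (0-23) seen in the baseline


def parse(log):
    """Yield (timestamp, user, site, department, action) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, user, site, dept, action = line.split()
        yield datetime.fromisoformat(ts), user, site, dept, action


def build_baseline(log):
    """Aggregate each user's observed sites, departments and hours into a Profile."""
    profiles = defaultdict(Profile)
    for ts, user, site, dept, _ in parse(log):
        p = profiles[user]
        p.sites.add(site)
        p.departments.add(dept)
        p.hours.add(ts.hour)
    return profiles


def in_usual_hours(hour, seen_hours, tolerance=1):
    """True if `hour` is within `tolerance` hours (wrapping at midnight) of any baseline hour."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance for h in seen_hours)


def evaluate(event, profiles):
    """Compare one event against its user's profile and decide what to do with it."""
    ts, user, site, dept, action = event
    p = profiles.get(user)
    if p is None:
        # No baseline at all: treat as a deviation rather than allowing by default.
        return {"user": user, "time": ts.isoformat(), "action": action,
                "deviations": ["no baseline for user"],
                "decision": "step_up_auth_and_alert"}
    deviations = []
    if site not in p.sites:
        deviations.append(f"unusual site {site}")
    if dept not in p.departments:
        deviations.append(f"unusual department {dept}")
    if not in_usual_hours(ts.hour, p.hours):
        deviations.append(f"unusual hour {ts.hour:02d}")
    # Any deviation: require additional authentication and report to the security team.
    decision = "allow" if not deviations else "step_up_auth_and_alert"
    return {"user": user, "time": ts.isoformat(), "action": action,
            "deviations": deviations, "decision": decision}


def screen(baseline_log, new_log):
    """Build profiles from the baseline window and return a decision for each new event."""
    profiles = build_baseline(baseline_log)
    return [evaluate(e, profiles) for e in parse(new_log)]


if __name__ == "__main__":
    for result in screen(BASELINE_LOG, NEW_EVENTS):
        print(result)
```

Two caveats a practitioner would add: the baseline window must itself be clean, because any attacker activity inside it becomes "normal", and exact set membership is the simplest possible model; production systems weight deviations, compare users to their peer group, and decay old observations. The decision flow, however, is the one the text calls for: a deviation triggers step-up authentication and a report, not a silent block that would interrupt patient care.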

User behavior analysis is not a new concept; financial institutions have employed it for years to combat credit card fraud. Until very recently, however, the technology was cumbersome, expensive, and not entirely effective. In the past five years, advances in data analysis, machine learning, and artificial intelligence have made behavior analysis relatively inexpensive, effective, and unobtrusive. Modern behavior analysis software runs in the background, keeping watch over an organization's network without impeding the delivery of patient care.

Compliance with HIPAA is only the starting point of healthcare data security. Modern healthcare organizations need to employ comprehensive cybersecurity that combines continuous employee training and a culture of security awareness with technical safeguards, especially user behavior analysis.

About The Author
Amit Kulkarni is CEO of Cognetyx, the world's first "Ambient Cognitive Cyber Surveillance" solution for safeguarding medical information. Cognetyx uses advanced machine-learning artificial intelligence to detect rogue users.