Back in the early 2000s, when the HIPAA Security Rule was just taking off, I recall my excitement over the potential business opportunities. I had just started working for myself and saw HIPAA’s information security requirements as a great way for me to grow my consulting business. HIPAA Security Rule “enforcement” came and went in 2005. Years passed and the number of healthcare-related security breaches grew.
Congress subsequently passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act) in 2009, which strengthened the original HIPAA Security Rule with new breach notification and enforcement requirements. In 2013, a new set of HIPAA rules called the Omnibus Rule was enacted to further strengthen the HIPAA and HITECH controls, including a requirement that all business associates and their subcontractors must follow the HIPAA/HITECH requirements, although, technically, the business associate requirements were already in force under the original Security Rule.
The Department of Health and Human Services (HHS) has also streamlined complaint submissions and is performing further audits in 2016. Yet known breaches keep occurring on what seems like a weekly basis.
One of the most fascinating healthcare-related security breaches making the headlines recently was the ransomware that held computer systems hostage at Hollywood Presbyterian Medical Center in Los Angeles. $17,000 in bitcoins later, the systems were able to be unlocked. So much for HIPAA compliance.
Why are breaches so successful against businesses in the healthcare industry?
Well, for one, it’s because that’s where the money is, so to speak. Sure, some criminal hackers may want to access private health records for fun and games, but the real value is in selling names, addresses, and Social Security numbers to facilitate identity theft. Criminal hackers also know that healthcare organizations, especially large hospitals and insurance companies as well as small physicians’ practices, are known for their lax information security. When you count the move toward electronic healthcare records and the Internet of Things-type medical devices found in more and more facilities, the security situation is only getting worse.
Here’s the problem with HIPAA compliance – you’re compliant up until the point of a security event.
Once an incident occurs, or a breach is confirmed, the true colors of a compliance program start to show. Based on my experience and the research that comes out each year in the Verizon Data Breach Investigations Report, among others, many organizations don’t even know that they’ve been breached. I suspect that HIPAA-related infractions are much more common than we assume them to be. In a world where a Notice of Privacy Practices equals HIPAA compliance in the minds of many, it’s no surprise that the healthcare industry still faces these challenges. Now that there is more focus on business associates and subcontractors – the largest portion of the industry – we will continue seeing more HIPAA violations and healthcare-related security breaches.
In the end, compliance really means nothing. It’s merely an intangible state of mind in the eyes of the beholder. We don’t need more regulations. The original HIPAA Security Rule was more than enough to prevent all of the known breaches and keep healthcare information in check. What we need is more discipline. A well-thought-out and well-managed information security program based on risks is the only viable way to address HIPAA over the long term.
About the author
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 27 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter, watch him on YouTube, and connect to him on LinkedIn.