May 17, 2017
With the massive WannaCry global cyberattack — and hospitals a focal point — the dire warnings of security experts are now an extraordinary reality. Hours after infecting one European computer, WannaCry captured entire networks throughout 50 countries including the British healthcare system. Days after a temporary fix, over 150 countries are still experiencing system locks by criminals demanding money. American hospitals have not been major victims thus far. Do hospital leaders think HIPAA compliance has provided a dike against the tide? Think again… HIPAA is not security. If we continue to hope compliance is enough to protect our hospitals, we are likely to become the next victims of a super-ransomware attack. HIPAA security compliance was supposed to enable capable protection. But no. Why doesn’t compliance represent the security hospitals need against major cyber attacks?
It seems counterintuitive. Hospitals have worked to be HIPAA compliant, including meeting HIPAA’s security rules, for over a decade. It’s been expensive, and hospitals have improved their security. But until recently, the fact is that hospitals were lulled into emphasizing protections against basic risks like stolen laptops, improper data disposal or lack of encryption, as these caused most data breaches. The last three years have changed everything; the risks of computer hacking and intrusion grew sharp claws, as cybercrime became a painful reality in our industry. The reason? Money. Our patients’ and hospital employees’ personal information is very valuable in the backrooms of criminal data buying and selling — and hospital security compliance measures have been anything but bulletproof.
Even the most diligent HIPAA compliance does not equate to adequate security against sophisticated cyber intrusions. The difference is that security is the application of protections and management of risk posed by technology changes and cyber threats in real time. As a peer-reviewed 2016 report in Science Translational Medicine explains: “Compliance is typically a top-down mandate based on federal guidelines or law, whereas security is often managed bottom-up. Compliance processes typically revolve around documentation, whereas security processes are embedded within the technology life cycle as systems are acquired, used, and discarded. Regulations and standards are typically updated and assessed on an annual basis, whereas the landscape of security threats and necessary protections changes so rapidly that security controls often must be updated daily, and even hourly.”
In other words, HIPAA security in many hospitals is not cops-and-robbers diligence: data-driven and risk-focused daily data security management. These organizations’ technology infrastructures have been supported fully or partially by compliance-driven backbones, basic security protections and confidence in their historical luck of the draw, e.g. no major past breaches. Typically, maintaining systems and data security has been one of many jobs of one IT staff member, and that job often takes a back seat to other concerns, particularly in smaller hospitals or organizations on a tight budget. For such compliance-driven cultures, the last three years of extensive criminal data intrusions and, now, WannaCry, should be a wake-up blast. Every hospital needs dedicated IT security cops to fight robbers that are becoming ever more aggressive and sophisticated.
Robust data security in any hospital must recognize that hospital operations are highly information-intensive and simultaneously subject to strong human involvement (doctors, nurses, etc.), making the creation of strong security more challenging than in other sectors. It is also expensive and requires specialized expertise, issues that pose severe challenges for many hospitals. Some of these issues can be resolved by exploring inexpensive but effective cybercrime-protection measures. These may not be enough. Another option for organizations is carefully choosing external security partners or outsourcing IT to a professional outsourcing firm that includes cyber-security services (and other specialty support). Because these companies can leverage their expertise across more than one client, their services can reduce hospital IT security and management expenses.
As you ponder next steps, we have pulled together some quick but strong recommendations from our chief security expert for immediately upgrading hospital data security, and especially to provide better protection against a ransomware attack. Stay tuned to your email next week, when we will offer a full outline in Part 2 of this special security blog series.