I get it. It’s easy to use a checklist to make sure things are done. I see this all the time when hospitals are ensuring they have cybersecurity covered. In fact, I see HIPAA risk assessments as many hospitals’ complete strategy to cybersecurity.
The problem with this?
There are too many to count. But outside of maybe a forgotten point that HIPAA was enacted over 10 years ago (and cybercriminals are devising and updating their attacks day in and day out), one of the biggest errors in approaching security from the standpoint of implement policies and then get the security in line to fit it is that policies approached this way don’t take into account how technology has been changing, how our behaviors and uses for technology have changed and certainly how our hospital’s risks have changed over time.
When hospitals devise their security plans, the majority look at HIPAA security policies and procedures and then follow suit in trying to fit technology fixes and behavioral changes to fit to those procedures.
BUT, the problem with this approach is that it breaks.
Even the Department of Health and Human Services (HHS) has recently realized that hospitals must change the way they approach security to make it common-sense, scalable and more actionable. Their latest recommendations break the mold of HIPAA compliance checklist standards into a more practical methodology for security.
The biggest recommendation from what HHS has recently communicated is that we need to change/ reverse the way hospitals approach security. They recommend that we turn from creating policies and procedures to first identifying threats and a strategy and only at the very end devise policies that fit those strategies.
You see, threats against healthcare organizations—and especially hospitals—have been growing for the past several years. Ransomware attacks, loss and theft of data and devices, phishing emails and threats against the growing number of internet-enabled medical devices requires consistent review and change of how we as healthcare security experts protect patient data.
I know it’s hard to break that habit of creating our policies first and then implementing them. But what we’ve learned (and I’m sure you have too) is that instead of creating less informed policies based on old data, we need to first understand the nature of our new problems—our new threats and vulnerabilities—and create sustainable and agile policies that accommodate what we now recognize as an ever changing threat landscape targeted squarely at us (rural healthcare).
If you don’t get anything else out of this discussion, I hope you start to think about one thing: HIPAA having HIPAA policies in place at your facility does NOT mean you are following them.
Based on hundreds of assessments we’ve done over the past year on hospitals that either have had attacks breach their networks or those worried about their cybersecurity as a growing threat to the sustainability of their hospitals and clinics, we’ve unrooted countless instances where policies were not being followed or were completely disregarded.
One of the biggest reasons for a disregard of HIPAA policies?
People weren’t involved in the equation. Technology was mandated. And so were uses of that technology. BUT many of the hospitals we’ve visited did not have consistent processes in place to make sure those policies were being implemented correctly.
Even on the technical side, keeping machines patched and up to date. Making sure users had the right amount of access to your network—and weren’t giving away the keys to your network with weak passwords, unchanged passwords, or too high of privileges. I could go on and on with hundreds of unique ways in which IT teams overlooked policies and how users didn’t understand how policies meant to protect them actually fit into their roles.
These hospitals didn’t understand how their lack of sound policies was a result of not having sound security strategies. They know one thing for sure: the world had been changing and they weren’t sure whether their security had caught up to the attacks they heard in the news nearly weekly.
And administrators have told me that they simply assumed that if there’s a policy, it’s being followed. But the problem is, none of them had the time or the resources to really dig into checking up whether security was actually being done in a way that actually protected anything.
Having evaluated everything starting from passwords—yes, your hospital has a policy (I’m pretty sure of that). But every time we look at your policy—which is very likely approved by HIPAA—and then look at the network (actually look at tens’ of different ways cybercriminals right now are hacking into hospital systems), we see they don’t match. In over 99.9% of password evaluations, there are dozens of vulnerabilities—weak or default passwords a hacker could easily breach. Passwords unchanged for 15 years. Users that don’t even work at the hospital anymore, but still with active accounts.
Let me assure you, I see your policies. I see that they require patches and updates applied to EVERY computer and server. I see policies require updated antivirus protection for every device. I see your policy of backups and encryptions.
But when I look on your network, guess what I see?
NONE of them done (or at least none of them COMPLETELY done). Even if your IT team is able to get around to doing some of the work some of the time, you can bet your dollar that criminals will invest all their time and energy to find the holes in your network—the things that either someone had ‘meant’ to get around to, but had too much other work or didn’t have the training to really configure that piece of security quite right.
And I’m not blaming your IT Director or your IT teams. I’ve lived in those shoes. I know that story. They come into work often early. The very first thing that happens when they walk into the door—someone has a problem. Once the hospital knows that your IT Director is in, guess what? Everyone has an emergency.
Even if he or she intended on getting to those security patches, removing a terminated employee from your active directory, or even doing a little research on how to better configure your firewall or make sure your vendors are being honest about actually doing work (many vendors sing a song, but normally are quick to make excuses).
I can’t blame these hardworking people! BUT, I CAN point out that they’re dealt a really hard hand in maintaining and watching over a hospital—which has a TON of valuable data to criminals.
And I CAN imagine that not all of your security (or even much of it) is the way it should be because I’ve seen all sorts of scenarios with my own two eyes.
My question to you: do you know if your network is secure? It may be compliant—I don’t care about compliance here. What I’m worried about is it secure?
Contact Us for a free hospital ransomware vulnerability assessment to start coming up with a new actionable strategy to address your security risks.
