
Are HIPAA Checklists Hurting Your Hospital Cybersecurity?


This week, I spoke at a regional health information security conference with an underlying message that HIPAA is NOT keeping hospitals as safe as we’d like to believe. At first glance, my title, “HIPAA Does NOT Secure,” raised a few eyebrows in the crowd of information specialists and security officers.

But after a few minutes of explaining the title, the room was full of nodding heads—so much so that at one moment I thought I had been transported to a bobblehead convention. (Most information security specialists are critical of talks—rightfully so—because their jobs demand close inspection and evaluation of problems before moving toward implementation.) In the case of my message, the majority agreed that HIPAA is giving hospitals a false sense of security: they believe their networks are secure when the reality is that they are not.

Now don’t get me wrong! I love checklists. In fact, I strongly encourage them.

Atul Gawande’s The Checklist Manifesto is one of my favorite books. Checklists DO have their place in hospitals, in medicine, and, I’d strongly argue, in information technology and security. But checklists are not the end-all, be-all of security.

The problem with most healthcare information security products, assessments, and audits to date is that the majority rely completely on a checklist. They give no context about your specific hospital, do not consider user behavior, and do not examine your network environment before reaching a conclusion on (1) whether your hospital is safe and (2) what you should do to improve your information security and avoid ransomware attacks.

The crowd at the security conference was acutely aware that no single checklist was going to keep every user and every piece of protected data secure, because the checklist did not consider their very unique circumstances and did not even consider how to improve their operational challenges—some of which may be the root causes of security issues at their hospital.

Many times the HIPAA checklists identify symptoms of more systemic problems that are never addressed. And the frightening part (if you were at the talk, you already know the nitty-gritty details of this) is that many of the folks we’ve had to perform ransomware recovery or mitigation for actually presented me with checklist HIPAA audits that they had passed with flying colors!

My first warning sign that HIPAA security was flawed and that hospitals were approaching HIPAA all wrong came in 2017, when prospective clients came to me concerned that their networks had been breached even though an IT security company (a third-party group) had given them a passing grade on their HIPAA security. When I saw all the checks in the boxes, I realized that while checklists are great (and I encourage my team to use them to remember tasks), checklists are only as good as the planning and strategy used to put them together.

While politicians and government officials may very well be concerned with hospital security and may have had expert contractors help devise HIPAA legislation, the problem remains that they do not intimately know your hospital’s issues. While some may understand healthcare to one extent or another, they most certainly do NOT understand rural healthcare (because anyone with expertise in rural healthcare or rural hospitals is in fact still working in their rural health systems, aiming to make care in their areas accessible to their communities).

When I concluded my hour-long talk to IT security officers who represented hospitals, clinics, and university systems across the region, there was definitely concern looming in the room. “What can we do with all of these audits and assessments we’ve done?” was the big question murmuring through the lecture hall after I had finished presenting.

There is no quick-fix, easy answer to hospital security. The big takeaway from my years of EHR implementations, security briefings, ransomware mitigation, and forensic work is this: context is everything in security.

If your security team doesn’t understand how your hospital operates, if they are clueless about what your big initiatives are or who your VIPs are, if they don’t observe how your users are moving data around, connecting to the Internet, or what motivates them to improve patient data safety, they are completely missing the mark.

I’ve sat through countless HIPAA-HITECH security audits from our company (and those of vendors) and have come to the cold conclusion that not a single HIPAA audit got security right. Some focused on security theater—making folks feel like they’re safe by protecting their physical buildings. If you’re spending a big chunk of your IT budget on activities aimed at testing whether your staff will give strangers access to your physical building, when was the last time you heard of a big data breach caused by someone physically getting access to your computers?

Companies are selling hospitals—but especially rural hospitals and healthcare systems—security packages that don’t make much sense strategically. With shrinking budgets and fewer funding opportunities in rural health, why dedicate your limited budget to the risks that are least likely to cause problems?

Are you sure your IT security is keeping your rural hospital secure? Are you spending your IT security budget strategically on areas that will actually prevent ransomware attacks? Consider thinking outside the box on your HIPAA security with a free ransomware vulnerability assessment.