Compliance is king, but that's not how it should be. Since the introduction of HIPAA in 1996, the healthcare field has centered data privacy and security efforts around compliance. If all the boxes were checked and organizations received a passing compliance report, everything was "all good."
The problem is, this led healthcare organizations to the false belief that as long as they're compliant with the HIPAA rules, their systems are secure. Unfortunately, as we generally know today, that's not true. This perspective can be problematic in any field, but it's especially damaging in the healthcare industry. Here's why:
The HIPAA Security Rule became mandatory for use by providers, payers, and clearinghouses in 2005, and even with the additional features of the HITECH Act and the more recent HIPAA Omnibus Rule, the actual HIPAA requirements around security have not changed much. For perspective, the first iPhone wasn't released until 2007. If companies are basing their security posture on a framework that's 13 years old, it shouldn't be a surprise that those organizations ... while compliant ... might not be secure.
"It's time now to really begin to pay more attention to our security programs holistically instead of being so compliance-focused," said Mark Johnson, shareholder at LBMC and leader of the healthcare security practice.
Mark Johnson
Johnson underscored the fact that companies shouldn't ignore compliance wholesale but should focus their efforts on the threats their organizations are truly facing -- not the checkboxes that come with a HIPAA audit. But, as many are already aware, this is certainly easier said than done for many organizations.
"Security is one of those things that you're never done with. It's not a project that you can say, 'Okay, we've reviewed our security plans and procedures, and we've implemented this technology, and we're good," noted Johnson.
Beyond that, it also can be difficult to get a board to see the importance of cybersecurity, because there's no clear ROI. However, according to Johnson, boards are asking the wrong questions if they're looking for the ROI on information security.
Johnson said he believes organizations need to stop asking, "What's the return on our investments in our cybersecurity efforts?" and start asking, "How much are we avoiding losing with our cybersecurity efforts?"
This is especially true as healthcare reimbursement systems trend toward outcome-based reimbursement, meaning quality of care, patient satisfaction, readmission rates, and other metrics are playing a larger role into how providers are reimbursed. In these circumstances, with healthcare's ever increasing reliance on technology to deliver, monitor, and document care, systems availability and data integrity are more important than ever to bottom lines in the healthcare ecosystem. Information security, in this context, goes well beyond the historical focus on maintaining confidentiality to protect patient privacy.
So, what can be done? How should a healthcare company responsibly handle information security?
It starts with a change in mindset.
Compliance can no longer be king. Instead, healthcare companies must adopt information security as their new ruling principle. As a benefit, aiming for security will likely lead to compliance, whereas the opposite is not always true, as discussed above.
Regardless of the level of sophistication, most (if not all) information security programs start at the same place - awareness. Organizations must know what their threats are. They must know where their assets are, and they must also know the vulnerabilities associated with those assets. After that, they should develop a plan to close those vulnerabilities and educate users on threats.
The problem is that developing and maintaining a robust information security program requires vigilance, and, per Johnson, "Most small and medium-sized organizations just don't have the resources to do that internally." Because of this, Johnson added, "We've seen an increase in people thinking about outsourcing cybersecurity now."
If considering this avenue, it's important to be aware that outsourcing IT is not the same as outsourcing cybersecurity. While an outsourced IT team (commonly referred to as an MSP - managed service provider) typically makes sure systems are running appropriately and that they're patched regularly, they might not be contracted ... or have the expertise and experience ... to monitor those systems or ensure their security in an ongoing manner.
If looking for that level of service, consider an MSSP (managed security services provider). These types of vendors focus on security and can provide a higher level of assurance for information security programs.
"Many organizations are doing better work around security now than they used to, but there's still a lot of room for improvement," said Johnson.
When looking for a place to start improving company-wide awareness of the security program, a risk assessment is the perfect starting point. It will help identify some of the most important items mentioned above (i.e. threats, assets and vulnerabilities). Beyond that, it will help in the development of an action plan to address those risks and better secure all data.
Effective risk assessments are based on strong methodologies, like NIST, FAIR, or OCTAVE. But, even with these methodologies, the process can be complicated. So, what answers should directors and owners of healthcare businesses be seeking related to their organization's security? Here are few suggestions:
- Who in the organization is actually tasked with making sure our systems are secure and that we are complying with the relevant regulatory requirements? If you can't name the individual or organization with this responsibility, that should be remedied. If it's not being actively managed, it's probably not being done.
- Do we know at all times where protected data "lives" in our organization? If there is any hesitation in answering this question, it probably points to a problem with asset management. The issue here is, if we don't know which systems hold our crown jewels, there is a chance some of those systems are going unprotected --and, by the way, it also means you are not compliant with HIPAA.
- Have we done a risk assessment in the last 12 months that considers the nature of our organization, the things that can go wrong, and what we are doing about those things? If you are only checking the box on the HIPAA security rule requirements, you probably haven't done a risk assessment that will be truly beneficial. For example, how are we prepared for something like ransomware? How are we protecting ourselves, and what will we do if we fall victim?
- How are we doing with keeping our systems and the applications that run on them updated with the latest patches to keep them from being successfully attacked? This is a critical function that often goes undone if no one is minding the store. A vulnerability management program is absolutely key to protecting your systems.
- How easy would it be for someone to break in to our systems from the outside or from the inside through social engineering activities like phishing? This is where it can pay to contract with an experienced company for a penetration test. It's much better and less expensive for you to proactively discover those holes in your defenses than learn about them after a data breach that potentially leads to investigations or fines and penalties.
- How are we monitoring our systems on a daily basis to ensure we catch bad actors before they can do serious damage? This is very hard for smaller organizations, as the bad guys never sleep. This is a perfect example of something many healthcare companies are choosing to outsource to firms who can provide around-the-clock vigilance.
This is, by no means, an exhaustive description of everything healthcare companies and practices need to consider about their security program. Other topics include policies, disaster recovery, incident response, awareness and training, along with numerous other important facets. However, seeking answers to the questions above is a fantastic starting place.
Then, the first step towards improvement must be a change in mindset. It's time for healthcare companies to aim for security and accomplish compliance along the way, instead of the other way around.
Mark Fulford, CISSP, CISA, CCSFP, HITRUST, is an LBMC shareholder in the Risk Services Division with nearly 25 years of experience in information technology, audit and security. LBMC Information Security's team includes a diverse group of experienced professionals that help healthcare companies protect their systems and meet compliance obligations. LBMC is also the creator of the BALLAST automated risk management application, used by hundreds of organizations to identify, track, and remediate security risks. For more information, email mfulford@lbmc.com or go online to lbmcinformationsecurity.com.
WEB LINKS ONLINE: