Security a business priority for providers, not just a compliance concern
For nearly a dozen years, the healthcare industry has equated HIPAA compliance with security readiness.
This year, that linkage has been shown to be false. The risk of ransomware has brought that message home, says Brian Selfridge, a partner at Meditology Services, an IT risk management and health IT consulting firm.
Since enforcement of HIPAA privacy and security rules began last decade, providers’ focus has been on being compliant with the regulations, he says. But those regulations didn’t anticipate ransomware and many other threats to protected health information that providers confront today.
As a result, providers would be well-served to stop thinking HIPAA is a check-the-box exercise, Selfridge contends.
Hackers know they can make money with medical information by stealing patient identity data and reselling it on the black market. “You can’t look at this as a compliance program but as a business problem and a patient safety and effectiveness of care problem,” he adds.
Providers must plan how to better protect patient information if there is a breach—just sending out patient notification letters and offering credit/identity protection services is insufficient.
One new trend is that criminals are looking for narcotics and identifying patients that have lots of medications, then getting the prescriptions off provider information systems and selling them on the black market. Healthcare systems may not even know the prescriptions were hijacked and are being re-used, Selfridge warns.
Medical devices represent another serious safety threat to patients that the HIPAA rules did not anticipate. While providers are worrying about regulatory compliance, the threat is growing that hackers might be locking medical devices with ransomware inside the hospital or a patient’s home or body, creating a large patient safety concern, Selfridge believes.
On the one hand, providers understand the cyber treat today more than ever before, he adds. “Healthcare executives and boards get it, but they have to get the work done with financial constraints. The struggle is to reach the next step of cyber security without breaking the budget,” Selfridge says.
Many providers hope to increase security by moving from legacy information systems to cloud-based hosting of protected health information, which can usher in a new round of safety and security issues. Some providers have a perception that they buy a cloud and the vendor operates it, but the vendor might only be responsible for certain tasks such as a secure data center, handling of the network, firewalls and disaster recovery.
Consequently, providers should not assume a vendor will handle all aspects of the cloud platform and develop contract language that clearly specifies obligations by both provider and vendor, while ensuring the provider remains in control of its cloud.
These provisions should include the right to get data back if not satisfied with the cloud, ensuring that the organization’s privacy principles are being applied by the vendor, making clear which entity updates information and patches systems, knowing which subcontractors of a vendor are responsible for which types of data, and establishing clear vendor service level expectations in the event of data breach.
If a cloud is breached, however, everyone is responsible, Selfridge cautions. “You still have the blowback if a cloud vendor has a breach. Handing everything over to the vendor and saying, ‘this is yours,’ is a short-sighted perspective.”
More information is available in a white paper from Meditology.