- The HIPAA Security Rule created a national set of security standards designed to protect certain health information, either held or transferred in electronic form. However, technology has continued to evolve, and one healthcare security expert claims that a complete reboot of the Security Rule might be necessary to ensure the protection of sensitive healthcare data.
CynergisTek, Inc. co-founder and CEO Mac McMillan spoke with HealthITSecurity.com at HIMSS last week about the Security Rule, recent data breaches, and what healthcare organizations need to be prepared for in 2015.
McMillan, who is also the Chair of the HIMSS Privacy & Security Policy Task Force, said that one of the big issues currently is vendor security management, and firms ensuring they have a strong grip on their vendors. It is also important for facilities to ensure that they have a handle on mobile devices, as well as the proliferation of devices between mobile, wearables, and other new technologies.
“If you’re a CIO today, you’ve got stuff coming to you from every direction,” McMillan said. “Everybody’s got a gadget, everybody has something they want to put on the network, and literally everything they have goes on the network or communicates with the network. And security and privacy are not always first and foremost in the developer’s mind when they’re developing the next greatest thing for some clinical purpose.”
Because of that, CIOs need to ensure that they implement things in a smart way, and stay ahead of the latest trends or they will be playing catch up instead.
Healthcare security, data breach prevention measures
Encrypting mobile media and mobile devices is also becoming more common, which McMillan says is definitely progress.
“More people are figuring out that if they’re going to let data go out there, they need to do a better job protecting that information,” he said.
More covered entities are also conducting risk assessments and takin the time to understand where their risk actually lies, McMillan added, which is a positive thing because “knowledge goes a long way.”
“We’re seeing more and more people begin to test their environments, which is also good,” McMillan said. “That means actually performing technical testing of their controls in the environment.”
Moreover, outsourcing security is also becoming more common. Facilities are becoming more aware of what privacy and security measures they’re capable of doing well, and also which measures they’re not capable of doing well, he said. Healthcare organization leaders realize that potentially solving certain security problems is not something they can always do on their own.
The push toward interoperability
There has been a large push recently toward interoperability, and the Office of the National Coordinator (ONC) also released an updated privacy and security guide on how covered entities can properly integrate the right privacy and security measures.
In general, McMillan said that he does not believe that security is an impediment for covered entities when it comes to information sharing. However, he added that it could be an issue in certain cases. For example, if a facility does not feel that another organization has security at a level that is equal to its own, then it might be reticent about sharing the data.
“In most cases, they have no clue what the other guy has with respect to security,” McMillan said. “Part of the reason for that is that we don’t have a common standard for what security means.”
Calling back to when he worked in various defense agencies, McMillan explained that the Department of Defense found itself in a similar situation in terms of sharing information. Different agencies were starting to connect together, and it was difficult to pinpoint what the security was like at another agency.
One of the things that had to happen was create “the definition of a trusted environment,” he said, meaning there was a certain level of security that everyone had to be able to demonstrate. That way, organizations knew that there were certain things other agencies had to do because it was the same things they had to undertake.
“In healthcare today, we don’t have that,” McMillan said. “There’s nothing in healthcare that says you have to maintain your environment at the same level of security controls respect that another facility uses to maintain theirs.”
Part of the interoperability program that the ONC should be promoting is addressing the fundamental baseline for security. That baseline then says that in order for an organization to have a truly interoperable system and connect to others in a trusted relationship, certain security features must be part of its architecture. However, McMillan said that trust is key before a facility feels good about sharing its information.
Key takeaways from large scale health data breaches
After the Anthem data breach and Premera data breach, healthcare privacy measures and the data breach notification process have been pushed into the public’s eye. McMillan was quick to say that neither organization is a “poster child for what somebody did wrong,” and that the issue wasn’t that they didn’t necessarily have adequate security. Rather, what happened to Anthem and Premera could have happened to anybody, especially in the healthcare industry.
“We need to do a better job of being able to detect and react to incidents,” McMillan said. “People should take away that even with all the money in the world, even large organizations that probably have large security budgets or spend a lot of money on security and are trying to do it right [can have problems].”
Moreover, the right cyber attacker who has the necessary knowledge, motivation, and right amount of time will succeed nine out of 10 times, he said, adding that that’s what happened to Anthem and Premera. Healthcare needs to do a better job of detecting what’s going on in the environment, and do a better job of monitoring what’s going on, he said.
“The bottom line that those incidents taught us is that we need to step our game up with respect to how we address security,” McMillan said. “Just approaching security from a HIPAA compliance perspective is no longer effective. It never was to begin with, but it’s even less today.”
McMillan added that the HIPAA Security Rule has not changed since its final version was produced in 2003. However, security frameworks, such as the one at the National Institute of Standards and Technology (NIST), continue to go through revisions.
“We’re behind,” McMillan said. “Basically what we really need to do is scrap the HIPAA Security Rule and just let organizations select the framework that they want to work with, whether it’s NIST, whether it’s ISO, but a legitimate framework. From there, they build their program and we hold them accountable for protecting the data.”
McMillan added that NIST has come out with guidelines for mobile devices and cloud security, among others. Neither of those topics were addressed in the HIPAA Security Rule, he said.
“The problem is HIPAA is antiquated,” McMillan said. “It’s behind the times and we need to take a new approach.”