The Healthcare Industry Has a Complex Relationship with Security, Compliance, and Legislation
Most larger organizations are at a maturation point where their security has moved beyond industry compliance requirements and can focus on measures that proactively enhance security.
Many vendors have discussed the historic challenge of companies doing “just good enough” security in the name of compliance, and how such an approach is no longer sufficient today. As unprecedented security challenges continue to emerge across the enterprise, today’s organizations and the bodies defining industry security standards have begun to recognize that even progressive, fully compliant security programs fail to prevent certain types of incidents.
In response, many security compliance requirements have since been amended in order to help organizations better protect themselves. The financial industry’s Gramm-Leach-Bliley Act and PCI Security Standards Council are great examples and continue to encourage the adoption of similar programs across many industries.
As the healthcare industry also moves to create similar standards, it is crucial for healthcare institutions to recognize their industry’s inherent susceptibility to cyber threats, and that standards and regulations will, by their nature, always be reactive. At Flashpoint, our customers include some of the most progressive healthcare and health insurance institutions in terms of their security and intelligence programs. Observing our customers’ approach to emerging cyber threats has helped me recognize that the most secure organizations are those that promote and integrate security and intelligence comprehensively across all business functions -- even when current compliance requirements do not mandate it.
As I outline below, highlighting the healthcare industry’s complex relationship with security, compliance, and legislation can help more organizations recognize that while compliance may be integral to achieving security, compliant does not always equal secure.
Security vulnerabilities and the Electronic Medical Records (EMR) mandate
Recent media attention surrounding large-scale cyber attacks and data breaches in healthcare has encouraged many to take a closer look at the industry’s susceptibility to security issues. Many of the factors contributing to this susceptibility -- including poor password hygiene, legacy or unpatched systems, and lax user-access controls -- do indeed exist across all industries. However, others are unique to healthcare -- including some that developed in part as externalities of recent legislation and outdated compliance requirements.
In particular, the healthcare industry’s rushed adoption of Electronic Medical Records (EMRs) is one such factor. When the American Recovery and Reinvestment Act (ARRA) -- also known as the federal stimulus package -- was passed in 2009 as a means of facilitating economic growth and technological advancement, it mandated that all healthcare institutions in the U.S. demonstrate use of EMR systems by 2014. Subsidies and incentives were provided to those compliant with the deadline, but steep penalties were imposed upon those who were not.
While ARRA ultimately increased the number of institutions using EMR technology and helped spur the creation of a highly competitive EMR market worth an estimated $26.5 billion, it also contributed to many of the security vulnerabilities the healthcare industry faces: the mandate pressured many institutions to rush into adopting the technology in order to meet compliance, even though many lacked sufficient time, resources, and expertise to implement and maintain EMR systems securely.
Unfortunately, the increase in the number of institutions using EMR technologies continues to encourage cybercriminals not only to target the healthcare industry but also to develop new and more advanced ways of doing so. Specifically, the frequency of ransomware attacks targeting healthcare -- ransomware being a type of malware that can prevent institutions from accessing critical systems and digital infrastructure (such as EMRs) until a ransom is paid -- has rapidly increased over the several years since the industry’s adoption of EMR systems.
Outdated compliance requirements
HIPAA remains the only security compliance requirement not only for EMR systems under ARRA, but for the healthcare industry as a whole. Although HIPAA’s Security Rule was created specifically to ensure the security of electronic personal health information (ePHI), the rule has not been amended since its creation in 2003. As such, it fails to address many of the security vulnerabilities inherent to newer, more complex technologies -- such as many of today’s cloud-based EMR systems.
Above all else, HIPAA’s most substantial flaw is that it does not require healthcare institutions to employ encryption. As a result, many institutions continue to store ePHI in plaintext, which renders the data far more vulnerable to abuse in the event of a compromise. While more healthcare institutions are beginning to recognize encryption as a necessity, many may believe that as long as they remain compliant with HIPAA, they are secure.
Looking ahead to 2017
The relative insecurity of the U.S. healthcare system illustrates why compliance regulations must remain current and comprehensive if they are to promote security awareness and help organizations better protect themselves. In this case, legislation has further complicated the issue by potentially lulling organizations into a false sense of security through compliance.
Given the bipartisan pressure on President-elect Trump to reform the U.S. healthcare system, legislators and decision-makers alike should consider the integral -- yet often overlooked -- role of security. While policies such as the HIPAA Security Rule have laid the foundation by encouraging healthcare institutions to consider security more seriously, the consequences of recent large-scale cyber attacks and data breaches suggest that such policies are not enough. Regardless of whether compliance requirements are amended to reflect the healthcare industry’s complex security challenges, it is crucial for organizations to prioritize a more comprehensive, integrated approach to security and intelligence across business functions.