If your compliance program is based solely on privacy, your program is severely lacking.

Tod Ferran, CISSP, QSA
By: Tod Ferran
Who’s to blame for healthcare’s security disaster? The fact is, most healthcare entities know nothing about the technical aspects that make up the HIPAA Security Rule. Do you know how to correctly create a PHI flow diagram? Scan for rogue wireless access points? Set up a firewall? Remediate the results of a vulnerability scan? Enable a VPN tunnel for secured 2-factor remote access?

Don’t feel bad. Most people in healthcare (even IT gurus) struggle to understand security. And therein lies the problem.

Hackers like to take advantage of the simple fact that many healthcare entities aren’t security gurus. Events like June’s hack attack against the Montana Department of Public Health and Human Services’ servers (1.3 million affected), and September’s email breach at UC Davis Health System (1,326 affected) will only continue to increase, unless the Security Rule is strictly adhered to.

SEE ALSO: Current Hacking Trends: Remote Access

What you’re doing right

People in healthcare understand HIPAA privacy. The problem started in 2005 when the darned security rule ruined healthcare’s privacy rule mojo. The industry hasn’t recovered since.

Based on SecurityMetrics data, the average medical organization is only 57% compliant with the most basic and important security considerations. Organizations haven’t been able to grasp the fact that the security rule is a vastly different regulation virtually unfulfilled by the privacy rule.

The scapegoat

Not a lot of documentation or training exists to help people get through the nitty-gritty security aspects of HIPAA. The HHS Security Risk Assessment Tool (SRA tool, or sRAT) is a step in the right direction, but even with the ‘Things to Consider’, ‘Threats and Vulnerabilities’ and ‘Examples of Safeguards’ sections, most health care professionals are left scratching their heads.

Most third parties don’t help the situation either. Lawyers, IT service providers, and CPA firms may tout their knowledge of the HIPAA security rule, but most have no idea how to actually architect and safeguard healthcare computer systems to deflect a man-in-the-middle attack on an EMR system (and the 74 other technical security requirements required of your organization).

SEE ALSO: Your HIPAA Expert May Not Know Enough About Security

Turn your security around

According to data from the HHS Wall of Shame, 4.5 breaches per week were reported in 2013. I’m ready for that to change. Let me explain three things that can help you plant your feet on the road to HIPAA compliance.

1) Update…as often as possible

When was the last time you updated your operating systems? Please don’t tell me you’re still using Windows XP… What about the last time you updated your point of sale software? Your Internet browser? Your apps? Your mobile devices?

“Updates? Ugg! I don’t have time for that right now.” Did you know security is the number one reason to continue updating to the latest version of any system software? Criminals search for new weaknesses every day, and if systems aren’t updated regularly, they may easily be able to find holes in your system.

Once you discover how many devices need to be updated, I recommend updating overnight, or when your system has the least amount of traffic.

2) Vulnerability scans: Not just for retailers

Did you know there’s an easy way to identify and predict how hackers might get into your organization? Fortunately, the process isn’t as complicated as you may think.

Vulnerability scans are automated, affordable, high-level tests that identify network security weaknesses for you. After a scan completes, it is crucial to fix any located vulnerabilities on a prioritized basis. Continue running scans until the scan returns clean, and afterwards on a quarterly schedule.

Remember, not all scanning vendors are created equal. Shop around for a scanning vendor who at least has their ASV accreditation and regularly updates their scanning engines.

3) Face it. You need help with your risk analysis

A HIPAA risk analysis is an assessment of the potential vulnerabilities, threats, and possible risk to the confidentiality, integrity, and availability of ePHI held by the covered entity. It’ll help you know where your patient data is stored, how it may be vulnerable, and how to adequately protect it.

SEE ALSO: 5 Steps to Making a Risk Assessment

But…it’s not a checklist. It must be comprehensive. It should be reviewed and updated annually, and when there are any significant environment changes.
A risk analysis is definitely not a one-and-done activity.
Tweet: A #HIPAA risk analysis is definitely not a one-and-done activity. http://bit.ly/1yVLP1a Tweet
SEE ALSO: What are Addressable HIPAA Requirements?

Organizations may try their own risk analysis, but it’s difficult to be thorough without a security background. To be systematic and prioritized, enlist the help of a security-trained pro.


Plant your feet on the road to HIPAA compliance


Please educate yourself and your organization on the technology perils of our day. The patient data you have is extremely valuable, and part of caring for patients includes protecting the information they entrust to us.

These three activities will not make your organization compliant or prevent every attack, but they are great first steps that plant your organization’s feet firmly on the road to HIPAA compliance.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.

Monday, February 2, 2015