Healthcare is in serious security trouble if something isn’t done soon. 

By: Brand Barney, Security Analyst, SecurityMetrics (CISSP, QSA)
When you think of the biggest threat to healthcare security, what do you picture? Do you picture hackers? Do you picture malware? Employees?

Yes, those are all real threats, but the most common problem I’ve seen recently isn’t the threat of a data breach, or even a lack of security controls. The biggest problem with healthcare data security and HIPAA is complacency.

SEE ALSO: A Snapshot of the 2017 SecurityMetrics Guide to HIPAA Compliance: The Status of Healthcare Security

When it comes to the security side of HIPAA, many healthcare organizations are complacent and assume a data breach won’t happen to them. As a result, far too many organizations are losing data without even knowing it.
Here are some reasons why complacency in data security hurts your organization.

Your data can be stolen way too easily

People love the idea that stealing data is a highly technical and complicated process, like an Ocean’s Eleven heist or an episode of Mr. Robot. In reality, stealing data from many organizations is embarrassingly easy.

Many organizations don’t realize how easy it is for someone to walk in, pick up something with valuable data on it, and walk out. Because employee training and physical security are inadequate, social engineers can install malware and steal data from healthcare systems with little effort.

SEE ALSO: Physical Security: What You Aren’t Thinking About

Don’t believe me? What the attackers did once inside Target’s network was highly technical, but how they got into the network was not technical at all. In any breach there is a series of items the company overlooked that ultimately led to the compromise, and Target was no exception. Target’s HVAC vendor had remote access into Target’s network, and the attackers obtained that vendor’s remote-access credentials. With those credentials they essentially “walked” right in. Only then did the more complicated and technical attacks begin.

Your IT security people will get frustrated

In most cases, your IT people do care about security. But if the rest of the organization doesn’t, your security people will quickly get frustrated and eventually stop caring.

Here’s an example: a provider wants IT to open up an insecure port or protocol so a doctor can reach the network from home. IT says no, the doctor complains to someone higher up, and because most organizations want to keep providers happy, IT is overruled and made to open it anyway.

Security people can find work anywhere, and a secure organization is all about culture. If the providers don’t care about security, the IT people will often go somewhere else.

It won’t be a matter of if, but when you get breached

There’s a lot of talk about financial institutions being the top breach targets. In reality, it’s healthcare. Personal information and healthcare records sell for far more on the black market than card data.

Nearly 90 percent of healthcare organizations have been breached in the past two years. These breaches have exposed over 112 million records and cost the healthcare industry $5.6 billion annually. Most, if not all, of these breaches could have been prevented if the organization had followed more secure practices.

Basically, if you don’t secure your data, you will get breached.

When you experience a data breach, you’re screwed

Many organizations assume that dealing with a breach will be less painful than dealing with security. This is patently false. If you are breached, no one can bail you out, and you have already failed to protect your patients. If data gets stolen, you’re screwed.

Not only are you putting your patients at risk, but also your reputation. Breached organizations often lose 40% of their clients.

Basically, a data breach will cost you a lot more than you think: legal fees, HHS fines, and the cost of handling patient data loss. Remember, too, that while a stolen credit card can easily be replaced, a social security number can’t. And patient records hold far more than social security numbers, so if you handle patient data you have much more to lose.

SEE ALSO: How Much Does a Data Breach Cost Your Organization?

Why are we failing at security?

So why are we so bad at security? To put it simply, many higher-ups don’t care. They don’t understand security or HIPAA, and because they don’t understand it, they push it to the side and hope it goes away or never causes any “real” issues. Because the people at the top are complacent about security, the rest of the organization generally follows suit.

It’s important for the C-suite to be aware of the organization’s security needs and to promote a culture of security and HIPAA compliance. Executives should know where their networks may be vulnerable and what is being done to address those vulnerabilities.

So what should we do?

You need to promote a culture of data security and HIPAA compliance in your organization. Employees should be trained in security procedures and in handling issues like social engineering. Security policies should be in place, and employees need to follow them.

We need to start treating health data like it’s as valuable as it really is, and we need to start this process today!

It’s also important to maintain your security and compliance. Just because you’re secure today doesn’t mean you’ll be secure tomorrow. It’s like maintaining your body: while you may be healthy today, if you don’t take care of the essentials, you may not be healthy tomorrow.

Have a continuous cycle of security improvement. Here are a few tips to maintain security and HIPAA compliance:
  • Perform regular vulnerability scans: find any vulnerabilities before they are exploited
  • Review and update policies annually: things may change in your organization that require change to your security policies
  • Train employees quarterly, if not monthly: people learn best by repetition; consistent training helps employees keep security on the brain
  • Document everything: having all policies documented will help with training and keep everybody on the same page

Need help with HIPAA compliance? Talk to us!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.