Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Healthcare Industry Can Go Beyond Compliance to Achieve Better Security

The Healthcare Industry Has a complex Relationship with Security, Compliance, and Legislation

The Healthcare Industry Has a complex Relationship with Security, Compliance, and Legislation

Most larger organizations are at a maturation point where their security has moved beyond industry compliance requirements and can focus on measures that proactively enhance security.

Many vendors have discussed historic challenges of companies doing “just good enough” security in the name of compliance and how today, such an approach is no longer sufficient. As unprecedented security challenges continue to emerge across the enterprise, today’s organizations and bodies defining industry standards for security have begun to recognize that even progressive and compliant security programs fail to prevent certain types of incidents.

In response, many security compliance requirements have since been amended in order to help organizations better protect themselves. The financial industry’s Gramm-Leach-Bliley Act and PCI Security Standards Council are great examples and continue to encourage the adoption of similar programs across many industries.

As the healthcare industry also moves to create similar standards, it is crucial for healthcare institutions to recognize their industry’s inherent susceptibility to cyber threats and that standards and regulations will, by their nature, always be reactive. At Flashpoint, our customers include some of the most progressive healthcare and health insurance institutions as far as security and intelligence programs go. Observing our customers’ approach to emerging cyber threats has helped me recognize that the most secure organizations are those who promote and integrate security and intelligence comprehensively across all business functions — even if current compliance requirements do not mandate it.

Healthcare Information SecurityAs I outline below, highlighting the healthcare industry’s complex relationship with security, compliance, and legislation can help more organizations recognize that while compliance may be integral to achieving security, compliant does not always equal secure.

Security vulnerabilities and the Electronic Medical Records (EMR) mandate

Recent media attention surrounding large-scale cyber attacks and data breaches in healthcare has encouraged many to take a closer look at the industry’s susceptibility to security issues. Many of the factors contributing to this susceptibility — including poor password hygiene, legacy or unpatched systems, and lax user-access controls — do indeed exist across all industries. However, others are unique to healthcare — including some that developed in part as externalities of recent legislation and outdated compliance requirements.

In particular, the healthcare industry’s rushed adoption of Electronic Medical Records (EMRs) is one such factor. When the American Recovery and Reinvestment Act (ARRA) — also known as the federal stimulus package — was passed in 2009 as a means of facilitating economic growth and technological advancement, it mandated that all healthcare institutions in the U.S. demonstrate use of EMR systems by 2014. Subsidies and incentives were provided to those compliant with the deadline, but steep penalties were imposed upon those who were not.

Advertisement. Scroll to continue reading.

While ARRA ultimately increased the number of institutions using EMR technology and helped spur the creation of a highly-competitive EMR market worth an estimated $26.5 billion, it consequently helped contribute to many of the security vulnerabilities the healthcare industry faces. As a result, the mandate pressured many institutions to rush into adopting the technology in order to meet compliance, despite the fact that many lacked sufficient time, resources, and expertise to implement and maintain EMR systems securely.

Unfortunately, the increase in the number of institutions using EMR technologies continues to encourage cybercriminals to target not only the healthcare industry but also to develop new and advanced ways of doing so. Specifically, the frequency of attacks targeting healthcare with ransomware — a type of malware that can prevent institutions from accessing critical systems and digital infrastructure (such as EMRs) until a ransom is paid — has rapidly increased over the last several years since the industry’s adoption of EMR systems.

Outdated compliance requirements

HIPAA remains the only security compliance requirement not only for EMR systems under ARRA, but for the healthcare industry as a whole. Although HIPAA’s Security Rule was created specifically to ensure the security of electronic personal health information (ePHI), the rule has not been amended since its creation in 2003. As such, it fails to address many of the security vulnerabilities inherent to newer, more complex technologies — such as many of today’s cloud-based EMR systems.

Above all else, HIPAA’s most substantial flaw is that it does not require healthcare institutions to employ encryption.  As a result, many institutions continue to store ePHI in plaintext, which renders the data far more vulnerable to abuse in the event of a compromise. While more healthcare institutions are beginning to recognize encryption as a necessity, many may believe that as long as they remain compliant with HIPAA, they are secure.

Looking ahead to 2017

The relative insecurity of the U.S. h
ealthcare system epitomizes the reasoning behind why compliance regulations need to remain current and comprehensive in order to promote security awareness and help organizations better protect themselves. In this case, legislation has further complicated the issue by possibly lulling organizations into a false sense of security via compliance.

Given the bipartisan pressure on President-elect Trump to reform the U.S. healthcare system, legislators and decision-makers alike should consider the integral — yet often overlooked — role of security. While policies such as the HIPAA Security Rule have laid the foundation by encouraging healthcare institutions to consider security more seriously, the consequences of recent large-scale cyber attacks and data breaches suggest that such policies are not enough. Regardless of whether compliance requirements are amended to reflect the healthcare industry’s complex security challenges, it is crucial for organizations to prioritize a more comprehensive, integrated approach to security and intelligence across business functions.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...