Healthcare Security: Where’s the Hype for HIPAA?

Every Time Technology is Used for the Greater Good, We Must Remember There is Also a Group of Malicious Opportunists Waiting to Pounce… 

I’ve written a good deal about hype in the past year or so, and how I believe the security industry does itself a disservice by continually playing up issues to serve its own short-sighted purposes. However, it’s also been my experience that, for one reason or another, there are segments of the security market that aren’t discussed enough. One of those segments is healthcare. While retail breaches continue to dominate headlines (most notably Target), healthcare security issues continue to fly under the radar.

During the past several months, it’s been hard to escape media coverage and updates about Payment Card Industry (PCI) compliance and how retail companies such as Neiman Marcus failed to meet the standards outlined by their governing bodies. What most people probably don’t know is that PCI, as an industry standard, doesn’t come close to having the teeth of the compliance regime facing the healthcare industry, most notably HIPAA (the Health Insurance Portability and Accountability Act). While security is serious business in every industry, and the failure to protect customer data can always have severe consequences, few security failures are as devastating and far-reaching as they are in healthcare: a stolen card number can be reissued, but a patient’s medical history cannot.


On the surface it may seem as though credit card information would be the most valuable asset for a would-be hacker, but in reality, healthcare records are the Holy Grail. I recently read that credit card information is selling for approximately one dollar per account on the black market, whereas a healthcare record goes for upwards of $50. Activity from hackers backs up this assertion as well. As with any business or enterprise, if you want the real story, follow the money. According to the Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security:

• 90 percent of healthcare organizations have reported a data breach in the past two years.

• Attacks on healthcare systems have increased 100 percent since the first study in 2010.

• The annual cost of healthcare data breaches has been estimated as high as $5.6 billion.


• 69 percent of study respondents report that the Affordable Care Act increases risk to patient privacy and security.

Healthcare providers are faced with a set of unique challenges that are specific to their industry. They are charged with protecting patient privacy and sensitive data, while also increasing access to healthcare services. At the same time, fines related to HIPAA are on the rise, and the US Department of Health and Human Services Office for Civil Rights (OCR) is aggressively and proactively auditing healthcare organizations.

For healthcare organizations, it is critical to avoid HIPAA fines and protect funding resulting from the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to Meaningful Use regulations, healthcare organizations must meet specific criteria to receive and retain incentive payments offered through the HITECH program.

So, the question becomes: what should healthcare providers do to shore up their security and protect themselves from fines and damage to brand reputation? I would suggest enhancing standard periodic risk assessments with a process that produces actionable information IT operations can use to identify potential threats to electronic protected health information (ePHI): which systems store or transmit ePHI, which known vulnerabilities affect them, and which of those are exposed to untrusted networks. A documented risk analysis is itself a requirement of the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)), so the output of this process doubles as the evidence an OCR auditor will ask to see. With such a plan in place, the security professionals within a healthcare facility or network can better manage risks to the organization, demonstrate their readiness to patch critical vulnerabilities, and avoid the potential for large fines and penalties.

Breakthroughs in healthcare technology allow doctors from around the globe to consult in real-time, ensuring that patients are receiving the best care possible. A good example of this is the ability for a doctor at a small, remote hospital to work in tandem with a specialist from a large-market hospital like Massachusetts General to conduct a procedure that would be unfathomable even a few years ago. These innovations are improving care and saving lives.

However, once something is on a network and connected to the Internet, the threat of being hacked becomes a real possibility. Every time technology is used for the greater good, we must remember there is also a group of malicious opportunists waiting to pounce. The oversight for the protection of healthcare information is only getting tighter, and it is incumbent upon the security teams to ensure healthcare professionals have all the tools necessary to improve patient outcomes, while we worry about keeping the bad guys away. Maybe this is one instance where a little hype would do us some good.
