A few weeks ago, Anthem agreed to a record $16 million HIPPA settlement with federal regulators to close the chapter on a data breach that exposed data on nearly 79 million individuals in 2015. This payment is in addition to the $115 million Anthem shelled out as part of a class-action lawsuit over the same breach in 2017. This latest settlement revealed new details about the breach, including the fact that Anthem was audited and certified under the HITRUST Common Security Framework (CSF) just five months before hackers were able to infiltrate its computer systems. This raises questions regarding the effectiveness of compliance audits.
Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the HITRUST CSF as part of HIPPA assessments establish a much higher standard of scrutiny for privacy and disclosure requirements, compared to many other verticals. This is justified, since the industry maintains a vast amount of highly sensitive data on individuals, which is extremely coveted by cyber criminals. Healthcare records are a hot commodity on the Dark Web, fetching much higher selling prices than credit cards.
HITRUST CSF has become the most widely-adopted security framework in the U.S. healthcare industry. Like the NIST Cybersecurity Framework, it integrates relevant regulations (e.g., HIPAA) and standards (NIST 800-53, ISO 27001, PCI DSS) into a single overarching security framework. So what benefits does HITRUST CSF offer healthcare organizations?
Security-minded, mature healthcare providers typically already have a solid security program in place that incorporates many of the standards, guidelines, and best practices referenced in the framework. While HITRUST CSF doesn’t necessarily improve cyber resilience for these types of organizations, it does provide a common nomenclature and methodology to help less advanced providers assess their level of security preparedness and benchmark their programs.
Compliant Doesn’t Equal Security
The Anthem breach and thousands of others are proof that regulatory compliance – and its checkbox approach to security – doesn’t translate to greater security. While many experts agree that compliance with security frameworks has value when it comes to developing proper policies for certification, organizations need to be aware that it does not provide immunity from breaches. HITRUST CSF and other guidelines help reduce risk but cannot eliminate all cyber threats and often give organizations a false sense of security.
Ultimately, the mindset of healthcare organizations needs to change if they want to prevent data breaches and ensure that protected health information (PHI) is properly protected. Attackers have learned to side step sophisticated security mechanisms using phishing attacks and social engineering techniques to compromise user credentials and walk in through the front door. Even adhering to HIPAA rules or HITRUST CSF cannot prevent hackers from gaining access to PHI under these conditions.
The HITRUST CSF, for instance, requires that organizations implement several administrative safeguards, which include logging access to PHI and routinely checking these access logs. However, if hackers camouflage their attacks by leveraging compromised credentials, even a high-level review of these logs would not immediately reveal any abnormal behavior needed to stop the intrusion in its tracks.
As a result, healthcare organizations should consider moving towards a “never trust, always verify” security model. This ‘Zero Trust Privilege’ concept requires granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, organizations can minimize their attack surface, improve audit and compliance visibility, and reduce risk – while lowering security complexity and costs.
Healthcare organizations must recognize that HIPAA and HITRUST CSF compliance does not guarantee their systems are adequately protected from threats. These guidelines represent a minimum barrier to entry for attackers. Security, as has been stated many times before, is a journey which requires continuous monitoring and robust controls that must be adapted to new threats, and not an annual checkbox exercise.