The US government says healthcare IT security needs some work. On June 2, a paper was published by the federal government called, “Report on Improving Cyber Security in the Healthcare Industry,” Ars Technica IT editor Sean Gallagher noted. The basic conclusion of the document was that the state of healthcare IT security in the US is concerning. Actually, the first page of the report’s Executive Summary contains a thermometer that suggests the state of data risk is red-hot, with the heading, “Healthcare Cyber Security is in Critical Condition.”

The commission, called the Healthcare Industry Cyber Security Task Force (and including industry officials from Kaiser Permanente, Merck, and other major industry names) advised the HHS and Congress to create programs with advanced application and equipment safety. The paper also suggests that steps should be taken to make sure that healthcare companies employ more security personnel. Additionally, it presents an advised protocol related to governance and a game plan to follow when a breach occurs that impacts protected health information.

Gallagher agrees with the report that the federal government should take action in some of the ways described. However, he adds that “government intervention is part of what got health organizations into this situation—by pushing them to rapidly adopt connected technologies without making security part of the process.”

Regardless who is to blame, the report could be considered a wake-up call in healthcare data, and that it’s not being properly protected in many settings.

3 reasons why HIPAA is not enough

HIT security story: Children’s Mercy Hospital

Making security your top priority

3 reasons why HIPAA is not enough

If we’re to go along with this notion that security of healthcare IT is not currently where it should be, it’s worth considering that part of the reason could be overemphasis on healthcare regulatory compliance.

Last March, risk management specialist Jonathan Litchman of The Providence Group pointed to ransomware attacks (e.g., Hollywood Presbyterian Medical Center) as an example of cyber security issues that are unassociated with the protection of ePHI (and which, hence, are neglected by the security rule).

Via HealthITSecurity, Litchman offered three basic reasons why the risk of getting hacked is not adequately addressed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA):

This healthcare bill and its updates have been squarely centered on protecting ePHI. The systems that store or transfer that patient data are only part of the landscape, though. Simply using a set of rules, handed down from afar, to allow you to manage risk is insufficient when you think in terms of being proactive toward digital threats and creating full-bodied defenses and protective tactics. While it’s elementary that you need to concern yourself with the fundamentals of HIPAA, thinking purely in terms of compliance when you strategize security “creates an organizational governance structure that inhibits framing cyber risks as an organization-wide issue and impedes executive and board engagement,” says Litchman.

HIT security story: Children’s Mercy Hospital

The above information should establish that a healthcare company’s ability to protect itself in an increasingly complex threat landscape goes beyond a simple HIPAA checklist. Let’s look at how one healthcare provider is approaching the issue of cyber security beyond the ePHI concerns of the security rule.

Children’s Mercy Hospital (located in Kansas City, Missouri) has to somehow be able to perpetually monitor and filter the 180 million requests its infrastructure receives each month, along with managing outgoing data.

David Chou, the organization’s Vice President and Chief Information and Digital Officer, noted that he had decided to use an outside party for IT security, in the process effectively using a third-party entity to fill the role of a chief information security officer (CISO).

“We’re in the business of providing care. I don’t want to be in the business of enterprise security,” Chou said in January. “It’s too expensive to do ourselves, and we can’t staff the talent.”

A third-party company is constantly running vulnerability scans and otherwise checking any possible intrusions or weaknesses across applications, operating systems, devices, and networks. Essentially, what that company is doing is white-hat scanning, checking the system in a manner that emulates the behavior of a hacker.

Using a third-party provider to handle security, Children’s Mercy was able to stop attempted efforts at a breach from the Middle East, Asia, and Brazil. Chou said that prior to placing an external provider in charge of security, the hospital didn’t know how much they were getting targeted by malicious parties.

Children’s Mercy had a $60 million budget for IT last year, and Chou designated about 10% of it toward security – expecting to increase his spending in 2017.

“Security is top on my radar and should be the organization’s top priority and investment,” he said.

Making security your top priority

How might your healthcare company better emphasize security, and go beyond the parameters of HIPAA to better manage risk? That process should not just be an analysis of your own security but an exploration of how third-party providers might be able to help – especially those that go beyond HIPAA compliance to meet the strict standards of Statement on Standards for Attestation Engagements No. 16 (SSAE 16).