Securing Health Data Means Going Well Beyond HIPAA
By Jon R. Anderson
August 21, 2017
A two-decade-old law designed to protect patients’ privacy may be preventing health care organizations from doing more to protect vulnerable health care data from theft or abuse.
The Health Insurance Portability and Accountability Act (HIPAA) established strict rules for how health data can be stored and shared. But in making health care providers vigilant about privacy protection, HIPAA may inadvertently distract providers from focusing on something just as important: overall information security.
“Unfortunately I think HIPAA has focused healthcare organizations too much on data privacy and not enough on data integrity, data loss, disrupted operations and patient safety. You can get your identity back at some point, but not your life,” warns Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC). “Many of the attacks we are seeing, such as WannaCry, are disruptive attacks and are not data theft attacks. Organizations should be driven to focus on enterprise risk management and it should come from the Board and CEO level on down.”
“Cybersecurity in Health Care crosses a wide spectrum of issues,” adds Sallie Sweeney, principal cyber solutions architect in the Health and Civilian Solutions Division of systems integrator General Dynamics Information Technology (GDIT). “It’s not just protecting patient data. It includes protecting their financial data and making sure the medical equipment works the way it’s supposed to, when it’s supposed to, without potential for error. Think about the consequences of a Denial of Service attack aimed at the systems monitoring patient vital signs in the ICU. You have to look at the whole picture.”
Many public health agencies and smaller businesses are under-resourced or under-skilled in cyber defense, leaving them reliant on products and service solutions they may not fully understand themselves.
NH-ISAC members have access to support and services, such as Cyber-Fit, a non-profit set of services ranging from simple information services to benchmarking assessments of organizations’ cyber health and security posture; shared risk assessments; and cyber services, including penetration testing, vulnerability management and incident response.
“We have to build alliances of threat-sharing capabilities,” Amato says. “The speed, ferocity and depth of attack cannot be dealt with by individual agencies alone.”
Indeed, improved sharing of information about threats, weaknesses and mitigations is one of the key recommendations of the June 2017 Health Care Industry Cybersecurity Task Force report.
But getting companies to share threat data is a challenge. Built-in financial incentives drive some firms to minimize publicity and the potential risk it might pose to their businesses. But Anderson says she can see progress.
“I think the public and private sector came together well during the WannaCry incident,” Amato says. Though gaps clearly still exist, the swift response was encouraging.
Anderson’s NH-ISAC could play a key role in improving that response further and narrowing the gaps. NH-ISAC is a non-profit, member-driven organization linking private and public hospitals, providers, health insurance firms, pharmaceutical and biotech manufacturers, laboratories, medical device manufacturers, medical schools and others.
The group is one of 21 non-profit information sharing centers designed to help protect specific industries against cyber threats.
“I think within the NH-ISAC the membership did a phenomenal job of sharing indicators, snort signatures, hashes, mitigation strategies, malware analysis, patching issues and other best practice information. We tried as well to get the information out broadly beyond our membership,” she says. “NH-ISAC is a stellar example of how a community can pull together during an incident to help each other out.”
What HIPAA’s Security Rule Requires
The Office of the National Coordinator for Health Information Technology, which is responsible for overseeing the standards and rules applying to electronic health records, writes in its Guide to Security of Electronic Health Information that the HIPAA Security Rule requires:
- Administrative actions, policies and procedures to prevent, detect, contain and correct security violations and to ensure the development, implementation and maintenance of security measures that protect electronic protected health information (ePHI).
- Physical measures, policies and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion to protect and control access to ePHI.
- Reasonable and appropriate policies and procedures to comply with government requirements, including requirements for contracting with IT services providers, for maintaining data over time and for periodically reviewing policies and procedures.
Anderson has a long way to go, however. While health care is one of the largest sectors, the NH-ISAC has garnered only about 200 members since its founding in 2010. By contrast, the financial services ISAC has more than 6,000 members.
Anderson joined the health ISAC from the finance sector ISAC in part to help drum up participation.
“One of the greatest challenges for the NH-ISAC and all ISACs is the lack of awareness amongst the critical infrastructure owners and operators – particularly the smaller owners and operators – that the ISACs exist and are a valuable tool,” Anderson told the House Energy and Commerce subcommittee on oversight and investigations in April. “Numerous incidents have shown that effective information sharing amongst robust trusted networks of members works in combatting cyber threats.” She suggests tax breaks for new members might help encourage wider participation.
“Protecting highly sensitive information – whether it’s patient records, financial data or sensitive government information – is something that has to be baked into every information system,” said GDIT’s Sweeney. “Too often, we have a health care IT system where security is an afterthought – and trying to bolt on the kinds of protections we need becomes painful and expensive.” Sweeney, whose background includes securing large-scale health care information databases and systems for government clients, concluded, “Health care systems should be no less secure than financial systems in banks.”
Another new tool for promoting intelligence and threat sharing among health providers is the new Healthcare Cybersecurity and Communications Integration Center (HCCIC), launched by the HHS in May.
Modeled after the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), the new HCCIC (pronounced “Aych-Kick”) has been criticized as potentially duplicating the NCCIC and other organizations. But Anderson defends the new center as a valuable community tool for funneling information from the many fragmented parts of HHS into a central health care information security clearing house.
She concedes, however, that HCCIC will have to prove itself.
“One potential downside of pulling together HHS components into one floor could be a slowdown of sharing from the private sector as ‘government’ is involved,” she wrote in a written follow-up to questions posed by Rep. Tim Murphy (R-PA). “Another downside could be that even though all of the components are brought together, sharing could still take place in a fragmented, unproductive manner. There could be risk of inadvertent disclosure or risk of post-hoc regulatory penalties for a reported breach. Finally, if efforts are not effectively differentiated from the NCCIC environment, duplication of effort and additional costs for staffing and resources can result.”
HCCIC, in fact, played a key role in the government’s response to May’s WannaCry ransomware attacks. “HCCIC analysts provided early warning of the potential impact of the attack and HHS responded by putting the secretary’s operations center on alert,” Leo Scanlon, deputy chief information security officer at HHS, testified before a House Energy and Commerce subcommittee on June 8. “This was the first time that a cyber-attack was the focus of such a mobilization,” he said. HCCIC was able to provide “real-time cyber situation awareness, best practices guidance and coordination” with the NCCIC.
Anderson sees further upside potential. Based on her prior experience with the financial services ISAC, “the HCCIC should be successful if carried out as envisioned and if it is voluntary and non-regulatory in nature,” she told GovTechWorks. “This will result in improved dissemination within the sector. In addition, by bringing all of the components of HHS under one roof, increased situational awareness and cyber security efficiencies will result.”