Healthcare information security

Where Does HIPAA Not Go Far Enough With IT Security?

September 26, 2016 by Infosec

The entire goal of HIPAA (and the HITECH Act that followed it in 2009) is to protect PHI, or protected health information. This data should be confidential and safeguarded against access by unauthorized individuals or companies, including those with nefarious goals. HIPAA was enacted in 1996; its Privacy Rule took effect in 2003 and its Security Rule in 2005. Since then it has done a great deal to help protect that information and foster at least some sense of security.

However, there are many out there who feel that while HIPAA and HITECH were good starts, they do not go nearly far enough. Even as far back as 2013, there were calls for strengthening the protections provided in several crucial areas. These areas include the following, which we’ll address in greater detail later:

  • HIPAA is more concerned with business errors than with actual hacking attempts.
  • Mobile device security is not addressed.
  • Data encryption is not mandatory (although encryption is not a universal solution).
  • HIPAA only applies to four categories of entities.
  • Legislation does not adapt at the pace of technological evolution.
  • HIPAA does not mandate training specifically aimed at phishing or other social-engineering attacks.

Now, let’s address these individual shortcomings one at a time.

Not Focused on Hacking

When HIPAA was signed into law, hacking attempts against corporations were relatively few and far between. That is not to say they were nonexistent, but they were far rarer than they are today, particularly against health industry businesses.

In fact, a study conducted by the Ponemon Institute in 2015 found that criminal attacks on healthcare organizations had increased by 125% since 2010, and had become the leading cause of data breaches for healthcare businesses.

According to that study, only 9% of healthcare organizations had NOT experienced a data breach in the two years preceding it (2013 and 2014), and 40% reported at least five data breaches during that period. Moreover, medical identity theft almost doubled from 2009 to 2014, going from 1.4 million adult victims in 2009 to 2.3 million in 2014.

When HIPAA was enacted, these attacks were far fewer, so the emphasis of the legislation is on how businesses share, use and access protected health information, with only nominal safeguards against unauthorized access to those records once they are stored on a company's computer network.

The Scourge of Mobile Devices

When HIPAA was enacted in 1996, smartphones did not exist in anything like their current form. Today they are ubiquitous. The issue is that HIPAA does very little to safeguard PHI stored on or shared from mobile devices, even though those devices now make up a significant portion of the technology in everyday use.

The fact remains that mobile devices are easy to lose and are frequently stolen. You would expect this to have been addressed when the 2013 Omnibus Rule was rolled out, but it was not. HIPAA does not require healthcare providers to be able to remotely wipe PHI from a lost or stolen mobile device, yet they can be held accountable for the loss of that information.

For instance, Catholic Health Care Services of the Archdiocese of Philadelphia agreed in 2016 to a $650,000 settlement with the OCR after the theft of a smartphone that held PHI for more than 400 residents of the nursing homes it served.

In a related incident, about 2,500 people had their PHI exposed when a laptop and a flash drive were stolen from a long-term care ombudsman in Michigan. Thankfully, the laptop's data was at least encrypted.

This goes further than the security of information stored on the devices themselves. HIPAA also says little about securing the networks used to move PHI to or from a mobile device.

It can be taken deeper still. The Security Rule's audit controls standard (45 CFR § 164.312(b)) requires mechanisms that record and examine activity in systems containing electronic PHI, but it does not say what must be recorded. In practice that usually means application-level audit trails of which user viewed or changed which record; there is no requirement to capture what happens at the operating system level (logons, privilege changes, process execution, or file access outside the application). That gap applies to mobile devices as well as to laptops, desktops, servers and every other component of a healthcare business' network.

Data Encryption – Not Mandatory, but Mandated Encryption Is Not a Cure-all

Data encryption is touted as being one of the single best ways to protect PHI, but not all information within a healthcare organization must be encrypted. Remember – HIPAA is really more about how that information is shared and used, with only nominal requirements for security and protection (yes, there is a security component to HIPAA, but it is not as robust as it should be).

With that being said, encryption is not the cure-all that its proponents seem to think it is. Take the massive 2015 Anthem breach as an example. In that instance, the company technically did nothing wrong, other than an executive falling prey to a phishing attack.

The attackers did not need to break any encryption, and would not have needed to even if encryption had been in place: they accessed the data through the executive's own account and password, and a system decrypts data for whoever presents valid credentials.

If you’re surprised that the security rule does not mandate encryption, you’re not alone. However, the HHS has this to say about it:

“The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii).

The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI.

If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.

If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”

Now, that might seem to let organizations off the hook, but it does not. If an organization decides that encryption is not reasonable and appropriate, it must document in writing why it reached that decision and what equivalent measure it put in place instead. The OCR then reviews that decision during an audit or breach investigation. The OCR may agree with the organization, or it may not; if it does not, the organization will have to take steps to comply with the OCR's findings.

Even so, that review does nothing to safeguard the information between the time the company decides not to encrypt it and the time the OCR examines the decision, or during the further time it takes to deploy encryption should the OCR disagree.

And, as mentioned, encryption is not a cure-all. Encryption at rest protects data on a stolen laptop or backup drive; it does nothing against an attacker who holds valid credentials, whether obtained by phishing an employee or by some other means, because the system decrypts the data for that attacker exactly as it would for the legitimate user.

HIPAA Doesn’t Apply to That Many Entities

You would think that, given the scope of HIPAA, it would cover just about any organization or device that stores, transmits or shares personal health information, but that is far from the case. When HIPAA went into effect, the organizations it covered handled nearly all of the health information that existed; today a large share of that information flows through consumer devices and apps that fall outside its scope, a result of the ever-evolving role of technology in our lives.

So, what entities does HIPAA cover? Really, there are only four categories:

  • Healthcare providers (hospitals, doctors, clinics, etc.)
  • Healthcare clearinghouses (billing firms and the like)
  • Health plans (insurance companies, for instance)
  • Business associates of covered entities

There are also exceptions and exemptions even for organizations that fall into those categories. For instance, a healthcare provider is a covered entity only if it electronically transmits health information in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, referral authorizations and the like); a provider that does not is not covered. And if an entity does not fall into any of those categories, it is not covered by HIPAA at all, even if it stores, shares or accesses personal health information.

For instance, personal health monitors like the Apple Watch and the Fitbit regularly transmit health data from the device to the app vendor's cloud servers. Whatever protection that data receives is at the vendor's discretion; HIPAA requires none. The same applies to Internet-connected scales or blood pressure monitors, and the Internet of Things more broadly poses innumerable privacy and security issues for personal health information, none of which HIPAA or HITECH address.

Yet other uses of this information fall well outside the scope of the regulation. An employer, for example, might handle personal health information while processing a worker's compensation claim, during enrollment in a company-sponsored insurance program, and in many other situations, yet the employer acting as an employer is not a covered entity.

HIPAA Is Outdated Already

The simple fact of the matter is that the world we live in today is not the same as it was when HIPAA was first enacted, or even when the final omnibus rule was rolled out. It is not the same as it was when HITECH was passed.

To be fair, all legislation eventually becomes outdated as society, technology and other factors evolve. However, where the protection of PHI is concerned, it is absolutely crucial that legislation keep up with those changes, and it has not. Many of the shortcomings listed above are really symptoms of HIPAA being out of sync with today's world and the technology that powers it, to say nothing of what might come to be in a few months or years.

No Mandatory Training

The incredible incidence of breaches with healthcare organizations today is frightening, and it should be. These are organizations entrusted with safeguarding some of the most personal and valuable information out there.

The results of the Ponemon Institute study mentioned previously should be truly eye-opening. Criminal attacks are the leading single cause of breaches, but a large share of all breaches still trace back to an accident, a lost or stolen device, or an employee who was victimized by attackers.

It would seem to make sense, then, for HIPAA to mandate employee training on identifying phishing emails, phone calls and other scams so that these attacks do not succeed. The Security Rule does require a security awareness and training program for the whole workforce, including management (45 CFR § 164.308(a)(5)), but it does not prescribe the content, and its more specific elements (security reminders, protection from malicious software, log-in monitoring, password management) are addressable rather than required. Nothing obliges an organization to teach its staff to recognize a phishing attempt. To be clear, a variety of threats exist in this area, including:

  • Employees and even executives falling for phishing emails
  • Employee mistakes
  • Credentials stolen through hacking attempts

In many of these cases, a criminal attack is predicated on the action or inaction of an employee within the organization. Sometimes those actions go undetected, leaving the organization unaware that there is a sizeable chink in its armor and operating under the assumption that the attackers gained access to its systems by some other means.

However, because HIPAA does not require specific training for employees and executives on identifying phishing attacks, safeguarding system credentials, or the myriad other ways hackers exploit laxity or ignorance, organizations remain at significant risk. Consumer PHI and financial information are at risk along with them.

In Conclusion

When everything is said and done, HIPAA has shortcomings. There is no such thing as perfect legislation, and by its very nature it is outdated almost as soon as it becomes law. The best approach is to abide by the letter of HIPAA and the HITECH Act while going beyond it, ensuring that training and education are provided for employees and executives.

As criminal attacks become more and more commonplace, it becomes increasingly essential that every single individual within an organization be able to recognize the signs of phishing attempts, as well as follow best practices where data storage, access and transmission are concerned.

While HIPAA will no doubt be updated at some point, organizations need to take action now. Ultimately, the safety and security of PHI is the responsibility of these organizations and their employees, and protecting that data is of paramount importance, not because of a law on the books, but because it is the right thing to do.

