Guest post by Stephen Cobb, senior security researcher, ESET.
HIPAA’s privacy and security rules are often labeled as being burdensome and restrictive. The rules are increasingly criticized as ineffective and people wonder how an organization can be HIPAA compliant and still suffer a breach of protected health information.
A medical approach to answering that question might be to think about infection prevention and control. Infection control protocols exist to prevent the spread of infectious diseases, yet a patient can still get infected at a hospital or clinic that has such protocols in place. The reasons for such anomalies include lapses in adherence to the protocol, and a protocol that does not match the actual infection vectors.
Such language maps closely to the demands of healthcare data protection, which could be described as the prevention and control of unauthorized access to protected health information. Clearly there is a need for healthcare organizations and their employees to fully comply with “policies and procedures that are appropriate to the threats.” Getting people to comply requires organizational commitment from the top down, backed by the adequate equipping and educating of staff at all levels.
But what if those policies and procedures are not appropriate to the threats? What if the infection vectors are different from those you trained to defend against, or the threat agent more virulent than you supposed? That’s where a lot of health data security breaches occur, in that gap between established practices and emerging threats. The difference between being “HIPAA compliant” and “secure” often comes down to underestimating threats.
Some threats are well established by now. Every part of a healthcare system should know that its systems hold the same kind of data that identity thieves prize – patient names, addresses, birth dates, telephone numbers and Social Security numbers. That data is very attractive to criminals operating in America or on the other side of the planet. Anyone assessing risks to healthcare IT systems needs to know that, just as doctors and nurses go to work every day to help people, there are some folks who go to work every day to steal the data in those systems.
Right now, criminals can steal that data from anywhere in the world with very little risk of being caught or punished, because stolen identity information can be sold on the black market. Who buys it? A different kind of criminal, closer to home and prepared to take a chance on identity theft.
For example, a crook who buys the type of data that was stolen from Community Health can use it to file fake tax returns that fraudulently claim refunds. That explains why, last April, scores of medical professionals were unable to file their returns: somebody else had already done it for them. And this is not a rare occurrence. For 2013, the IRS estimated there was about $29.4 billion in attempted identity theft refund fraud. The good news is that $24.2 billion of that was prevented or recovered.
Here is more bad news: $5.2 billion went to criminals, causing so much trouble for the hundreds of thousands of people who didn’t get the refund they expected, some for as long as nine months after they filed.
In other words, when we talk about “IT security policies and procedures that are appropriate to the threats,” we need to be aware that one of those threats is a multi-billion-dollar crime scheme that may be initiated from afar but is ultimately cashed out very close to home. Hackers on the prowl for data to use in identity theft are just one of the threats that needs to be taken into account as you develop appropriate IT defenses. However, if you are realistic about the nature of today’s threats and address them with a goal of strong protection rather than mere compliance, you will establish a much more resilient organization that is not only well-defended, but also defensible, should it ever come under scrutiny.