Back in 2009, the Health Insurance Portability and Accountability Act (HIPAA) was combined (or updated) with the Health Information Technology for Economic and Clinical Health Act (HITECH) to increase its strictness in line with social and technological advances. Despite this, many still claim that HIPAA does not go far enough to secure patient data, and the increasing regularity with which we see data breaches in the healthcare industry seems to confirm this.
So, what’s the issue? Are healthcare organizations that suffer breaches simply failing to meet HIPAA requirements, or is HIPAA not going far enough to ensure security?
Healthcare is a High Value Target
It probably isn’t fair to assume that, because the healthcare industry sees a proportionately high number of attacks, it must be lacking the data security that other industries enjoy. The healthcare industry, as a whole, is an appealing target for cyber criminals and insider threats alike.
Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) both hold a higher value on the black market than regular Personally Identifiable Information (PII). In fact, some news outlets have reported that an Electronic Health Record could fetch up to 100 times the value of credit card information. For this very reason, we have seen healthcare organizations fall victim to sophisticated, targeted external attacks, and we have also seen opportunistic insider threats.
Fewer HIPAA Breaches Are Being Reported
Depending on which news outlet you get your information from, you might find completely contrasting information on the volume of HIPAA breaches. An article from the HIPAA Journal claims that HIPAA violations have decreased from 326 in 2014 to 86 in 2018. But does this necessarily reflect that healthcare organizations are getting better at securing data? Or is it simply a failing on the part of HIPAA compliance itself to deal with data protection?
An article from Reuters, for example, claims that healthcare data breaches are on the rise, due mainly to large breaches of electronic systems. This coincides with regularly cited criticisms of HIPAA and other compliance regulations that they do not keep up to date with technological advances.
HIPAA Itself Could be the Problem
HIPAA itself is a fairly flexible compliance mandate. It does not provide specific steps to help you secure your data, but instead requires that your data security posture be “reasonable and appropriate”. Many organizations and security teams struggle with the ambiguity of this phrase and would like more specific direction.
Throughout our conversations with customers it has become apparent that many organizations are using compliance as an indication of the success of their data security strategy. The biggest piece of advice we find ourselves repeating is that you must go beyond what is required by the compliance mandates you are bound by. Use HIPAA as a baseline from which to start your data security journey.
In reality, HIPAA compliance is never going to be able to keep up with the rate of advancement of cybersecurity threats. Security teams need to be proactive in identifying the risk currently posed by their data and surrounding systems and take steps to mitigate it.
Speak to Lepide
Here at Lepide, we are specialists in helping healthcare organizations meet HIPAA compliance and improve the overall security of their data and the surrounding environment. We would love to demonstrate to you exactly how our data security platform, LepideAuditor, can help you proactively identify risk, prevent data breaches and meet compliance demands.