By S. LAMAR BARNETT, MS
I shook my head as I carried the second of two clinic desktops to my car. I would never return to Dr. Langston's (name changed) office, closed permanently due to massive HIPAA fines. These systems couldn't simply be discarded; all patient data must be irretrievably destroyed.
Why does this tragedy play out so often, when a modest investment of time in HIPAA compliance would prevent it? Fines can begin piling up within weeks of the painful duty of announcing a breach. Sadly, it is all completely avoidable.
As it turned out for Dr. Langston, there was abundant need for destroying patient data. The two systems were full of files resplendent with patient details, stored without encryption or access security. Not only that, but the main Windows login, with administrative rights, did not require a password.
It defies explanation. How could a clinician be so careless with the security of their patient data?
HIPAA regulations are designed to secure the data, and the Security Rule's requirements provide a clearly detailed checklist. Once it is implemented, an audit by the federal Office for Civil Rights (OCR) becomes much less scary.
But every item on the HIPAA checklist must be addressed continually, so that the security of the patient data system keeps pace with the changes that inevitably occur: new data-entry personnel or other users, software changes, replacement of computers, new equipment added to the network. The requirements for system security, user training, and policies and procedures must first be implemented, then followed by activities that document and demonstrate continued compliance. When a clinic is not accustomed to HIPAA requirements, it takes time for the culture to evolve to the point where required activities are consistently logged, periodic audits are conducted, and every user is effectively trained and routinely refreshed on good practices.
For example, one of the best-known breach methods, the ransomware attack, is much less likely to succeed when the safeguards of the HIPAA Security Rule are in place. This alone would seem adequate justification for careful adherence to the Security Rule.
Why has ransomware become so popular with hackers? A little reconnaissance tells the hacker which systems hold a lot of sensitive data and belong to an organization with ample resources. Then a single breach can bring a large payoff.
The success of this attack model relies on three factors, which until recently have been common in the hackers' targets. First, the owner’s system must contain vitally important data. Second, the systems must not be securely hardened. And third, the owner must not have sufficient backups to rebuild their system.
In the past, it's been easy to find organizations where all these factors align. But with growing awareness of the importance of hardening and effective backups, fewer system owners are such a good target. Because of this, many ransomware hackers have changed their strategy.
It is becoming more common for the threat actor to quietly plant malware, remain hidden while locating and exfiltrating confidential data, and only then reveal themselves. Whether patient data is held on a local system or in the cloud (often behind an encrypted portal), the attacker can reach it by a variety of methods; encryption of the connection protects data in transit, but it does not help once the attacker holds a legitimate user's credentials or a foothold on that user's device.
Once a significant portion of the sensitive data has been extracted, the hacker springs the trap. They can now extort the owner by threatening to publish the stolen patient data, employ classic ransomware encryption, or both. The system owner faces a choice between paying the extortion fee and accepting losses through litigation and reputational damage.
How often does this happen? The incidence is rising rapidly. One recent estimate is that 30 percent of all systems in the U.S. are infected with malware.
Adherence to HIPAA requirements doesn't guarantee a breach won't occur. It does reduce the damage to the business from HIPAA fines: OCR weighs a covered entity's documented, good-faith compliance efforts when it sets penalties, and a clinic that can show them fares far better than one that cannot.
Not all aspects of the HIPAA Security Rule involve technical configuration or modification of systems. In fact, a large portion do not, user training among them. It pays for every employee to be aware of risky behaviors. Estimates are that 85-95 percent of successful breaches begin with phishing: email crafted to deliver a malware payload to a user's device or to trick the user into handing over credentials. Common techniques are a link that takes the user to a malicious server (serving malware or a look-alike login page), or an attached file containing malware that runs when the attachment is opened.
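As an added illustration (this is example code written for this page, not code from the article or from Steel Bubble), the script below applies the two tactics just described to a constructed sample email. It parses the message with Python's standard email library, flags HTML links whose visible text shows one host while the href leads to another, flags links that leave the clinic's expected domain, and flags attachments whose extension is commonly used to carry a payload. The sample message, the domain clinic-portal.example, and the extension list are assumptions made for the example; the checks are heuristics meant to support user training and mail filtering, not a replacement for either.

```python
"""Heuristic phishing triage for one raw email (added example; sample data is constructed).

Checks performed, using only the Python standard library:
  * HTML links whose visible text names one host while the href goes elsewhere;
  * HTML links whose href leaves the organization's expected domain;
  * attachments with extensions commonly used to deliver a malware payload.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list for this example; tune it to your own mail-filtering policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".docm", ".xlsm"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the <a> currently open, None outside one
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare 'host/path' text is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _extension(filename):
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def analyze_message(raw_message, expected_domain):
    """Return a list of findings (strings) for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:  # an attachment: judge it by its extension
            ext = _extension(filename)
            if ext in RISKY_EXTENSIONS:
                findings.append(f"attachment {filename!r} has a risky extension {ext}")
            continue
        if part.get_content_type() != "text/html":
            continue
        collector = _AnchorCollector()
        collector.feed(part.get_content())
        for href, text in collector.anchors:
            href_host = _host(href)
            # Visible text that looks like a URL but whose href points elsewhere
            if "." in text and " " not in text and _host(text) != href_host:
                findings.append(
                    f"link text {text!r} shows {_host(text)} but href goes to {href_host}")
            # Any link leaving the organization's own domain
            if href_host and href_host != expected_domain \
                    and not href_host.endswith("." + expected_domain):
                findings.append(f"link {href!r} points off the expected domain {expected_domain}")
    return findings


# Constructed sample message for the example (not a real email).
SAMPLE_EMAIL = """\
From: "Patient Portal" <alerts@clinic-portal.example>
To: frontdesk@clinic-portal.example
Subject: Action required: new lab results
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>New results are waiting. Sign in at
<a href="http://clinic-portal.example.login-verify.net/auth">https://clinic-portal.example/login</a>
to review them.</p>
<p>Our <a href="https://clinic-portal.example/privacy">privacy notice</a></p>
</body></html>
--XYZ
Content-Type: application/octet-stream; name="LabResults.pdf.exe"
Content-Disposition: attachment; filename="LabResults.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL, "clinic-portal.example"):
        print("SUSPICIOUS:", finding)
```

Run against the sample, the script reports the disguised login link twice (once for the text/href mismatch, once for leaving the clinic's domain) and the double-extension attachment, while the genuine privacy-notice link passes. The same three signals are what users should be trained to look for by hand: hover over the link, compare the host, and distrust attachments whose real extension is hidden behind a familiar one.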
The more convincing an email is, the more likely a user is to fall for it. Spear phishing, which draws on a user's personal interests to craft a more enticing message, is now commonly used to improve the odds that the user takes the bait.
Where do they get this personal information? A hacker need go no further than Facebook, Instagram, or LinkedIn. These media are usually rich with data about an individual's hobbies, family, and work, and an email touching on one of these areas is much more likely to be opened without a second thought.
Believe your users are protected from this sort of attack by antivirus programs? Think again. One recent estimate is that 360,000 new malware samples appear in the world each day, programs for which no signature yet exists. Such never-before-seen malware is often loosely called "zero-day" malware; strictly, a zero-day is an exploit for a vulnerability the vendor has not yet patched, but the practical point is the same: a signature-based antivirus definition list cannot recognize what it has never seen.
Continual user training is a must. Keeping hacker tactics at the front of users' minds makes them more likely to notice a phishing email when it lands in their inbox, resulting in fewer breaches.
Knowing that every device on a network can be a source of malware infection increases awareness and leads to more effective network hardening. Any device that joins the network, whether over WiFi or a cable, including personal phones and laptops, is capable of introducing malware.
No system is completely secure. All we can do is apply layer upon layer of hardening techniques. With each layer of protection, the risk of breach is lowered, and HIPAA kindly provides a road map to apply key protections.
Lamar Barnett is Founder and President of Steel Bubble, LLC, specializing in cybersecurity for small businesses and individuals. With more than 30 years of experience in software development and IT in organizations such as Capital One, NCR, and Memorex-Telex, he now shares his expertise to ensure HIPAA compliance and help lower risks associated with conducting business online. Find him at www.intromybiz.com/steelbubble