HIPAA has been widely touted as the gold standard for privacy within the healthcare field. Over the past decade, organizations have overhauled their IT systems to ensure data storage, access and login procedures are in line with HIPAA’s stringent requirements. But according to some security professionals, they may be doing so at the expense of other security measures.
A recent article in Health Data Management discusses the newly revealed cyber attack against Excellus BlueCross BlueShield. While the attack occurred sometime in December of 2013, it was only made public last week that personal information on at least 8.5 million customers had been exposed. According to Mac McMillan, CEO at security consultant CynergisTek, the problem isn’t a lack of vigilance, but a hyper-focus on meeting HIPAA requirements.
“We’re focusing on HIPAA at the expense of just improving security,” said McMillan. He said that many healthcare organizations are caught up with complying with HIPAA on a granular level, making sure users have proper IDs and passwords governing their access levels. But they are doing this at the expense of enforcing strong passwords that are regularly changed and are abandoning other standard security practices as well.
One of those standard practices is data encryption, and some healthcare organizations are simply not using it over fears it will slow down processing speeds. Many large companies are simply not monitoring their networks since it isn’t a priority – until something like the Blue Cross hack happens to get them to take notice.
Having proper monitoring and detection solutions running along the network perimeter can go a long way toward catching and blocking unwanted traffic, along with encrypting both devices and data and implementing stringent firewall rules. McMillan adds that having proper procedures in place, together with remediation services for cleaning and recovering networks, before an attack occurs is also a major defense against a cyber attack.
Another major security measure many healthcare organizations haven’t taken is to segment their networks, putting critical data in areas that are not as accessible as the rest of the network. And of course, certain data absolutely needs to be encrypted, even at the expense of fast processing speeds.
Finally, healthcare organizations can look to trusted security professionals and consultants to handle some of the burden. By simply outsourcing the task of monitoring login information, these companies can benefit from having trained professionals analyzing login activity and attempts on a 24/7 basis, preventing disasters like the Blue Cross cyber attack.
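The round-the-clock analysis of login activity described above has a minimal, automatable core: watching authentication logs for bursts of failed logins from one source and for a success that follows such a burst. The script below is an added example written for this page, not code from the article or from any vendor it names. It assumes a constructed syslog-like line format, a hypothetical threshold of five failures within five minutes, and sample lines using documentation IP ranges; the names `parse_line` and `detect_login_abuse` are the example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log in a syslog-like layout.
# These lines are illustrative and are not taken from the article or the breach.
SAMPLE_LOG = """\
2013-12-01T02:14:01Z auth sshd: Failed password for admin from 203.0.113.7
2013-12-01T02:14:03Z auth sshd: Failed password for admin from 203.0.113.7
2013-12-01T02:14:05Z auth sshd: Failed password for root from 203.0.113.7
2013-12-01T02:14:07Z auth sshd: Failed password for admin from 203.0.113.7
2013-12-01T02:14:09Z auth sshd: Failed password for admin from 203.0.113.7
2013-12-01T02:14:11Z auth sshd: Failed password for admin from 203.0.113.7
2013-12-01T02:14:15Z auth sshd: Accepted password for admin from 203.0.113.7
2013-12-01T02:20:30Z auth sshd: Failed password for jsmith from 198.51.100.4
2013-12-01T02:20:41Z auth sshd: Accepted password for jsmith from 198.51.100.4
2013-12-01T02:40:00Z auth sshd: Failed password for admin from 203.0.113.7
"""

# Assumed line format (hypothetical): "<ISO timestamp> auth sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth sshd: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_login_abuse(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logins inside a sliding time window,
    and any successful login from a source whose burst is still inside that window."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures still in window
    alerted = set()               # sources already reported for their current burst
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if not q:
            alerted.discard(ev["src"])              # burst ended; a new one may be reported later
        if ev["outcome"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append({
                    "type": "failed_login_burst",
                    "src": ev["src"],
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),   # several users => spraying pattern
                    "at": ev["ts"].isoformat(),
                })
        elif len(q) >= threshold:
            # A success right after a burst of failures is the event worth paging on.
            alerts.append({
                "type": "success_after_burst",
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the detector raises two alerts: a failed-login burst from 203.0.113.7 once the fifth failure lands, and a success-after-burst when that same source then logs in as admin. The single failure followed by a success from 198.51.100.4 stays quiet, as does the lone failure at 02:40, which falls outside the five-minute window. The success-after-burst alert is the one that should trigger an immediate response: it is exactly the kind of event that goes unnoticed when nobody is watching the logs.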
Edited by Rory J. Thompson