When it comes to patient data privacy, compliance and security differ

Get a copy of the upcoming book "Secure Operations Technology"

If a name perfectly underscored a growing issue of concern, it’s Anthem. In February, the health insurance plan provider disclosed cyber attackers had breached its IT system for several weeks and obtained consumers’ personal data. The message this revelation spread is that healthcare-related organizations are increasingly prime targets for hackers and cyber thieves.

Retailers, of course, also have been frequent marks, with millions of consumer files breached. But with the retail industry toughening its data defenses and financial institutions cancelling cards to protect consumers, cyber crooks are turning to what they consider more valuable and vulnerable targets: healthcare organizations. Blame the growing number of entry points to protected health information and other sensitive data via electronic health and personal records.

In addition, for one reason or another, many healthcare-related organizations just haven’t done all that much to tighten their network security or invest in more sophisticated event monitoring to better secure their patients’ records, including health and financial data.

As a result, healthcare organizations accounted for 42 percent of all major data breaches reported in 2014. And Experian, which issued its second annual Data Breach Industry Forecast in December, expects that percentage to grow “until the industry comes up with a stronger solution to improve its cybersecurity strategies,” as asserted by Michael Bruemmer, vice president at Experian Data Breach Resolution, in a written statement accompanying the report.

Why the problem?
Why healthcare organizations – from hospitals, physician groups, pharmacies and others that process healthcare data – haven’t done more on the security front?

To be sure, they recognize they must comply with federal regulations dictated by the Health Insurance Portability and Accountability Act of 1996, or HIPAA. Among its primary goals is to protect the confidentiality and security of healthcare information. The Department of Health and Human Services’ Office for Civil Rights enforces the HIPAA Privacy Rule, Security Rule, Breach Notification Rule and the confidentiality provisions of the Patient Safety Rule.

Healthcare organizations know they have other compliance regulations and standards that affect them – Payment Card Industry Data Security Standard (PCI-DSS) for example, which sets an information security standard to protect consumer data privacy, applicable to all organizations accepting credit cards.

Penalties for violations can be steep. HIPAA fines alone can start at $100 and go as high as $50,000, capping at $1.5 million depending on the scale of the breach. From 2009 through May 2014, $25.1 million in fines were levied.

But those penalties were assessed after data breaches occurred. HIPAA enforcers don’t do much, if any, proactive monitoring or policing. In addition, under HIPAA, healthcare providers have “required” and “addressable” specifications to decipher and they remain fuzzy. When rules are left up to interpretation, many companies collecting sensitive health information will not go beyond what is mandatory to secure it.

Further, a growing number of technology-related apps and tools are emerging in the health field. These are being offered by many major healthcare organizations to offer convenient service, and are collecting personal and health information – like home addresses, prescriptions and more – but don’t fall under HIPPA standards.

Consequently, many healthcare-related organizations would rather take their chances with being hacked than pay the sizeable capital expenses required for establishing layered IT defenses. What healthcare organizations are banking on is the oversight that when it comes to patient and consumer privacy, compliance and security are the same.

An increasingly popular alternative
The avalanche of healthcare-related data breaches is waking up the industry, especially large organizations – from hospitals and insurers to major pharmacy companies with or without walk-in wellness clinics – to do more on the security front. Increasingly, they are turning to managed security service providers, or MSSPs.

Health companies’ extended branches and store locations are collecting more patient and customer data than ever before, and by employing a security service provider, organizations install a defense for their entire distributed network – not just headquarters. An MSSP manages complex monitoring and advanced correlation techniques to identify and track suspicious network behavior. Logs are collected from all medical offices and stores within a network, and channeled into one location, where experts compare events, and pick up on issues that traditional security devices are unable to interpret.

Without correlation and a human security expert monitoring, no hardware/software alone could make these connections. A strong MSSP not only secures its clients’ networks but also educates them on ways to better secure their infrastructures. It uses the latest Security Information Event Monitoring (SIEM), antivirus, antispam and management services to identify where network patches are needed, and assist the company’s’ internal network by defining susceptibility. Plus, an MSSP can provide guidance and suggested solutions to organizations who must become security compliant.

As the Internet, the Cloud and the nascent Internet of Things grow ever-more complex and vast, it’s just a matter of time before every healthcare-related organization will grasp the consequences of a data breach – not just financial but reputational. But, by then, it may be too late.