Healthcare Security: Average at Best?
Security Experts Give Mixed Grades to Healthcare Entities, BAs

In the wake of HIPAA Omnibus, healthcare organizations and business associates overall are doing a lackluster job with information security, and many are still failing to do even the basics well, some experts say.
"Of organizations I work with, I'd give them a C minus," says Brian Evans, a principal security and privacy consultant of Tom Walsh Consulting. "We have a ways to go. Blocking and tackling and fundamentals in information systems programs continue to be missed."
Evans isn't alone in his assessment. An informal survey of several security and privacy experts, including several consultants and a former government regulator, finds most give an average grade at best for the overall state of information security at covered entities and the business associates that provide services to those organizations. And some organizations are doing even worse.
Weak Spots
Among the most common weak spots are some basic but important elements of a strong information security program: timely and thorough risk assessments, documented policies and procedures, and relevant workforce training. Those are also areas that, with appropriate focus, can vastly improve the "grade" of information security programs, experts say.
"What I have seen in my experience at OCR and now in the private sector is a significant variability based on the size, scope and, frankly, the commitment of an organization to securing health information," says David Holtzman, who recently left his post as a senior adviser at the Department of Health and Human Services Office for Civil Rights, which enforces HIPAA.
While some organizations are making "tremendously valiant efforts" in their programs for securing patient data, unfortunately, that's not the case everywhere, says Holtzman, who's now vice president of privacy and security compliance services at consulting firm CynergisTek.
"At other organizations of the same size and type, leadership looks only at the return on investment," he says. "And because they are not aware they've ever had a breach or have never been the subject of an OCR or federal investigation involving health information privacy or security, they are just willing to roll the dice and take the risk."
Wide Variation
Although organizations of any size and type can have difficulties in their info security efforts, the biggest struggles are often seen among smaller healthcare providers and business associates.
"Relatively few organizations I encounter have excellent security programs since it takes ongoing executive level commitment and money," says Kate Borten, principal of security consulting firm The Marblehead Group. "Even within an organization, programs are uneven," she says. "Many hospitals, for example, do some things well, but then fall down in other areas."
Among covered entities, however, small clinics and physician practices are the weakest, she says. And although "some BAs are totally committed to security and privacy and their culture and processes reflect it ... many other BAs are just learning what security is all about," she notes.
Andrew Hicks, a director and healthcare practice lead at consulting firm Coalfire, also sees great disparities in the efforts of healthcare organizations versus BAs.
However, under the HIPAA Omnibus final rule, which went into effect last year, BAs, like covered entities, are now directly liable for HIPAA compliance. Those vendors, too, now face OCR penalties of up to $1.5 million per HIPAA violation.
While many of the covered entities he deals with are doing "average" in their efforts, many BAs new to HIPAA compliance demands are failing, Hicks says.
"These are the guys who are still spelling 'HIPAA' with two Ps, and they have no idea what they're on the hook for," he says.
Room for Improvement
While the experts say healthcare entities and business associates are likely to continue seeing varying degrees of success in their information security efforts, there are a few key steps that can help quickly improve the grades of those who are struggling the most.
Those steps include basic tasks that were also found to be major weaknesses by OCR in its 2012 pilot HIPAA compliance audit program that evaluated 115 covered entities, Holtzman says.
"A lot of things tie back to doing a risk assessment, having policies and procedures in place, encryption - those are the top priorities, and have been for some time in terms of kick starting your compliance program," he says.
The basics also include getting security buy-in from an organization's leaders, assigning accountability, as well as having in place a breach response plan.
For instance, many healthcare organizations use a "volunteer firefighter model," taking inadequate steps to prepare for incidents, Evans says. Organizations need to assign in advance the key players who should be involved with incident response, he says.
Also, because many breaches involve insiders, workforce awareness programs are another area that needs improvement at many organizations, Borten says.
"Commercial training products often have inadequate content, incorrect information about HIPAA, and poor test questions," she says. "Organizations need to customize or supplement that training content with their own specific security policies. Generic content only goes so far."
Finally, there's one key factor that all healthcare entities and BAs need to keep in mind when it comes to their overall information security programs, Holtzman says.
"Health information and your data - if you're an organization in healthcare, you should look at that as the most important asset that you have and take appropriate steps to protect it, just as you'd protect the financial streams and the payment streams that are coming through your organization," he says. "Value it as you would any prime financial asset, and invest in it."
A free March 25 webinar will feature a summary of the results of the third annual Healthcare Information Security Today survey from Information Security Media Group. A report on the full results of the survey will be available in April.