Targeted Attacks: Increase Focus on Healthcare
In the last six months there has been one industry that has been in the limelight for being attacked and breached at a greater rate than others-healthcare. When HIPAA was enacted, it was designed to, among other aspects, further secure the patient’s data, medical records, and personal health information. This should be done within the template and parameters provided by HIPAA. The statute is relatively clear as to the guidance.
Although HIPAA is well publicized, there has been a bit of a cottage industry centered on the application of security to the specific business environment. It seems as though daily there are emails sent by vendors that will assist in securing the environment where the health and patient information is maintained. This has taken the form of webinars, articles, seminars, consultants, etc. all willing to assist...for a price. These are purchased with ease and declare ease of application and a thorough application of HIPAA. With any service from multiple vendors, not all of the services are of the same quality. These would need to be vetted prior to purchase and implementation.
With the amount of effort present to secure the enterprise, patient records, and PHI, it would appear all is well. After all, with the vast number of resources from third parties along with government guidance, there should not be a significant number of issues in the environment. With the abundance of publications, the breaches should be minimal at best.
This however is not the case as this industry has been targeted at length at a greater frequency than others. There is a distinct value with medical records. Each medical record has a value that is significantly greater than dozens of credit card numbers. Although this value has declined within the last few months, it is still much greater than a consumer’s credit card numbers. Also, certain entities are not applying the HIPAA framework for their enterprise, or are applying a portion of this. With either result, the infosec platform is not being treated as it should to comply with HIPAA. It may be easier and less confrontational to not implement certain aspects, it is mandatory; not optional. For instance, if a third party is used for the business email, there are certain extra steps that have to be taken to comply with HIPAA, i.e. Business Associate Agreement (BAA). If this is not completely signed and implemented, the business is not in compliance and if there is an issue, the business and not the third party would be directly reviewed.
This does appear to be counter-intuitive. With the effects of non-compliance with HIPAA, it would seem as though the CISO and CTO would be jumping to complete the compliant acts. This is still not occurring. This phenomena is due to a series of issues present in the environment including but not limited to apathy.
About the author
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.