[BreachExchange] Healthcare Data Breaches In The Age Of HIPAA — A Chronic Or An Acute Condition?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 4 19:48:41 EDT 2016


http://www.healthitoutcomes.com/doc/healthcare-data-breaches-age-hipaa-chronic-acute-condition-0001

A recent study by the law firm Baker Hostetler revealed more healthcare
data breaches occurred in 2015 than any other type of data security event.
The report agrees with previous analyses indicating healthcare is
consistently one of the industries most affected by privacy and security
violations.

Violations of the Health Insurance Portability and Accountability Act of
1996 (HIPAA) are especially difficult to detect and potentially calamitous
because of that difficulty. If a single Social Security number leaves a
healthcare provider’s facility, the loss can be catastrophic to the holder
of that Social Security number. Almost by definition, data losses by
smaller providers don’t hit the radar, or the headlines, but that doesn’t
diminish their power to do real damage. In the case of that Social Security
breach, every patient that provider serves is a victim as well. And smaller
organizations have both a harder time being secure and being aware of their
security situation.

It’s generally smart to deploy Data Loss Prevention (DLP), the standard
software approach for determining whether a breach has occurred, but DLP isn’t
a panacea and can monitor only so much. While DLP may make life easier, it’s
certainly not required for HIPAA compliance.

While DLP software deployment is essentially a minimalist approach, that
doesn’t make it any less necessary. But other risks abound and, without
being alarmist, are actually becoming more acute. Distributed Denial of
Service (DDoS) attacks are insidious and by no means limited to larger,
more visible healthcare institutions.

Given the rising threat of malevolent actors subjecting hospitals and other
enterprises to ransom demands and the sheer frequency of DDoS incidents,
organizations need to up the ante in terms of how they regard security as
well as how they anticipate and respond to the risk of business
interruption online. Savvy hosting providers are implementing DDoS attack
protection for their healthcare clients across the board. As the security
environment changes, so should every organization’s response to that
environment.

The perp in this case is the massive volumetric attack. These types of
attacks represent something new and especially troubling, and no single
firewall can stop them. According to industry analysts, volumetric attacks
rank as the most common type of DDoS incident, accounting for an estimated
65 percent of the total reported.

What makes these volumetric attacks special? Consider that a front-line
hosting company typically supports multiple 1 Gbps interfaces to the
Internet. When someone launches a volumetric attack, they’re likely to send
800 Gbps through a pipe that simply can’t accept anywhere near that much
data.

New, state-of-the-art volumetric attack protection provides real-time DDoS
mitigation by automatically analyzing DDoS alerts and deploying routing
commands, so that immediate action is taken when a genuine DDoS attack is
detected — all without any human intervention. Volumetric attack protection
is precisely the kind of proactive step that HIPAA-compliant providers need
to take on behalf of their healthcare clients.
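The two paragraphs above describe the mechanism only in outline: traffic far
beyond a 1 Gbps interface arrives, an alert is analyzed, and a routing change
is pushed without a human in the loop. The following is an added example,
not code from the article or from any hosting provider's product, that models
that decision step as a testable function. The interface capacity, the 80
percent diversion threshold, the two-tier policy (divert to scrubbing vs.
blackhole) and all traffic samples are constructed assumptions; the "routing
commands" it emits are placeholder strings, not any vendor's CLI syntax.

```python
"""Threshold-based volumetric DDoS triage over per-destination traffic samples.

Added illustration (assumptions, not the article's or any vendor's design):
a pure decision function that turns a window of per-destination byte counts
into a mitigation plan, so the "automatic analysis + routing command" step
can be unit-tested without touching a real router.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed: one 1 Gbps edge interface, as in the article's hosting scenario.
INTERFACE_CAPACITY_BPS = 1_000_000_000

# Assumed operator policy: divert a destination to scrubbing once it would
# consume more than this fraction of the link; blackhole it once it exceeds
# the link outright (the pipe is saturated either way, so protect neighbours).
DIVERT_RATIO = 0.8


@dataclass(frozen=True)
class FlowSample:
    ts: int          # seconds since the start of the measurement window
    dst_ip: str      # destination being flooded (or not)
    byte_count: int  # bytes seen for that destination in this one-second sample


# Constructed samples over a 10-second window, using TEST-NET addresses:
#   203.0.113.10 -> 1.2 Gbps  (exceeds the link: blackhole tier)
#   203.0.113.30 -> 850 Mbps  (above 80 % of the link: divert tier)
#   203.0.113.20 -> 50 Mbps   (normal traffic: leave alone)
WINDOW_SECONDS = 10
SAMPLES = (
    [FlowSample(t, "203.0.113.10", 150_000_000) for t in range(WINDOW_SECONDS)]
    + [FlowSample(t, "203.0.113.30", 106_250_000) for t in range(WINDOW_SECONDS)]
    + [FlowSample(t, "203.0.113.20", 6_250_000) for t in range(WINDOW_SECONDS)]
)


def rate_per_destination(samples, window_seconds):
    """Average inbound bits per second per destination over the window."""
    totals = defaultdict(int)
    for s in samples:
        totals[s.dst_ip] += s.byte_count
    return {ip: total * 8 / window_seconds for ip, total in totals.items()}


def classify(bps, capacity_bps=INTERFACE_CAPACITY_BPS, divert_ratio=DIVERT_RATIO):
    """Map a measured rate to an action under the assumed two-tier policy."""
    if bps > capacity_bps:
        return "blackhole"
    if bps > capacity_bps * divert_ratio:
        return "divert"
    return "allow"


def plan_mitigation(samples, window_seconds=WINDOW_SECONDS,
                    capacity_bps=INTERFACE_CAPACITY_BPS, divert_ratio=DIVERT_RATIO):
    """Return [(dst_ip, action, bps), ...] sorted by rate, highest first.

    Only destinations needing action are returned, so an empty list means
    the window looked normal and nothing should be pushed to the routers.
    """
    rates = rate_per_destination(samples, window_seconds)
    plan = []
    for ip, bps in rates.items():
        action = classify(bps, capacity_bps, divert_ratio)
        if action != "allow":
            plan.append((ip, action, bps))
    plan.sort(key=lambda entry: entry[2], reverse=True)
    return plan


def routing_commands(plan):
    """Render the plan as operator-readable placeholder commands.

    These strings are deliberately vendor-neutral placeholders; a real
    deployment would map them to BGP blackhole / FlowSpec announcements.
    """
    rendered = []
    for ip, action, bps in plan:
        if action == "blackhole":
            rendered.append(f"announce {ip}/32 next-hop BLACKHOLE  # {bps/1e9:.2f} Gbps")
        else:
            rendered.append(f"announce {ip}/32 next-hop SCRUBBING  # {bps/1e6:.0f} Mbps")
    return rendered


if __name__ == "__main__":
    for line in routing_commands(plan_mitigation(SAMPLES)):
        print(line)
```

Run it and the flooded host is blackholed, the borderline host is diverted,
and the ordinary host never appears in the plan. Keeping `plan_mitigation`
free of side effects is the point: the "no human intervention" path is only
safe to automate when the decision can be replayed against captured windows
and checked for false positives before any route is ever announced.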

Every upstream provider that handles data needs to sign a business
associate agreement (BAA) in order to be in the HIPAA food chain. A BAA
under HIPAA is a sort of promissory note that the IT provider will adhere
to the HIPAA law. But a BAA doesn’t compel compliance or insulate providers
from liability or responsibility — that’s why healthcare providers looking
for IT support need to exercise extraordinary due diligence. As of right
now, there’s a persistent lack of clarity around HIPAA, and nothing has
been tested in court. The fact is, HIPAA compliance comes with disturbingly
few obligations. Perhaps owing to whatever legislative sausage-making gave
birth to the law, HIPAA offers no guidance on how to follow it.

That said, healthcare providers are still subject to the full extent of the
HIPAA law. The prudent strategy is to partner with a technology vendor the
healthcare provider can validate as fully engaged in HIPAA protocols. HIPAA
compliance should be regarded as a responsibility and an opportunity — not
a burden.