[BreachExchange] Are Small Hospitals More Vulnerable to Data Breaches?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 4 18:57:27 EST 2018


Hospitals face significant challenges in protecting patient data, and these
challenges are even more acute for small community hospitals, which
sometimes experience issues with staffing and lack of expertise.

The most obvious issue facing many hospitals is simply the age, and in some
cases the near-obsolescence, of their hardware and software. Unsupported
software such as Windows XP or end-of-life database versions has publicly
known security holes that no longer receive vendor fixes and that attackers
can exploit with freely available tools. Even if a hospital runs supported
software, it may not update it often enough. Patches should be applied on a
regular cycle of at most 90 days, with critical fixes applied much sooner,
not once a year as some hospitals do.

Many hospitals, especially in rural areas, don’t have sufficient health IT
staff. Seven out of 10 providers report that their IT departments are
understaffed, according to a survey by the Health Information Management
and Systems Society (HIMSS). The IT professionals in these facilities are
so focused on day-to-day issues and putting out fires that they don’t have
enough time to focus on big-picture issues such as data security strategy.
While the national shortage of health IT workers is partly to blame, many
smaller hospitals simply can’t afford to hire more staff.

Nevertheless, the security of protected health information (PHI) is not
optional. For one thing, it is required for compliance with the Health
Insurance Portability and Accountability Act of 1996 (HIPAA). Security
breaches can also harm patients and lead to costly class action suits.
Community hospitals must figure out how to up their security game without
spending a lot more money on health IT.

Greater Security at Lower Cost

Hospitals can solve some data-security problems while reducing their
in-house IT expenses by moving from on-site to cloud-based data storage.
This approach gives hospitals always-available backup and disaster recovery
capabilities. It also removes the need to maintain and update much of the
hospital’s IT infrastructure, and it can save hospitals the cost of buying
new hardware at regular intervals.

Transitioning PHI to the cloud greatly reduces the risks that come with
employees and others having physical access to servers in an on-site data
center. With cloud storage, a rogue employee or criminal can't simply open
a door and damage or remove hardware. The trade-off is that the hospital's
cloud credentials become the new door: whoever holds an administrator's
login can reach the same data from anywhere, so strong authentication and
tightly scoped accounts matter more, not less.

The cloud also helps hospitals overcome the problem of having too few staff
members dedicated to protecting PHI. Cloud providers have highly trained
security teams and 24/7 monitoring. When using a cloud provider, a hospital
“inherits” that company’s security posture and its technical policies and
procedures for the parts of the stack the provider operates. From reviewing
audit logs to active patch management, administrative rights and access
controls, cloud providers generally offer stronger security for that
infrastructure than on-site client-server systems, because these tasks are
what they specialize in. What a hospital does not inherit is responsibility
for its own side of the arrangement: which users have accounts, how storage
and sharing are configured, and whether its own workstations are patched
remain the hospital's job, and a misconfigured cloud storage bucket is every
bit as exposed as an unlocked server room.

Moreover, when a hospital hires a HIPAA-compliant cloud provider, the
latter must sign a business associate agreement (BAA). Under a BAA, the
cloud provider is itself directly liable under HIPAA for safeguarding the
PHI on its systems, while the hospital, as the covered entity, remains
responsible for how it uses the service.

Security Risk Analysis Basics

Community hospitals, like other healthcare providers, must perform security
risk analyses (SRAs) to comply with the HIPAA security rule. Some smaller
facilities try to perform these analyses on their own, but that is a
mistake. In most cases, they lack sufficient staff to do this work on a
regular basis. They also lack the expertise required for this complex task.

Within the SRA are three “buckets” of safeguards:

- Administrative
- Physical
- Technical

The most important technical safeguard is encryption of PHI at rest and in
transit, with data in use protected as far as the systems allow. A key
point here is that HIPAA does not strictly mandate encryption of data at
rest: under the Security Rule it is an “addressable” specification, so a
hospital must either implement it or document why it is not reasonable and
what equivalent protection it uses instead. In practice the choice is easy.
Sophisticated attackers who penetrate a database try to take as much data
as possible, and stolen PHI that was properly encrypted is not treated as
“unsecured” under the breach notification rule, whereas a breach of
unencrypted data is. Failing to encrypt can therefore have serious
consequences.

The HIPAA Security Rule requires covered entities to keep retrievable exact
copies of electronic PHI as part of a data backup plan. The big question
here is: How often do you back up your data? We recommend that hospitals
back up mission-critical data daily and do full backups weekly. These
backups need to be encrypted and kept off site. The advantage of daily
backups is that, if a hospital is hit with a ransomware attack, it has lost
at most one day of the data its providers need to deliver care, provided
the backups themselves are kept offline or otherwise out of the attacker's
reach; ransomware that can reach a network-attached backup share will
encrypt the backups along with everything else.
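A concrete way to check that a backup set actually meets the policy above
(daily incremental, weekly full, encrypted, off site, and out of reach of
ransomware), as an added example in Python that is not part of the original
article. The BackupRecord manifest, the file headers and the entropy-based
looks_encrypted heuristic are constructed for illustration; a real deployment
would read the headers from the backup store and tune the thresholds.

```python
"""Added example: verify a backup set against a daily/weekly, encrypted,
off-site, ransomware-resistant backup policy.

The BackupRecord entries and the header bytes below are constructed for
illustration; in practice the header would be read from the backup store.
"""
import math
import random
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupRecord:
    name: str
    kind: str              # "full" or "incremental"
    captured_at: datetime  # timezone-aware
    offsite: bool          # a copy exists outside the hospital's own data center
    immutable: bool        # write-once or offline copy that ransomware on the LAN cannot overwrite
    header: bytes          # first few KB of the backup file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit near 8.0, text and SQL dumps far below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Plaintext / archive markers: SQL dump comments and DDL, XML, zip and gzip headers.
PLAINTEXT_MARKERS = (b"--", b"CREATE", b"INSERT", b"<?xml", b"PK\x03\x04", b"\x1f\x8b")


def looks_encrypted(header: bytes) -> bool:
    """Heuristic only: high entropy and no recognizable plaintext or archive marker.

    A compressed but unencrypted archive also has high entropy, which is why
    the marker check is applied in addition to the entropy threshold.
    """
    return shannon_entropy(header) > 7.5 and not header.lstrip().startswith(PLAINTEXT_MARKERS)


def evaluate_backups(records, now,
                     max_incremental_age=timedelta(days=1),
                     max_full_age=timedelta(days=7)):
    """Return a list of policy findings; an empty list means the set passes."""
    findings = []
    if not records:
        return ["no backups recorded"]
    latest = max(records, key=lambda r: r.captured_at)
    age = now - latest.captured_at
    if age > max_incremental_age:
        findings.append(f"latest backup {latest.name} is {age.days} days old "
                        f"(limit {max_incremental_age.days})")
    fulls = [r for r in records if r.kind == "full"]
    if not fulls or now - max(r.captured_at for r in fulls) > max_full_age:
        findings.append(f"no full backup within the last {max_full_age.days} days")
    for r in records:
        if not r.offsite:
            findings.append(f"{r.name} is stored on site only")
        if not r.immutable:
            findings.append(f"{r.name} is writable from the network; ransomware could encrypt it too")
        if not looks_encrypted(r.header):
            findings.append(f"{r.name} appears unencrypted ({shannon_entropy(r.header):.2f} bits/byte)")
    return findings


# Constructed sample data: CIPHERTEXT_HEADER is deterministic pseudo-random bytes standing in
# for the start of an encrypted backup; SQL_DUMP_HEADER is the start of a plaintext SQL dump.
NOW = datetime(2018, 1, 4, 18, 0, tzinfo=timezone.utc)
_rng = random.Random(7)
CIPHERTEXT_HEADER = bytes(_rng.getrandbits(8) for _ in range(4096))
SQL_DUMP_HEADER = b"-- MySQL dump 10.13\nCREATE TABLE patients (id INT, name VARCHAR(64));\n" * 40

SAMPLE_RECORDS = [
    BackupRecord("full-2018-01-01", "full", NOW - timedelta(days=3), True, True, CIPHERTEXT_HEADER),
    BackupRecord("incr-2018-01-04", "incremental", NOW - timedelta(hours=16), True, True, CIPHERTEXT_HEADER),
    BackupRecord("incr-onsite-2018-01-03", "incremental", NOW - timedelta(days=1, hours=16),
                 False, False, SQL_DUMP_HEADER),
]

if __name__ == "__main__":
    for finding in evaluate_backups(SAMPLE_RECORDS, NOW) or ["backup policy satisfied"]:
        print(finding)
```

Run against the constructed manifest, the two off-site, immutable, encrypted
copies pass and the on-site plaintext copy produces three findings. The
entropy test is deliberately a heuristic: it tells you a backup is probably
not ciphertext, not that the encryption in use is sound, so it complements
rather than replaces checking the backup tool's configuration.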

Compliance Dashboard

One recent innovation that has made HIPAA compliance easier is a dashboard
that monitors hospitals’ IT systems and alerts staff to any potential
problems. Ideally, the compliance dashboard would track anti-virus,
anti-malware and intrusion detection systems, along with audit reporting
and raw logs of all operating system activity in one centralized location.
A key portion of this dashboard is a HIPAA-compliance scorecard that maps a
hospital’s compliance with HIPAA regulations, providing hospital
administrators with a daily update on compliance status.

The most important part of an SRA is the remediation plan, which
prioritizes issues and describes how to address them. Classifying risks
into categories of high, medium and low concern, the remediation plan
focuses on the highest risks and lays out the steps needed to improve
security in those areas. This process is very educational for a hospital’s
IT staff, who appreciate the ability to deepen their professional knowledge.

While it may seem daunting at first, transitioning PHI to the cloud offers
numerous advantages to hospitals and health systems, including lower costs,
greater security and less liability exposure, when compared with on-site
data centers. No hospital is able to mitigate every risk, but
administrators can rest easier knowing that their data is secure with an
experienced cloud provider. Staying out in front of hackers is always a
race, but moving PHI to the cloud can help keep hospitals one step ahead.