The False Promise of HIPAA for Healthcare Cybersecurity
Article Courtesy of: Health IT Security
The recent ransomware attack on Hollywood Presbyterian Medical Center highlights the healthcare cybersecurity risks organizations face today. Unfortunately, this cyber attack also reveals the inadequacy of the HIPAA Security Rule to provide guidance on the numerous healthcare cybersecurity threats that are not associated with ePHI.
The reasons why HIPAA is poorly suited for the risks posed by cyber threats fall into three categories.
The first is that this regulatory approach is narrowly focused on the security of PHI and addresses only a part of the overall cyber threat.
The second is that a rules-based risk management approach does not work to mitigate the full range of cyber threats and cannot help healthcare organizations increase resilience against an attack.
Finally, a compliance approach to healthcare cybersecurity creates an organizational governance structure that inhibits framing cyber risk as an organization-wide issue and impedes executive and board engagement.
The HIPAA Security Rule established security standards for protecting electronic health information as an extension of the protections already contained in the previously adopted Privacy Rule. Recent experience demonstrates, however, that healthcare providers face numerous cyber risks that have nothing to do with patient information but nevertheless have potentially significant consequences.
The Hollywood Presbyterian attack reportedly did not expose patient data, but it did disrupt hospital operations for 10 days and required a ransom payment to decrypt electronic health records. That same week Magnolia Health Corporation was attacked and employee data was exposed, requiring mandatory state breach disclosure and costs associated with identity theft and credit protection services.
In 2014, Boston Children’s Hospital was attacked, allegedly by the hacktivist group Anonymous, disrupting some hospital operations for “at least seven days.”
The rules-based, compliance-oriented cyber risk management approach works well for healthcare providers that must be in compliance with HIPAA. The problem with this approach is that it gives healthcare executives false confidence that HIPAA Security Rule compliance equates to effective cybersecurity risk management.
Harvard Business School professors Robert Kaplan and Anette Mikes have written that risk management is too often constrained by this compliance-oriented thinking. In order for healthcare organizations to develop and implement effective cybersecurity risk management programs, they must recognize and mitigate two other types of cybersecurity risks: strategy risks and external risks.
Healthcare providers are making strategy decisions on integrating EHR systems, increasing the use of telemedicine and purchasing medical devices that are increasingly Internet-connected, all of which introduce additional cyber risk not covered by HIPAA.
These strategy decisions need to be accompanied with a cybersecurity risk strategy to ensure that senior executives are aware of the cyber risks they are assuming and to be confident that these risks can be managed.
An increasing number of cyber risks faced by healthcare providers are external risks from criminals and hacktivists, some of which will not be prevented. In this case, cyber risk management approaches need to be designed to best understand and frame the range of possible consequences to healthcare organizations and develop plans to lessen the effects.
The time to have a plan for a cyber event is before it occurs, not after.