HEALTH DATA SECURITY –
IT’S MORE THAN JUST A HIPAA ISSUE
The Community Health System (CHS) health data breach has released a new flood of articles concerning health data security
(HDS). Some of the articles predict an evolving epidemic of health data breaches with a professed antidote of greater
vigilance to HIPAA regulations [1]. However, the challenges of HDS go far beyond HIPAA alone.
Information hacking has evolved from merely a niche activity, conducted for retaliatory intent or to amass notoriety, to a full-scale, economically motivated “business.” Hackers function within extremely sophisticated operating environments, complete
with international switching mechanisms, open source code and “bot” sharing, business continuity and disaster recovery
capabilities, and security protection that exceed those of the organizations they attack.
The progression of information hacking is partially explained through the transition from deliberate targeted attacks to
opportunistic attacks based on information obtained from reconnaissance scans [2]. Hackers are using bots to generate millions
of probes scanning for both the breadth of an organization’s information presence and the vulnerability of their information
assets. When a high-value – i.e., large information presence – organization is detected and appears to be vulnerable,
hackers launch targeted attacks intended to compromise the organization’s information assets.
Prompted by patient portals required under Meaningful Use, access to health information through mobile devices by both patients
and providers, and information sharing via health information exchanges, the information breadth of all healthcare
organizations is rapidly expanding. Such growth will increasingly identify these organizations as opportunistic targets for
attacks. Additionally, as medical devices increasingly depend upon the collection, processing and communication of data,
information presence broadens even more.
HDS vigilance is certainly paramount, but needs to be complemented with advanced detection and rapid intervention.
Detection needs to recognize scanning probes, not just targeted attacks. Once detected, aggressive intervention needs to be
enacted prior to the occurrence of a targeted attack. Only through such an expanded approach that incorporates HIPAA
regulations, rather than depending solely upon them, can organizations enact truly effective HDS programs.
For more information, contact
The Huntzinger Management Group, Inc. at
570.824.4721
huntzingergroup.com
1. Eastwood, B. (2014, August 25). Community Health Breach Highlights Healthcare Security Vulnerabilities. CIO. Retrieved from
http://www.cio.com/article/2597970/healthcare/community-health-breach-highlights-healthcare-security-vulnerabilities.html
2. Ransbotham, S. and Mitra, S. (2009). Choice and Chance: A Conceptual Model of Paths to Information Security Compromise.
Information Systems Research. doi:10.1287/isre.1080.0174