HEALTH DATA SECURITY – IT’S MORE THAN JUST A HIPAA ISSUE The Community Health System (CHS) health data breach has released a new flood of articles concerning health data security (HDS). Some of the articles predict an evolving epidemic of health data breaches with a professed antidote of greater vigilance to HIPAA regulations1. However, the challenges of HDS go far beyond HIPAA alone. Information hacking has evolved from merely a niche activity, conducted for retaliatory intent or to amass notoriety, to a fullscale, economically motivated “business.” Hackers function within extremely sophisticated operating environments, complete with international switching mechanisms, open source code and “bot” sharing, business continuity and disaster recovery capabilities, and security protection that exceed those of the organizations they attack. The progression of information hacking is partially explained through the transition from deliberate targeted attacks to opportunistic attacks based on information obtained from reconnaissance scans2. Hackers are using bots to generate millions of probes scanning for both the breadth of an organization’s information presence and the vulnerability of their information assets. When a high-value – i.e., large information presence – organization is detected and appears to be vulnerable, hackers launch targeted attacks intended to compromise the organization’s information assets. Prompted by Meaningful Use required patient portals, access to health information through mobile devices by both patients and providers, and information sharing via health information exchanges, the information breadth of all healthcare organizations is rapidly expanding. Such growth will increasingly identify these organizations as opportunistic targets for attacks. Additionally, as medical devices increasingly depend upon the collection, processing and communication of data, information presence broadens even more. HDS vigilance is certainly paramount, but needs to be complemented with advanced detection and rapid intervention. Detection needs to recognize scanning probes, not just targeted attacks. Once detected, aggressive intervention needs to be enacted prior to the occurrence of a targeted attack. Only through such an expanded approach that incorporates HIPAA regulations, rather than depending solely upon them, can organizations enact truly effective HDS programs. For more information, contact The Huntzinger Management Group, Inc. at 570.824.4721 or email at [email protected] huntzingergroup.com 1. Eastwood, B. (2014, August 25). Community Health Breach Highlights Healthcare Security Vulnerabilities | CIO. (n.d.). Retrieved from http://www.cio.com/article/2597970/healthcare/community-health-breach-highlights-healthcare-security-vulnerabilities.html 2. Ransbotham, S. and Mitra, S. (2009) Choice and Chance: A Conceptual Model of Paths to Information Security Compromise. Information Systems Research. doi:10.1287/isre.1080.0174