WinMagic
Another day, another data breach. Recent high-profile attacks reveal the hackers’ techniques are evolving – and so are the targets. In 2014, security breaches hit the retail industry hard, but in 2015, it’s healthcare providers that are taking center stage for a new wave of attacks. On a single day in January alone, two U.S. healthcare insurance providers reported to the FBI they suffered breaches, together exposing nearly 100 million customer records, including names, birth dates, Social Security numbers, contact information, and personal medical histories.
Just as breaches affecting Target and Home Depot begged a closer look at the PCI Data Security Standard, it didn’t take long for the U.S. Office for Civil Rights – the enforcement arm of the Health Insurance Portability and Accountability Act (HIPAA) – to respond after the Anthem incident with a plan to thoroughly audit compliance in the coming year.
Similar to the limitations of the PCI DSS and other industry-specific compliance standards, the check-box approach these rules promote has proved to leave holes in the security structure for hackers to exploit. Instead of a narrow view of these prescriptive rules, industry executives must take a holistic view of their company’s security strategy. While compliance does not necessarily mean data security, a focus on security – in terms of risk, confidentiality, integrity, and availability – is likely to cover a lot of compliance.
A closer look at HIPAA
HIPAA emerged in 1996 and is anchored by the twin goals of “standardizing the electronic exchange of data between healthcare organizations, providers, and clearinghouses,” and “protecting the security and confidentiality of protected health information.”
To that end, a set of privacy standards has been disseminated by the Department of Health to ensure healthcare organizations, health plans, and providers adopt the guidelines and are held accountable to them. Those guidelines include stipulations about where healthcare data is stored and how it is protected from unauthorized access – in alignment with the overarching mandate of the act that PHI remain secure at all times.
Problems surface due to the complexity of federal regulations and the vague, ambiguous language used to articulate the standards. HIPAA’s requirement for data protection is to implement “reasonable and appropriate” measures, but it offers no guidance on what qualifies as such. This subjectivity creates an environment of confusion and ambiguity.
Change at the state level
An interesting trend in the healthcare industry is the state government’s reaction to a breach of a local healthcare provider. After investigating attacks and auditing the security system in place, state legislatures vote to pass their own security standards for healthcare providers and other involved businesses. The one area state legislatures focus on time and time again is encryption.
For example, earlier this year, New Jersey passed a bill mandating that health insurance companies in the state use data encryption. This action followed the theft of two unencrypted laptops that caused the Horizon Blue Cross Blue Shield breach in 2014. After the recent attack on the locally based Anthem, Connecticut aimed to follow suit. Similar laws already existed in Nevada and Massachusetts, providing models for the other states.
Top-down security approach
ISO 27799 is an existing international standard that exemplifies a security standard written with intent. CIOs and CSOs complying with HIPAA in the United States, or PHIPA in Canada, should consider cross-referencing those requirements with ISO 27799 to formulate a top-down security strategy.
As U.S. state legislatures have started to notice, encryption is too important to be a vague suggestion in a security standard. While HIPAA doesn’t require full-disk encryption, it is important for data to be encrypted, whether at the endpoint or in the cloud. This ensures that data is always encrypted, whether it is in transit or at rest. Additionally, a management policy should be enacted so that the encryption keys are held securely and within the enterprise. With a key manager, an encryption key is provided only on demand when necessary, which means the key is deleted from memory once the decryption process is complete, and access is more tightly controlled by policies that can be updated whenever necessary. This means that, if there is a breach, the impact can be reduced simply by updating a central policy in the key manager.
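The key-manager model described above, as an added example that is not WinMagic's code: a central policy table decides which endpoint may receive which key, the endpoint fetches the key on demand and wipes its copy after use, and one central revocation (for a lost laptop, say) cuts that endpoint off from every key. The `KeyManager` class, the endpoint and key names, and the SHA-256 counter-mode keystream standing in for a real cipher are all constructed for this illustration.

```python
import hashlib
import os
from dataclasses import dataclass, field


def _keystream(key: bytearray, n: int) -> bytes:
    # Constructed stand-in for a real cipher (SHA-256 in counter mode); the example
    # is about the key lifecycle, not the cipher. Use AES-GCM in production.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


@dataclass
class KeyManager:
    """Central key manager: keys stay inside the enterprise and are released only
    on demand, to endpoints the current policy table permits."""
    keys: dict = field(default_factory=dict)     # key_id -> key bytes (server-side only)
    policy: dict = field(default_factory=dict)   # key_id -> set of permitted endpoint ids
    audit: list = field(default_factory=list)    # (key_id, endpoint, decision)

    def register(self, key_id: str, endpoints) -> None:
        self.keys[key_id] = os.urandom(32)
        self.policy[key_id] = set(endpoints)

    def revoke(self, endpoint: str) -> None:
        # One central policy update cuts a lost or stolen endpoint off from every key.
        for permitted in self.policy.values():
            permitted.discard(endpoint)

    def request_key(self, key_id: str, endpoint: str) -> bytearray:
        allowed = endpoint in self.policy.get(key_id, ())
        self.audit.append((key_id, endpoint, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{endpoint} may not use {key_id}")
        return bytearray(self.keys[key_id])  # mutable copy so the endpoint can zeroize it


def endpoint_crypt(km: KeyManager, key_id: str, endpoint: str, data: bytes) -> bytes:
    """Endpoint side: fetch the key on demand, use it once, then wipe the copy.
    (In Python the wipe is best-effort; a native agent can guarantee it.)"""
    key = km.request_key(key_id, endpoint)
    try:
        return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    finally:
        for i in range(len(key)):  # overwrite the copy before it goes out of scope
            key[i] = 0
```

Because the cipher is symmetric here, `endpoint_crypt` both encrypts and decrypts; after `km.revoke("laptop-1")` the same call from that endpoint raises `PermissionError` and leaves a "denied" entry in the audit log.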
Complying with regulations such as HIPAA can be a challenge in and of itself. While remaining in line with and up to date on compliance and regulations is essential, one can easily end up missing the bigger picture of what compliance is meant to accomplish. CIOs and CSOs should look at compliance as a one-time snapshot or status of where things stand – or should stand. From there, building out holistic security programs will allow longer-term security strategies to be put in place.