An unshaven man sits in front of multiple computer screens in a dark smoke-filled room. Sweat drips off his forehead while his fingers fly across a keyboard. We're not sure where he is, but his muttering is foreign to our ears.
Thanks to Hollywood, this is many people's vision of a typical cyber attack. But information security experts know this is just one possible scenario. Less compelling to imagine is the fact that one of the biggest threats to your data is a security guard that spends hours watching YouTube videos instead of doing his job.
The idea that physical security is at far lower risk of compromise than network security is one of the biggest myths when it comes to healthcare security compliance. But it's not the only one.
Here are some of the leading misconceptions people have about where data is most at risk.
Myth 1: Our Facility is Physically Secure
Hospitals and other large clinical settings are targets of opportunity for thieves looking for personal information. Because these facilities are built for public access, protecting the data inside is not their primary objective. Data can be stolen many ways, not just over a compromised network.
Healthcare administrators should prioritize strengthening both physical security controls and network security. Physical security controls include preventing unauthorized physical access to secure areas as well as preventing outright physical theft. Insider threats to physical security can come from current or former employees (including custodial staff and security guards), business partners, and contractors. Any employees, contractors, or volunteers with broad access should undergo a rigorous background check. Employees with such access should also receive frequent security awareness training, because their positions make them prime targets for social engineering attacks.
Improving physical security at data centers is another way healthcare companies can keep their data more secure. Data centers are especially vulnerable because they are the aggregation point for large volumes of patient data and for critical systems that are vital to the ongoing mission of the hospital or medical campus.
The loss or theft of an individual workstation is bad enough, but a stolen server or hard drive that is out of its normal location in a secured rack due to maintenance could represent millions of records in a breach report, and millions of dollars in fines for the unfortunate victimized organization. Criminal organizations are not above paying a disgruntled employee to pilfer these types of devices, as the payoff in identity theft from such high-value assets can be substantial.
Unfortunately, these types of things happen, but the good news is there are a number of measures data centers can take to make sure the physical structure remains secure.
Other things to consider for both hospitals and data centers: Have a security plan for each facility that takes into account the need for access as well as the sensitivity of the systems and data housed in that facility. Focus on risk-appropriate controls for the perimeter, and more stringent controls such as badge access, biometrics, and video surveillance for the most sensitive areas, such as data centers and other places where data in paper or electronic form is stored in large quantities. If the facility is not staffed on a 24-hour basis, be sure that alarms are installed and monitored to provide both a deterrent and an alert for intruders.
Clearly, there are a lot of components to physical security, and each plays a role in helping to keep your data safe from those that want to steal it.
Myth 2: Our Existing Controls Are Strict Enough
Sometimes we rely on our intuition to gauge the strength of our security controls. Chances are that if you require your users to have 7- or 8-character passwords and also make them change them regularly, most of those users would think that security was pretty tight. Unfortunately, sometimes our intuition isn't enough to keep us secure or to meet compliance mandates. Your organization might have adopted significant security controls, but are those controls rigorous enough both to address your organization's security risks and to be HIPAA compliant?
Oftentimes, even healthcare companies with tight security controls for their general business operations are not adhering to HIPAA requirements for their network monitoring, access controls, and employee training. To reduce your risk, these areas should at least meet HIPAA standards.
Or perhaps your company has confused having a "certified" Electronic Health Record (EHR) system for Meaningful Use as being compliant with the broader HIPAA standards. Unfortunately, just having a certified EHR does not address many of the HIPAA security requirements that must be in place across the entire enterprise. The HIPAA guidelines were created for a reason — partial compliance increases your compliance risk, and likely your security risk substantially.
The best way to determine whether you have gone far enough is a risk assessment. It should include a technical assessment of your security risks through activities like vulnerability scans or penetration tests, an analysis of the various threats, vulnerabilities, and safeguards, and an assessment of how you stand against the HIPAA requirements related to Privacy, Security, and Data Breach Reporting.
Myth 3: We're Too Small To Be Hacked
Even small healthcare companies get hacked. The mindset that your company is too small to be a target can lead to lax security controls. In fact, some hackers prefer smaller organizations because they understand that they can be easier targets.
Should your data be stolen, your size will not protect you from a government audit and potential sanctions. The Office for Civil Rights will investigate organizations of any size when they suffer a data breach.
There are a number of examples of smaller organizations that experienced data breaches and incurred hefty penalties, particularly when a subsequent OCR investigation revealed that the organization was not making a good-faith effort to comply with HIPAA.
In 2012, a five-physician practice in Arizona was fined $100,000 for posting surgery and appointment schedules on an Internet-based calendar that was publicly accessible. That was in violation of HIPAA standards and was cause for OCR to launch an investigation and ultimately take action.
The OCR takes into account the size of your organization, your budget and whether you have limited resources when doing an audit. As long as you've documented why you've made the choices you have, OCR will take this into consideration, but in all cases, you need to make sure you are meeting the HIPAA standards.
Myth 4: We've Never Had a Breach, So We Don't Need To Worry
If you haven't had a breach, you may be thinking your controls are working. That could be the case, but it might not be. Why take the risk?
Motorcycle riders have a saying: there are two types of riders, those who have crashed and those who are going to crash. Think of cyber attacks the same way. Your organization is likely to be breached at some point.
According to a September 2014 research study conducted by the Ponemon Institute, 43% of respondents had experienced a data breach in 2014 and 60% had suffered more than one breach. So if you've avoided it until now, consider yourself lucky, but don't fail to review and adjust your security protocols to adequately protect healthcare data.
Myth 5: HIPAA Compliance is Too Expensive
Yes, compliance costs some money, but not being compliant can lead to a huge fine from the federal government and loss of customer trust, not to mention loss of customers altogether. Plus, the notion that there needs to be a big technology spend on healthcare security compliance does not always hold true.
How much additional investment you'll need will depend on the current state of your company's security programs. In many cases, organizations have the basic tools already in place, and the additional costs will be for administering security programs and compliance strategies.
Debunking the Myths
As you can see, there is a lot of misinformation about healthcare information security. There are many ways that data breaches can occur. While experts agree that there is no way to protect data 100 percent of the time, taking the necessary precautions can go a long way in protecting your information. Threats come in many shapes and sizes, and being aware and proactive are the best ways to stop them.
Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.
On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!