Data Security Assumptions in Healthcare
By Stephen Trout, , HIPAA Blog, Resources, Security

The problem with our assumptions, someone once noted, is that we tend to assume they’re true.

(This, despite that old quip about what assuming does to you and me!)

But if, as Einstein posited, most of our assumptions are wrong – why don’t we question them more? 

Maybe we’re just caught in a feedback loop of what we’d like to believe – what’s comfortable. Why ask a fish about the water, right?    

But what we don’t see – or maybe don’t want to see – can sometimes hurt us. 

Take the question of healthcare security, for example. Questioning our assumptions has the potential to impact patients’ lives – and the viability of our businesses.

So why not try it? Asking questions is free, after all.

Here’s a start, with 4 possible assumptions we think are worth examining:

  1. “Compliant-with-HIPAA equals “secure,” doesn’t it?”

Not necessarily. We know it’s tempting to think, “Our cloud vendor’s service is HIPAA compliant, so our system must be secure too, right?” 

The nature of HIPAA compliance requires the right tools (vendors, etc.) and procedures to be in place, but also that they are used by you and your organization with vigilance – every day. 

While you can “inherit” infrastructure compliance with a proven, compliant HIPAA host, essential security can still be sacrificed by your organization. 

Take Email, for instance. You shouldn’t assume that a protected Email solution will automatically keep your employees from being taken in by a social engineering ploy, or phishing scheme packaged in an authentic-looking advertisement. 

A HIPAA-compliant Email solution can surely help – by highlighting protected Emails – but one click on a tempting link can open the door for a hacker. 

So, rather than assuming everyone will do the right thing, a smart approach to testing cyber preparedness is to regularly phish your own workforce. 

Alerting them (graciously) if they fail the test – rather than scolding, which only breeds resentment – helps keep the training proactive and helpful.

  1. “We really don’t need an incident response plan if we use antivirus tools, do we?” 

Perhaps you’ve heard about last year’s Ireland Health Service Executive (HSE) breach – now considered to be the largest computer attack against any health service system in history? 

More than 75 percent of the entire HSE IT environment was encrypted – a total of 54 public hospitals impacted. 700 GB of unencrypted data (the PHI of thousands of people) was exfiltrated. 

Since there was no cyber incident response plan or even cyber committee, this led to a much slower recovery for this much-relied-on hospital system. With impaired clinical efficiency,  patients suffered. 

What made matters worse for HSE was their assumption of being secure, based on the use of simple antivirus tools for detecting threats. 

What can we learn from this? Healthcare organizations would be better served by assuming that they will experience a breach instead.

Instituting strong incident response and disaster recovery plans is like having a first-aid kit in your office. It might save lives, or at least speed system recovery. 

  1. “A public cloud offering like Google isn’t as secure as a private, on-premise system, right?”

We’ve covered this assumption at length in other places, so we won’t give a lengthy response here. 

It’s true, we like to keep our possessions under a watchful eye. But having a server in the other room doesn’t guarantee security, just because you can see it. 

Nor does it mean that you can assume the equipment won’t fail, or the system that supports it will remain free from the latest novel virus. Unrecognized attacks and unexpected technology failures – as well as having to replace a server in a few years – can still happen.  

That’s why we opt for a cloud that’s designed with redundant systems, with a world-class security team assessing every attack. State-of-the-art servers and data centers, and security-by-design – with HIPAA Vault’s managed services and 24/7 support on top of it all – provides you layers of security that are hard to beat.   

A secure, state-of-the-art cloud can also allow us to pass on the cost savings to you, and improve efficiencies. Our HIPAA-compliant services to our healthcare customers are stronger and more accessible as a result.

  1. “We’re covered by TLS encryption on our Emails, so we’re secure, right?” 

No, sorry. TLS encryption secures your Emails in transit, but a fully secure transaction depends on both ends supporting it. If the recipient doesn’t support TLS – which you can’t assume they will – your Emails won’t be protected. Why risk an exposure of PHI?

A truly HIPAA compliant and secure transaction will alert recipients that they’ve received an encrypted Email, and provide them a link to a secure communication room. The link will direct them to a two-factor authentication login, and enable a separate code for them to input. 

Once the code is entered, they can view the decrypted message, and respond with an encrypted Email of their own while in the communication room.

Examine Your Assumptions

We could mention many more assumptions about healthcare security, such as “Hackers don’t bother with small to medium-sized businesses, do they?” (Wrong – they’ll hack you regardless of size); or, “I took a course, so I’m HIPAA compliant now!” (nope) – but this is a good start. 

Know that ultimately, questioning your assumptions helps eliminate risks – both to patients and your business. That’s time well spent, especially if it helps them both to thrive.

If you have any questions about data security or HIPAA Vault’s fully managed services, please contact us! 760-290-3460.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.